Security News
Google this week released Chrome 80 to the stable channel with 56 vulnerability patches and various other improvements to user security. To better protect against cross-site request forgery attacks, Chrome 80 will enforce a new secure-by-default cookie classification system, where only cookies set as SameSite=None; Secure will be available in third-party contexts, as long as they are accessed from secure connections.
Chrome 80 emerged from Google this week with a few more nails to hammer into the coffin of the venerable File Transfer Protocol. It has been a death by a thousand cuts for FTP in Chrome.
Google is potentially facing a massive privacy and GDPR row over Chrome sending per-installation ID numbers to the mothership. "This Chrome-Variations header will not contain any personally identifiable information, and will only describe the state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation," Google explains in a paper describing Chrome capabilities.
Google Chrome extension developers have been left high and dry for weeks as the company struggles to cope with a spike in fraud on the Chrome Web Store. Earlier this month the Chrome Web Store team detected a significant increase in the number of fraudulent transactions involving paid Chrome extensions that aim to exploit users.
After observing an increase in the number of fraudulent transactions, Google over the weekend announced that it halted the publishing of paid items to the Chrome Web Store. "Earlier this month the Chrome Web Store team detected a significant increase in the number of fraudulent transactions involving paid Chrome extensions that aim to exploit users. Due to the scale of this abuse, we have temporarily disabled publishing paid items," Simeon Vincent, extensions developer advocate at Google, explains.
UPDATE. Both the Google Chrome and Mozilla Firefox teams are cracking down on web browser extensions that steal user data and execute remote code, among other bad actions. In this case, Google said that after becoming aware of a widespread pattern of pernicious behavior on the part of a large number of Chrome extensions, it has disabled extensions that contain a monetary component: those that are paid for, those that offer in-browser transactions and those that offer subscription services.
On Saturday, Google temporarily disabled the ability to publish paid Chrome apps, extensions, and themes in the Chrome Web Store due to a surge in fraud. "Earlier this month the Chrome Web Store team detected a significant increase in the number of fraudulent transactions involving paid Chrome extensions that aim to exploit users," said Simeon Vincent, developer advocate for Chrome Extensions, in a post to the Chromium Extensions forum.
New versions of the ransomware now sniff out saved credentials for Internet Explorer, Mozilla Firefox, Mozilla Thunderbird, Google Chrome and Microsoft Outlook. FTCODE, a PowerShell-based ransomware that targets Italian-language users, has added new capabilities, including the ability to swipe saved web browser and email client credentials from victims.
Google doesn't want to block third-party cookies in Chrome right now. Once these approaches have addressed the needs of users, publishers, and advertisers, and we have developed the tools to mitigate workarounds, we plan to phase out support for third-party cookies in Chrome.
Google is aiming to phase out third-party cookies in Chrome in two years, but that will have to prove palatable to users, publishers, and advertisers. In its post, the search giant said it plans to phase out support for third-party cookies in Chrome within the next two years.