Security News
Google's FLoC mechanism for ad personalisation, currently being trialled in the Chrome browser, has been rejected as privacy-invasive tracking by other browser makers including Vivaldi and Brave. FLoC is part of what Google calls the Privacy Sandbox initiative, a proposal to "Support business models that fund the open web in the absence of tracking mechanisms like third-party cookies," according to now-retired Chrome engineering director Justin Schuh and product manager Marshall Vale in January.
A second Chromium zero-day remote code execution exploit has been released on Twitter this week that affects current versions of Google Chrome, Microsoft Edge, and likely other Chromium-based browsers. A zero-day vulnerability is one for which detailed information or an exploit is released before the affected software's developers can fix it.
Last month, Google announced plans to roll out a new privacy-focused feature called Federated Learning of Cohorts for the Chrome browser and ad serving websites. FLoC has been criticized by the Electronic Frontier Foundation and outright rejected by makers of Vivaldi and Brave browsers for its debatable claim of being a privacy-preserving technology.
Hackers are using search-engine optimization tactics to lure business users to more than 100,000 malicious Google sites that seem legitimate, but instead install a remote access trojan, used to gain a foothold on a network and later infect systems with ransomware, credential-stealers, banking trojans and other malware. Attackers use Google search redirection and drive-by-download tactics to direct unsuspecting victims to the RAT, tracked by eSentire as SolarMarker.
More than 100,000 web pages hosted by Google Sites are being used to trick netizens into opening business documents booby-trapped with a remote-access trojan that takes over victims' PCs and hands control to miscreants. Infosec outfit eSentire on Tuesday said it has noted a wave of so-called search redirection shenanigans, in which people Googling for business forms and the like are shown links to web pages published via Google Sites - a Google-hosted web service - that offer a download of whatever materials they were looking for.
As has become normal, Google did not provide any other details on the attacks or provide any IOCs to help organizations find signs of infection. So far in 2021, Google has rushed out fixes for at least three separate in-the-wild zero-day attacks.
A W2 tax email scam is circulating in the U.S. using Typeform, a popular software that specializes in online surveys and form building. According to Armorblox, the campaign also bypasses native Google Workspace email security filters in the victims it examined.
A security researcher has dropped a zero-day remote code execution vulnerability on Twitter that works on the current version of Google Chrome and Microsoft Edge. While Agarwal states that the vulnerability is fixed in the latest version of the V8 JavaScript engine, it is not clear when Google will roll out the Google Chrome.
A new set of malicious Android apps has been caught posing as app security scanners on the official Play Store to distribute a backdoor capable of gathering sensitive information. "These malicious apps urge users to update Chrome, WhatsApp, or a PDF reader, yet instead of updating the app in question, they take full control of the device by abusing accessibility services," cybersecurity firm McAfee said in an analysis published on Monday.
An app called NHS COVID-19 is the official iPhone and Android coronavirus contact tracing software for the vast majority of the population of Great Britain. Apparently, the government was keen to have an updated version of the NHS COVID-19 app ready in time, with added location tracking features that would allow users to share their location logs with the health service.