Security News

This use of Google Forms by cybercriminals is not new and is routinely observed in credential phishing campaigns to bypass email security content filters. In this attack, the use of Google Forms may also prompt an ongoing dialogue between the email recipient and the attacker - setting them up as a victim for a future BEC trap, researchers say.

Attackers behind a recently discovered phishing campaign have unintentionally left more than 1,000 stolen credentials available online via simple Google searches, researchers have found. While this in and of itself is not atypical of phishing campaigns, attackers made a "simple mistake in their attack chain" that left the credentials they'd stolen exposed to the "public Internet, across dozens of drop-zone servers used by the attackers," researchers said.

Hackers hitting thousands of organizations worldwide in a massive phishing campaign forgot to protect their loot and let Google index the stolen passwords for public searches. The phishing campaign has been running for more than half a year and uses dozens of domains that host the phishing pages.

Google Project Zero researcher Natalie Silvanovich outlined what she believes is a common theme when it comes to serious vulnerabilities impacting leading chat platforms. The research, published Tuesday, identifies a common denominator within chat platforms, called the "calling state machine", which acts as a type of dial tone for messenger applications.

Google has added a new feature to the Chrome web browser that will make it easier for users to check if their stored passwords are weak and easy to guess, exposing them to brute force attacks or password cracking attempts. Google Chrome allows creating, storing, and filling your passwords with a mouse click while browsing the web using a built-in password manager.

Although a majority of the messaging apps today rely on WebRTC for communication, the connections themselves are created by exchanging call set-up information using the Session Description Protocol (SDP) between peers in what's called signaling, which typically works by sending an SDP offer from the caller's end, to which the callee responds with an SDP answer. Not only did the flaws in the apps allow calls to be connected without interaction from the callee, but they also potentially permitted the caller to force a callee device to transmit audio or video data.

Vulnerabilities found in multiple video conferencing mobile applications allowed attackers to listen to users' surroundings without permission before the person on the other end picked up the calls. The logic bugs were found by Google Project Zero security researcher Natalie Silvanovich in the Signal, Google Duo, Facebook Messenger, JioChat, and Mocha messaging apps and are now all fixed.

A bug in Google Search is causing a browser tab to freeze when searching between a specified range of dates. Google has a search feature under the Tools > Any Time drop-down menu that allows you to search for content published within a specific date range.

Google has released Chrome 88 today, January 19th, 2021, to the Stable desktop channel, and it includes security improvements and the long-awaited removal of Adobe Flash Player. Chrome 88 is now promoted to the Stable channel, Chrome 89 is the new Beta version, and Chrome 90 will be the Canary version.

Review your recent Gmail access, browser sign-in history, and Google account activity to make sure no one other than you has used your account. The following steps can help you figure out if someone, other than you, is accessing your Gmail or Google account.