Security News

Google says that it will block third-party Chromium web browsers from using private Google APIs after discovering that they were integrating them although they're intended to be used only in Chrome. This is because many of the Google APIs included in the Chromium code are specific only to Google Chrome and are not intended to be integrated and used by the users of derived Chromium products.

Google has removed 164 apps, downloaded a total of 10 million times, from its Google Play marketplace because they were delivering "Disruptive" ads, considered malicious. The problem continues to plague Google despite numerous efforts by the company to prevent "Malicious developers" from submitting their apps to its Google Play marketplace.

Now patched, the exploits took advantage of bugs in Windows, Chrome, and older versions of Android though watering hole attacks, says Google. In a series of blog posts published Tuesday, Google revealed that it discovered two malicious servers set to deliver different exploit campaigns through watering hole attacks.

Project Zero, Google's 0day bug-hunting team, revealed a hacking campaign coordinated by "a highly sophisticated actor" and targeting Windows and Android users with zero-day and n-day exploits. The Project Zero team, in collaboration with the Google Threat Analysis Group, discovered a watering hole attack using two exploit servers in early 2020, each of them using separate exploit chains to compromise potential targets.

The cloning works by using a hot air gun and a scalpel to remove the plastic key casing and expose the NXP A700X chip, which acts as a secure element that stores the cryptographic secrets. The exploit allows an attacker to obtain the long-term elliptic curve digital signal algorithm private key designated for a given account.

In July 2018, after many years of using Yubico security key products for two-factor authentication, Google announced that it was entering the market as a competitor with a product of its own, called Google Titan. Security keys of this sort are often known as FIDO keys after the Fast IDentity Online Alliance, which curates the technical specifications of a range of authentication technologies that "[p]romote the development of, use of, and compliance with standards for authentication and device attestation".

Researchers have found a way to clone Google's Titan Security Keys through a side-channel attack, but conducting an attack requires physical access to a device for several hours, as well as technical skills, custom software, and relatively expensive equipment. A new attack method against such devices was described by researchers from NinjaLab, a France-based company that specializes in the security of cryptographic implementations.

Google has banned the conservative social networking app Parler from the Google Play Store for not removing posts that incite violence in the US. In a statement to BleepingComputer, Google stated that Parler was removed after repeated violations of policies that require Google Play apps to moderate user-generated content. Google Play Store policies require apps that display user-generated content to moderate and remove content that violates Google's policies, including threats of violence and harassment.

The vulnerability allows the bad actor to extract the encryption key or the ECDSA private key linked to a victim's account from a FIDO Universal 2nd Factor device like Google Titan Key or YubiKey, thus completely undermining the 2FA protections. An actor will have first to steal the target's login and password of an account secured by the physical key, then stealthily gain access to Titan Security Key in question, not to mention acquire expensive equipment costing north of $12,000, and have enough expertise to build custom software to extract the key linked to the account.

An update released this week by Google for Chrome 87 patches 16 vulnerabilities, including 14 rated high severity. The company has awarded more than $100,000 for these vulnerabilities.