Security News

That spike in users also exposed a growing list of security flaws: Zoom bombing trolls have emerged, user email addresses and photos have leaked, calls aren't being end-to-end encrypted, and flaws found in the Zoom installer allow an attacker to gain root access to computers that run a malicious version of it. These security flaws have prompted some organizations, companies, governments, government agencies, and schools to ban Zoom or restrict its use.

Google has removed an Android VPN program from the Google Play store after researchers notified it of a critical vulnerability. VPNpro, a company that reviews and advises on VPN products, warned in February of a vulnerability in the product that could cause a man in the middle attack, enabling an intruder to insert themselves between the user and the VPN service.

Cloudflare on Wednesday said it is ditching Google's reCAPTCHA bot detector for a similar service called hCaptcha out of concerns about privacy and availability, but mostly cost. The biz held a bake-off to pick a new provider, and settled on hCaptcha, a service released last year as an alternative to reCAPTCHA. According to Prince and Isasi, hCaptcha doesn't sell personal data and made commitments to use info collected from Cloudflare only to improve the service.

Google has finally added the Eyes Open requirement for Google Pixel 4 Face Unlock. The Google Pixel 4 facial recognition feature is already one of the finest on the market.

Google this week released the April 2020 set of security patches for the Android operating system to address over 50 vulnerabilities, including four critical issues in the System component. "The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process," Google notes in an advisory.

Two schoolchildren have sued Google, alleging that it's illegally collecting their voiceprints, faceprints and other personally identifiable information. In order to use those apps, the kids had to speak into the laptop's audio recording device so Google could record their voices, and they had to look into the laptop's camera so Google could scan their faces.

Google last week announced that it has started rolling back a cross-site request forgery protection introduced in early February with the release of Chrome 80 in the stable channel. Initially announced in May 2019, the protection involves Chrome enforcing a new secure-by-default cookie classification system, where cookies that haven't declared a SameSite value being treated as SameSite=Lax cookies.

Kaspersky has detailed its takedown of a massive so-called watering-hole attack appearing to target certain folks in China, in the top story in The Reg's infosec roundup that looks at issues of the past week beyond our own detailed coverage. "We were not able to witness any live attacks and thus could not determine the operational target. However, this campaign once again demonstrates why online privacy needs to be actively protected," said Kaspersky researcher Ivan Kwiatkowski.

On Thursday, Google released security patches to stomp out high-severity vulnerabilities in its Chrome browser. Overall, eight security bugs were addressed in Chrome browser version 80.0.3987.162 for Windows, Mac, and Linux.

Attivo Networks, the award-winning leader in deception for cybersecurity threat detection, announced the availability of its ADSecure solution for Google Cloud's Managed Service for Microsoft Active Directory. The Google Cloud team has reviewed the Attivo solution that operates and reduces the risk of attack escalation for organizations running Active Directory with Google's managed service.