Security News

For the third time in a year, Google has fixed a Chrome zero-day that is being actively exploited by attackers in the wild. No details have been shared about the attacks or the flaw itself, apart from a short description that says it's a type confusion flaw in V8, the JavaScript engine used by the Chrome browser.

Google today published a blog post recommending that mobile app developers encrypt the data their apps generate on users' devices, especially when they use unprotected external storage that's prone to hijacking. The open-sourced Jetpack Security library lets Android app developers easily read and write encrypted files by following best security practices, including storing cryptographic keys and protecting files that may contain sensitive data, API keys, or OAuth tokens.

Google has updated Chrome for Linux, Mac, and Windows to address three security vulnerabilities - and exploit code for one of them is already public, so get patching. Interestingly enough, at the time, this public source-code tweak was spotted and studied by Exodus Intelligence researchers István Kurucsai and Vignesh Rao, who hoped to see whether it's still practical to identify security bug fixes among code changes in the Chromium source tree and develop an exploit before the patch sees an official release, a practice known as patch-gapping.

Google said Monday it has patched a Chrome web browser zero-day bug being actively exploited in the wild. Google said the flaw impacts versions of Chrome released before version 80.0.3987.122.

A simple Google search could lead people to invite codes that would let them find and join private WhatsApp group chats, given that the pages were indexed by Google. This is past tense, at least for Google search: as of Saturday, WhatsApp tweaked the glitch out of existence, though the search was still working on other major search engines as of today.

New Mexico Attorney General Hector Balderas is suing Google over its alleged slurping of students' data off of the free Chromebooks it passes out to needy schools and from its free G Suite for Education products, including Gmail, Calendar, Drive, Docs, Sheets, and other apps. According to the complaint, which was filed in the US District Court for the District of New Mexico on Thursday, Google has marketed its suite - formerly known as Google Education - to schools, parents and children as a "free and purely educational tool", but in actuality, it comes "at a very real cost that Google purposefully obscures."

A Chrome 80 update released on Monday patches three high-severity vulnerabilities, including one that Google says has been exploited in the wild. Google has credited Clement Lecigne of its Threat Analysis Group for reporting the vulnerability.

A group of business email compromise scammers that targeted thousands in the United States employed Google's G Suite for their infrastructure, Agari reports. Active since at least 2013, the group engaged in check fraud schemes in 2014, and has sent out thousands of fake checks since then, "adding up to millions of dollars in fraudulent funds using this scheme and others like it," Agari says in their report.

Google's reCAPTCHA Enterprise and Web Risk API get a general release; Chronicle Security gets boosts from new threat detection and timelining features. Google has made a number of security announcements at RSA 2020, including upgrades to its Chronicle Security platform and the general release of its reCAPTCHA Enterprise and Web Risk API tools.