Security News

Google triples reward for Chrome full chain exploits
2023-06-02 12:27

Google has tripled the full reward amount for the first security bug report that includes a functional full chain exploit of its popular Chrome browser. Six months of higher rewards for a Chrome full chain exploit.

Google triples rewards for Chrome sandbox escape chain exploits
2023-06-01 16:00

Google announced today that bug bounty hunters who report sandbox escape chain exploits targeting its Chrome web browser are now eligible for triple the standard reward until December 1st, 2023. "The full chain exploit must result in a Chrome browser sandbox escape, with a demonstration of attacker control / code execution outside of the sandbox. The exploit scenario must be fully remote and the exploit able to be used by a remote attacker," Google explains.

Threat actors can exfiltrate data from Google Drive without leaving a trace
2023-06-01 12:34

Google Workspace has a weak spot that can prevent the discovery of data exfiltration from Google Drive by a malicious outsider or insider, Mitiga researchers say. "Google Workspace provides visibility into a company's Google Drive resources using 'Drive log events,' for actions such as copying, deleting, downloading, and viewing files. Events that involve external domains also get recorded, like sharing an object with an external user," Mitiga's Ariel Szarf and Or Aspir explained.

RomCom malware spread via Google Ads for ChatGPT, GIMP, more
2023-05-30 19:01

A new campaign distributing the RomCom backdoor malware is impersonating the websites of well-known or fictional software, tricking users into downloading and launching malicious installers. The first documented use of RomCom was reported in August 2022 by Palo Alto Networks, attributing the attacks to a Cuba ransomware affiliate they named 'Tropical Scorpius.'

Google offers certificate in cybersecurity, no dorm room required
2023-05-30 18:15

Cybersecurity Ventures reported there are 3.5 million unfilled cybersecurity positions worldwide this year, and 750,000 of them are in the U.S. In an attempt to address this, as well as the lack of diversity in cybersecurity, Google is offering a Cybersecurity Certificate training program for anyone, including those with no background in coding or computer science. The company said the Google Cybersecurity Certificate, part of the Google Career Certificates portfolio of Coursera classes, offers an alternative to high-ticket collegiate training in cybersecurity, which is a slow pipeline with a high cost of entry.

Android apps with spyware installed 421 million times from Google Play
2023-05-30 14:38

A new Android malware distributed as an advertisement SDK has been discovered in multiple apps, many previously on Google Play and collectively downloaded over 400 million times. In the background the trojan SDK checks the Android device's sensor data to confirm that it's not running in a sandboxed environment, commonly used by researchers when analyzing potentially malicious Android apps.

How to use Google Smart Lock on iOS to lock down your Google Account
2023-05-26 18:35

The Google Smart Lock application for iOS can use your iPhone as a security key to lock down your Google Account to provide extra security above and beyond two-factor authentication. In this tutorial, I'll show you how to set up this Smart Lock app and use it to lock down your Google Account's 2FA support.

Severe Flaw in Google Cloud's Cloud SQL Service Exposed Confidential Data
2023-05-26 16:25

A new security flaw has been disclosed in the Google Cloud Platform's Cloud SQL service that could be potentially exploited to obtain access to confidential data. "The vulnerability could have enabled a malicious actor to escalate from a basic Cloud SQL user to a full-fledged sysadmin on a container, gaining access to internal GCP data like secrets, sensitive files, passwords, in addition to customer data," Israeli cloud security firm Dig said.

GUAC 0.1 Beta: Google's Breakthrough Framework for Secure Software Supply Chains
2023-05-25 05:45

Google on Wednesday announced the 0.1 Beta version of GUAC for organizations to secure their software supply chains. GUAC aims to aggregate software security metadata from different sources into a graph database that maps out relationships between software, helping organizations determine how one piece of software affects another.

This legit Android app turned into mic-snooping malware – and Google missed it
2023-05-24 23:58

Google Play has been caught with its cybersecurity pants down yet again after a once-legit Android screen-and-audio recorder app was updated to include malicious code. Potentially tens of thousands of people downloaded the software before ESET researchers found the hidden malware and alerted Google, which pulled the app from its online store.