Evidence is emerging that a barely noticed change made to Chrome 80, released on 4 February, might have disrupted the hugely successful data and user profile stealing malware AZORult.
AZORult first appeared in 2016. Since then it has been used to steal huge amounts of information from victims: cryptocurrency wallet data, passwords, browsing history and cookies, and credentials for FTP clients, the Telegram desktop client and Skype chats.
You name it, AZORult will try to steal it, often posing as legitimate software such as the installer for ProtonVPN.
The malware went into relative decline in 2018. Now, according to research by Israeli security company Kela, chatter on crime forums suggests cybercriminals believe that Chrome 80’s move to encrypt locally saved passwords and cookies with AES-256 has put an end to the malware’s data theft for good.
On Windows, Chrome previously protected each saved password and cookie with Microsoft’s systemwide Data Protection API (DPAPI). Any code running as the same user can call CryptUnprotectData to reverse that, which is why credential-dumping tools such as Mimikatz, and stealers like AZORult, could read the store so easily. Chrome 80 instead encrypts each stored value with AES-256-GCM under a per-profile key and uses DPAPI only to wrap that key, so tooling that fed the stored values straight to DPAPI stops working until it is updated for the new layout.
“All the older cracked versions of different stealers are finished,” Kela translates a Russian language commenter on a crime forum as having said.
AZORult’s problem appears to be that its development has stalled as the code fragmented into cracked forks. Other stealers such as Raccoon and KPOT are said to have been updated to cope with the change, although how successfully is not explained.
The evidence for AZORult’s demise is supported by Kela’s figures showing that the Genesis crime market, where user profiles and credentials are traded, has seen a sudden and dramatic drop in listings connected to AZORult.
Genesis is viewed by some security companies as one of the most innovative crime marketplaces because it trades mostly in user ‘fingerprints’ that criminals can use to emulate or spoof victims: unique aspects of their browsing behaviour, IP address, installed software and computer hardware.
Until now, the go-to for that has been AZORult. In an interview with ZDNet, Kela’s Raveed Laeb said that the Genesis database of stolen credentials had gone down from 335,000 to around 230,000 in a matter of weeks.
While the marketplace is unlikely to disappear, Chrome’s evolution is likely to spell the death knell for AZORult, at least:
With no apparent heir to fix the deep issues caused by the new Chrome update, it seems that actors – if we’re extrapolating from Genesis – have actually decided to move on to new stealers.
Chrome’s switch to AES-256 also affects other browsers based on Chromium, including Microsoft’s new Edge browser, Opera and Brave.
The only way for AZORult to adjust to this change would be to patch the original source code, but this is no longer available.
Nevertheless, the data stealing function of AZORult will be taken up by plenty of willing rivals. It’s a case of one down, plenty more to go.
Are browser password managers safe?
Demonstrably not. Which is why the easiest way to dodge the weaknesses of a browser’s built-in password store is not to rely on it at all, and to use a dedicated password manager instead.
Unlike a browser’s store, these are applications built solely for securing passwords, with the browser extension only as a front end. They offer a more considered security design and work across platforms, browsers and computers. The additional security they offer over browser password stores is more than worth the minimal time spent setting them up.
Google yesterday released a new critical software update for its Chrome web browser for desktops that will be rolled out to Windows, Mac, and Linux users over the next few days.
The latest Chrome 80.0.3987.122 includes security fixes for three new vulnerabilities, all rated ‘High’ severity, including one (CVE-2020-6418) that has reportedly been exploited in the wild.
The brief descriptions of the bugs, which pose a significant risk to your systems if left unpatched, are as follows:
Integer overflow in ICU — Reported by André Bargull on 2020-01-22
Out of bounds memory access in streams (CVE-2020-6407) — Reported by Sergei Glazunov of Google Project Zero on 2020-01-27
Type confusion in V8 (CVE-2020-6418) — Reported by Clement Lecigne of Google’s Threat Analysis Group on 2020-02-18
The Integer Overflow vulnerability was disclosed by André Bargull privately to Google last month, earning him $5,000 in rewards, while the other two vulnerabilities — CVE-2020-6407 and CVE-2020-6418 — were identified by experts from the Google security team.
As is its usual practice, Google has not disclosed further details of the vulnerabilities, so that affected users have time to install the update before attackers can work out how to exploit them.
Successful exploitation of any of the three, an integer overflow in the ICU library, an out-of-bounds memory access in the streams code and a type confusion in the V8 JavaScript engine, could allow a remote attacker to run arbitrary code by luring the user to a specially crafted web page. On its own, a bug of this kind yields code execution inside Chrome’s sandboxed renderer process; reaching the rest of the system needs a separate sandbox-escape bug.
It’s recommended that Windows, Linux, and macOS users download and install the latest version of Chrome by heading to Help > “About Chrome” from the settings menu.
Google Chrome’s seamless updates have long been a big part of its appeal. But perhaps not anymore. With the latest version of Chrome already installed on hundreds of millions of computers and smartphones around the world, a significant warning has been issued that you might not like what it has running inside.
Picked up by The Register, Chrome 80 (check your version by going to Settings > About Chrome) contains a new browser capability called ScrollToTextFragment. This is deep linking technology tied to website text, but multiple sources have revealed it is a potentially invasive privacy nightmare.
To understand why requires a brief guide to how ScrollToTextFragment works. In short, it lets whoever writes a link point at a specific passage of text on a page, down to a single word and its position, and Chrome scrolls to and highlights the match when the link is opened. The link author does this by appending a text directive to the URL fragment (format: #:~:text=[prefix-,]textStart[,textEnd][,-suffix]); the page’s author neither has to add an anchor nor gets to refuse. Google gives the harmless example:
“[https://en.wikipedia.org/wiki/Cat#:~:text=On islands, birds can contribute as much as 60% of a cat’s diet] This loads the page for Cat, highlights the specified text, and scrolls directly to it.”
The deep linking freedom of ScrollToTextFragment can be very useful for sharing very specific links to parts of webpages. The problem is it can also be exploited. Warning about the development of ScrollToTextFragment in December, Peter Snyder, a privacy researcher at Brave Browser explained:
“Consider a situation where I can view DNS traffic (e.g. company network), and I send a link to the company health portal, with [the anchor] #:~:text=cancer. On certain page layouts, I might be able [to] tell if the employee has cancer by looking for lower-on-the-page resources being requested.”
And it was Snyder who spotted that ScrollToTextFragment is now active inside Chrome 80 stating that “Imposing privacy and security leaks to existing sites (many of which will never be updated) REALLY should be a ‘don’t break the web’, never-cross, redline. This spec does that.”
David Baron, a principal engineer at Mozilla, maker of Firefox, also warned against the development of ScrollToTextFragment, saying: “My high-level opinion here is that this a really valuable feature, but it might also be one where all of the possible solutions have major issues/problems.”
Defending the decision, Google’s engineers have issued a document outlining the pros/cons of the deep linking technology in ScrollToTextFragment and Chromium engineer David Bokan wrote this week that “We discussed this and other issues with our security team and, to summarize, we understand the issue but disagree on the severity so we’re proceeding with allowing this without requiring opt-in.”
Bokan says the company will work on an opt-out option, but how many will even know ScrollToTextFragment exists? And here lies the nub of it: Google has such power it can be judge and jury to decide what is or isn’t acceptable. So ScrollToTextFragment, with its unresolved privacy concerns and lack of support from other browser makers, is now out there, running in the background of hundreds of millions of Chrome installations.
2019 was a great year for Google Chrome. Despite a hiccup where an experimental update broke it temporarily, it has remained the world’s most popular browser, and is currently rendering sites for between 48% and 64% of web users (depending on who’s counting).
Google isn’t resting on its laurels though, and has lots of new features in the works for 2020. Here are the ones you should be looking out for, including some we can’t wait to try, and a few that might prove to be a step in the wrong direction.
Google is still ironing out a few bugs with how the browser looks and renders pages in dark mode, but we anticipate the Android version will be ready for public release in the first quarter of 2020, with an iOS release soon after.
Another feature that’s accessible through chrome://flags is parallel downloading. This effectively splits files into several parts, which are downloaded simultaneously. It’s the same technique stand-alone download managers use to help you grab files faster, and would be a welcome addition to Chrome, particularly now that fiber broadband is becoming more commonplace. Keep an eye out for it appearing in 2020.
Page sharing via QR codes
This feature is on its way, but it’s not necessarily something we’re particularly looking forward to. Chrome Canary users recently gained the ability to share webpages with one another via QR codes. The code is generated on one device, and can be scanned using the camera on another.
It’s not a totally novel way to share sites (Opera has offered the same thing for ages), and we’re not big fans of QR codes. Many phones need a dedicated app to scan them, and there’s no way of telling where a code will lead before you do so, which makes them a convenient phishing vector. We’d prefer to share sites with people we trust via a messaging app.
A new tab switcher
Currently, when you want to change tabs in Chrome on your phone or tablet, you tap a button to bring up the tab switcher and take your pick from a set of large ‘cards’ showing all the pages you have open. It’s simple and effective, but that could all change in 2020 with the introduction of a new tab switcher that adds a whole lot of new options to the same screen.
The new tab switcher is being tested in the Dev and Canary builds of Chrome, and although it may change before it becomes part of the release version, it looks pretty polished. In addition to small previews of each open tab, it features (take a deep breath) a Google logo front and center, an Incognito mode toggle, a set of links to recently visited sites, a search bar, an options menu, and a button for creating new tabs. An improvement? We’re not so sure.
Naming and shaming slow websites
This is a feature proposed by a group of Chrome developers, who claim “the web can do better” when it comes to user experiences. The idea is that websites that load particularly slowly will be labelled in some way to warn users that they’re going to be waiting around for a while, and might prefer to look for content elsewhere. This warning could take the form of a splash screen, information that appears in a context menu when you right-click, or a little green progress bar to indicate that a site is particularly speedy.
There’s no guarantee that such labels will appear in 2020, but Google is putting a lot of effort into pushing its best practice guidelines for web developers, so we wouldn’t be surprised to see something along these lines in the near future.
A built-in password manager
This feature is purely speculative, but it’s one we’d like to see. At the tail end of 2019, Google unveiled a new tool that will warn you if any of your online account details have been revealed in a recent data breach. It’s a handy feature, and bears a strong similarity to Firefox Monitor.
We wouldn’t be surprised if Google decides to follow in Mozilla’s footsteps and also release its own password manager in 2020, helping keep your accounts secure from phishing attempts and removing the temptation to reuse passwords across different services. Perhaps it could even be combined with Google Drive, allowing you to move sensitive files from Drive into a secure, encrypted vault along with your passwords.
Version 79 of Chrome is out, and it promises to do a better job of protecting you against phishing sites and credential stuffing attacks.
Since 2017, Chrome has protected users against phishing by checking the sites you enter your Google credentials into against a list of known phishing sites. It keeps these as part of its Safe Browsing initiative. Google synchronises its list of bad sites with the browser every 30 minutes, but because sites change so quickly, that means users might fall victim to new sites that had come online just minutes earlier.
Chrome 79, released on Tuesday 10 December, now performs that phishing protection in real-time, even for users with the synchronisation feature turned off. The company says this will protect users in 30% more cases. The protection has also been extended to include all the passwords stored in the Chrome password manager rather than just Google accounts. You can turn it on by enabling the ‘Make searches and browsing better’ option in Chrome.
The browser also now includes some other protections. It will now show you more clearly which profile the browser is currently using, which is handy for those sharing a browser and using different profiles. There’s also a feature that Google has been testing out for months: a built-in check for hacked passwords during site logins.
The feature began as a Chrome extension called Password Checkup that warned users their login credentials had been breached. Released in February 2019, it found that 1.5% of all web logins were using breached credentials, according to a Google survey released in August this year. That fuelled Google’s next move, in which it folded the feature directly into Chrome’s password manager. The service still didn’t check your credentials against hacked logins whenever you logged into a website. Instead, it would periodically check the passwords you had stored in the password manager to see if any matched.
The version of Password Checkup integrated into Chrome 79 goes a step further. Now, it runs the check whenever you log into a site. Google is at pains to avoid any suggestion of creepiness or spying as part of this move, so it’s been pretty clever about how it performs the check. It wants to be clear that it doesn’t get to see your login credentials.
When you log into a website, Chrome now sends Google a hashed copy of your login credentials. A hash is a fixed-length, reproducible digest of whatever data you feed it, which identifies the data without revealing it. Before it leaves the browser, the hash is also blinded (encrypted) with a key that only your browser holds.
Google already encrypts, with its own key, the list of hacked login credentials it has collected from various sources online. It does the same to the blinded hash that Chrome sends it, encrypting it a second time.
This double encryption is part of a technique called private set intersection with blinding. It tries to match the login credentials you entered against Google’s database of hacked usernames and passwords.
For your privacy, Google doesn’t do the matching itself. Instead, it sends a small part of its encrypted hacked-credentials database back to Chrome, along with your double-encrypted login credentials. Chrome removes the encryption it applied to your login credentials using your own key, leaving only Google’s encryption in place. It then tries to match that value against the small subset of the database that it received from Google. If it finds one, then your credentials have been hacked.
Google knows which small subset of the database to send back because your browser also creates a hash of the username you tried to enter into the website. It sends part of that hash to Google along with the other data. Google uses that snippet of your hashed username to select the part of its database including the same snippet in the index.
It’s an ingenious system, and as long as you feel you can trust the encryption (and Google), then it looks like a good way to automate hacked password detection. It will alert you that your credentials have been pwned at the point in time when you’re most likely to do something about it – when you’re trying to log into the site.
As with all password breaches, you should change your password if Chrome does discover a match, and turn on multi-factor authentication if the hacked site makes it available, to prevent a possible attack. You should also avoid reusing passwords across multiple sites so that attackers won’t be able to unlock your other accounts with a hacked password. You can make that easier by using a password manager with a built-in password generator.
Attention! Are you using Chrome as your web browsing software on your Windows, Linux and Mac? High time you update your browser!!
That’s right. With Google recently releasing Chrome version 78.0.3904.87 for Windows, Mac, and Linux comes an urgent warning to update the browser immediately. The release fixes two high-severity use-after-free vulnerabilities, one of which (CVE-2019-13720) was being exploited in the wild before the patch was available.
What are these zero-day vulnerabilities?
According to Google, the update fixes the following two vulnerabilities:
CVE-2019-13720 – a use-after-free bug in Chrome’s audio component, the one reported as exploited in the wild.
CVE-2019-13721 – a use-after-free bug in PDFium, the library Chrome uses to render and generate PDF files in the browser.
How do these vulnerabilities work?
A use-after-free is a memory-corruption flaw: the program keeps using a block of memory after it has been freed, so an attacker who can get that block reallocated with content they control can corrupt data and redirect execution. For browser bugs like these, all a remote attacker needs to do is get you to visit a malicious web page, which gives them code execution inside Chrome’s sandboxed renderer process. Taking over the rest of the system requires a further sandbox-escape or privilege-escalation bug, which is why in-the-wild exploits typically chain several vulnerabilities.
How can you protect yourself?
Use-after-free is one of the most common classes of memory-safety bug found in browsers, so more of them are bound to turn up.
Thankfully, Google has already released the fix: the stable channel has been updated to 78.0.3904.87. All you need to do is click the update arrow at the top-right corner of the Chrome window, or go to Help > About Google Chrome, and relaunch. Once you are on the latest version across your desktop and mobile devices, these two vulnerabilities can no longer be used against you.
Such security bugs and vulnerabilities are bound to appear and reappear from time to time. It is for this reason that Quick Heal strongly recommends that you keep your web browser and security products up-to-date and follow best security practices for optimum defense against the rising/evolving threats and zero-day vulnerabilities.