Search This Blog

Showing posts with label Google. Show all posts

Companies Use Email Tracking to Spy on Users

 

Opening the email causes the little image to load in your browser or application. When it happens, the image pings the site where it is kept. Google, Outlook, and Apple email clients all have built-in security measures that stop advertisers from following users around with their covert pixels. 

A line of code added to an email message creates a square image measuring 1 pixel by 1 pixel called an email tracking pixel. Since email tracking pixels are frequently transparent and positioned in a covert location in the header or footer of the email, the receiver is not immediately aware that they are there. 

Remarketing pixels, which show user-tailored advertisements across the Internet, are examples of tracking pixels in emails that perform more sophisticated, strategic tasks. 

Users never truly see the tracking graphic for two reasons. It is little, and since it is in GIF or PNG format, the business can keep it transparent and unnoticeable to the unaided eye. 

According to research, by correlating your location and device details, advertisers and other malicious attackers may be able to correlate your email activity with your browser cookies. Hackers can now track you anywhere you go online, link your email address to your internet history, and more because of this, which creates a terrifying scenario. 

How to prevent email tracking 

Even if it prevents you from loading family photos instantly, users must block all images that are included in the email.
  • Ask before viewing external images in Gmail's settings for pictures.
  • Outlook: You want options, options for external image blocking, options for the trust center, and automatic download.
  • Turn on Protect email activities in the privacy section of the iPhone and iPad settings by going to Apple Mail. Alternately, enable IP address concealment and disable all remote content.
Users can also attempt to increase the security of their email experience in another way. Lastly, one should think about routing all of the internet activities through a VPN connection. Users can get a private relay email account that will erase the trackers from the email before users open it. 

Google TAG Alerts on Rising Heliconia Exploit Framework for RCE

 

The Threat Analysis Group (TAG) at Google has discovered Heliconia, a cyberattack framework designed to exploit zero-day and n-day security flaws in Chrome, Firefox, and Microsoft Defender. It is likely linked to Variston IT, a gray-market spyware broker, demonstrating how this shadowy sector is thriving. The Heliconia threat is made up of three modules:
  • Heliconia Noise for compromising the Chrome browser, escaping the sandbox, and installing malware;
  • Heliconia Soft, a Web framework that deploys a PDF containing a Windows Defender exploit for CVE-2021-42298 that allows privilege escalation to SYSTEM and remote code execution (RCE);
  • And the Heliconia Files package which contains a fully documented Firefox exploit chain for Windows and Linux, including CVE-2022-26485 for RCE.
The threat was discovered after TAG received an anonymous submission to the Chrome bug reporting program. Further investigation revealed that the Heliconia framework's source code includes a script that refers to Variston IT, a Barcelona-based company that claims to provide "custom security solutions."

Commercial spyware is frequently sold by organizations claiming to be legitimate businesses for "law enforcement use." According to a TAG posting on Wednesday, mounting evidence shows that too often, these brokers don't vet their clients, "putting advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition, and dissidents.

Researchers noted that Variston IT is firmly in the middle of this rapidly expanding market, which has seen sanctioning by the US and others against organizations such as the infamous NSO Group, creators of the Pegasus spyware.

Google Blames Spanish Spyware of Exploiting Chrome, Windows, and Firefox Zero-Days


Variston IT Spyware behind an attack on Google

A surveillance vendor from Barcelona called Variston IT is believed to deploy spyware on victim devices by compromising various zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of these go back to December 2018. 

Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens said "their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to deploy a payload to a target device." 

Variston has a bare-bones website, it claims to provide tailor-made security solutions to its customers, it also makes custom security patches for various types of proprietary systems and assists in the discovery of digital information by law enforcement agencies, besides other services.

Google's Response 

Google said "the growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups. These abuses represent a serious risk to online safety which is why Google and TAG will continue to take action against, and publish research about, the commercial spyware industry."

The vulnerabilities, which have been fixed by Google, Microsoft, and Mozilla in 2021 and early 2022, are said to have been used as zero-days to help customers deploy whichever malware they want to, on targeted systems. 

What is Heliconia vulnerability?

Heliconia consists of three components called Noise, Files, and Soft, each of these is responsible for installing exploits against vulnerabilities in Windows, Firefox, and Chrome, respectively. 

Noise is designed to exploit a security flaw in the Chrome V8 engine JavaScript that was fixed last year in August 2021, along with an unknown sandbox escape method known as "chrome-sbx-gen" to allow the final payload (also called an agent) to be deployed on select devices.  

But the attack works only when the victim accesses a malicious webpage intended to trap the user, and then trigger the first-stage exploit. 

Google says it came to know about the Heliconia attack framework after it got an anonymous submission in its Chrome bug reporting program. It further said that currently there's no proof of exploitation, after hinting the toolset has shut down or evolved further. 

Google blog said

Although the vulnerabilities are now patched, we assess it is likely the exploits were used as 0 days before they were fixed.

Heliconia Noise: a web framework for deploying an exploit for a Chrome renderer bug followed by a sandbox escape

Heliconia Soft: a web framework that deploys a PDF containing a Windows Defender exploit

Files: a set of Firefox exploits for Linux and Windows.






Apple and Google's Accused for Mobile Browser Monopoly Activities

The domination of Apple and Google in web devices and cloud gaming will be examined, according to the UK's authorities.

The Competition and Markets Authority announced on Tuesday that it is shifting forward on a market investigation it first suggested in June of how the companies regulate internet browsers for mobile devices and concerns that Apple restricts cloud gaming on its devices after receiving help in a public consultation.

The Competition and Markets Authority (CMA) found from market research conducted last year that they controlled the majority of mobile operating systems, app marketplaces, and web browsers.

If the 18-month study indicates an adverse impact on competition, the CMA may enforce modifications. However, the allegations are rejected by both businesses.

The authority announced on Tuesday that it is starting the investigation in part since the U.K. has put off giving its competition regulator new authority over digital markets, which is similar to what was recently passed in the European Union and which it claimed could help resolve those problems.

According to remarks released on Tuesday as part of the CMA's public consultation on its inquiry, some major IT rivals backed the investigation against Apple and Google. If nothing is done, Microsoft Corp. warned that Apple and Google's grip over its mobile ecosystems might pose growing challenges to the competition.






Report: Tax Preparation Software Returned Personal Consumer Data to Meta and Google

 

As per The Markup, popular tax preparation software such as TaxAct, TaxSlayer, and H&R Block sent sensitive financial information to Facebook's parent company Meta via its widely used code known as a pixel, which helps developers track user activity on their sites. 

In accordance with a report published on Tuesday by The Verge, Meta pixel trackers in the software sent information such as names, email addresses, income information, and refund amounts to Meta, violating its policies. The Markup also discovered that TaxAct sent similar financial data to Google via its analytics tool, though the data did not include names.

According to CNBC, Meta employs tiny pixels that publishers and businesses embed on their websites. When you visit, the dots send a message back to Facebook. It also enables businesses to target advertisements to people based on previous websites they have visited.

Based on the report, Facebook could use data from tax websites to power its advertising algorithms even if the person using the tax service does not have a Facebook account. It's yet another example of how Facebook's tools can be utilized to track people across the internet, even if users are unaware of it. According to some statements provided to The Markup, it could have been a mistake.

Ramsey Solutions, a financial advice and software company that uses TaxSlayer, told The Markup that it "NOT KNEW and was never alerted that personal tax information was being gathered by Facebook from the Pixel," and that the company informed TaxSlayer to deactivate the Pixel tracking from SmartTax.

An H&R Block spokesperson said the company takes “protecting our clients’ privacy very seriously, and we are taking steps to mitigate the sharing of client information via pixels.” 

H&R Block further stated in a statement on Wednesday that it had "removed the pixels from its DIY online product to stop any client tax information from being collected."

The Markup discovered the data trail earlier this year while working with Mozilla Rally on a project called "Pixel Hunt," in which participants installed a browser extension that sent the group a copy of data shared with Meta via its pixel.

“Advertisers should not send sensitive information about people through our Business Tools,” a Meta spokesperson told CNBC in a statement. “Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”

Meta considers potentially sensitive data to contain information about income, loan amounts, and debt status.

“Any data in Google Analytics is obfuscated, meaning it is not tied back to an individual and our policies prohibit customers from sending us data that could be used to identify a user,” a Google spokesperson told CNBC. “Additionally, Google has strict policies against advertising to people based on sensitive information.”

A TaxAct spokesperson said in a statement, “The privacy of our customers is very important to all of us at TaxAct, and we continue to comply with all laws and IRS regulations. Data provided to Facebook is used at an aggregate level, not the individual level, by TaxAct to analyze our advertising effectiveness. TaxAct is not using the information provided by its customers and referenced in the report issued by The Markup to target advertising with Facebook.”

A TaxSlayer representative did not immediately respond to CNBC's request for comment.

Google Reaches an Agreement with 40 States Over Location Tracking Practices

 

Google has consented to a $391.5 million settlement with 40 states over its use of location tracking, according to Oregon Attorney General Ellen Rosenblum. Even when users thought they had turned off location tracking in their account settings, Google continued to collect information about their whereabouts, according to Oregon's Attorney General's office. 

Commencing in 2023, the settlement requires Google to be more transparent with users and provide clearer location-tracking disclosures. The settlement was led by Rosenblum and Nebraska Attorney General Doug Peterson. As per the release, it is the largest consumer privacy settlement ever led by a group of attorneys general.

“Consistent with improvements we’ve made in recent years, we have settled this investigation which was based on outdated product policies that we changed years ago,” said Google spokesperson José Castañeda in a statement.

The basis of the investigation was revealed in a 2018 Associated Press report.

Rosenblum said in the release, “For years Google has prioritized profit over their users’ privacy. They have been crafty and deceptive. Consumers thought they had turned off their location tracking features on Google, but the company continued to secretly record their movements and use that information for advertisers.”

Google paid $85 million to settle a similar lawsuit with Arizona last month, and the company is facing additional location tracking lawsuits in Washington, D.C., Indiana, Texas, and Washington state. According to the four AGs, Google was using location data for its ad business. 

The lawsuits instruct the court to order Google to hand over any algorithms developed with allegedly ill-gotten gains, as well as any monetary profits.

A Nearly $400 Million Fine Has Been Imposed on Google by the States

 

In a settlement over Google's location tracking practices, Google will have to pay close to $400 million to over 40 states. This is part of a $2.6 billion settlement to settle the matter as announced on Monday. 

Attorney General Rosenblum led an investigation into the multinational technology company that has its headquarters in Mountain View, California, along with Nebraska Attorney General Doug Peterson. According to the Oregon Attorney General's office, this is the largest consumer privacy settlement ever brought by an attorney general. 

In 2018, Rosenblum and other attorneys general started a bipartisan investigation into the company's practices based on an article published by the Associated Press. They found that Google had created confusing settings for consumers since at least 2014, and had been violating state consumer protection laws as a result. 

Rosenblum's office explained how the public was misled. According to the settlement agreement, Google misled its users into believing that they had turned off location tracking in their account settings. In fact, Google continued to collect their location information as indicated in the settlement. Further, in conjunction with the multimillion-dollar settlement, Google has agreed in the negotiations with the AGs to improve its user controls and disclosures about location tracking by 2023. 

To make sure users receive targeted advertisements, Google uses location data, as well as other types of personal information. In the view of Rosenblum's office, users' location data is among the most sensitive pieces of information that are collected by the company. This is because it is part of its attempt to create detailed profiles of them which can further be used in order to completely reveal the identity and routines of a person. 

In Rosenblum's view, "Google has prioritized profit over the privacy of its users for years. There has been a lot of deception and craftiness on their part. The company has been secretly recording the movements of consumers throughout the day and using that information for advertising purposes in spite of the fact that they thought they had turned off location tracking on Google." 

Besides paying $391.5 million, Google has also been ordered to make key information about location tracking unavoidable for users (not hidden). Google is now required to give users detailed information on a page titled “Location Technologies” about the types of location data it collects and how it is used. 

In addition to Arkansas, Florida, Illinois, Louisiana, New Jersey, North Carolina, Pennsylvania, and Tennessee, there were many other states that were part of the settlement. 

Among the states that have joined this settlement are Alabama, Alaska, Colorado, Connecticut, Delaware, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Nevada, New Mexico, New York, North Dakota, Ohio, Oklahoma, South Carolina, South Dakota, Utah, Vermont, Virginia, and Wisconsin. 

"Consumer privacy is one of my office’s top priorities. That’s why it’s so significant to me that Oregon played a key role in this settlement," Rosenblum further stated. "Until we have comprehensive privacy laws, companies will continue to compile large amounts of our personal data for marketing purposes with few controls."

Google Acquires Alter, an AI Avatar Startup Two Months Ago


Tech giant Google has reportedly acquired Alter for around $100m in an effort to boost the content game. Alter is an artificial intelligence (AI) avatar startup that aids brands and creators in expressing their virtual identities. The acquisition also overlaps with Google’s plan of competing more aggressively with the short video platform, TikTok.  
 
Avatar, formerly known as ‘Facemoji’, essentially works with AI to create avatars for its social media users. The company started by assisting developers to create avatars for games and apps, later it rebranded as ‘Alter’ in 2020 and started helping businesses and creators generate avatars so as to build an online identity. Proficient in 3D avatar system designs, Alter empowers creators and businesses to create and monetize new experiences. 
 
The acquisition which was concluded approximately two months ago was made public only now as neither of the companies made an announcement until now. Notably, one of Google's spokespersons confirmed the accession but refused to provide details pertaining to the financial terms of the agreement.
 
With the acquisition, Google is aiming to integrate Alter’s tools to bolster its own arsenal of content, meanwhile providing Alter with new enhanced capabilities. Headquartered in the US and Czech, Alter is an open-source, cross-platform rendering engine that was jointly founded by Jon Slimak and Robin Raszka in 2017, who did not respond to a request for comment put forth by TechCrunch. 
 
The company’s advent marks a progression for web3 interoperability and the open metaverse as it adeptly works with code to modify and develop face recognition technology. 
 
According to the report, a part of Alter’s workforce has updated their new role, announcing that they have joined Google, however, an official public announcement is still pending. 
 
“Alter is an open source, cross-platform [software development kit (SDK)] consisting of a real-time 3D avatar system and motion capture built from scratch for web3 interoperability and the open metaverse. With Alter, developers can easily pipe avatars into their app, game or website,” as per the company’s LinkedIn page. 

Furthermore, in regard Google has also enhanced the emoji experience for its rather wide base of users, now offering personalised experience to them with the newly rolled out custom emojis for the web versions of Chat.

Google Cloud Delivers Web3 Developers for Blockchain Node Engine

The Blockchain still has more than 38 million customers in 140 countries worldwide, according to the Google Cloud website. In a news release, the business stated that the launch represents a resolve to aid Web3 developers in creating and deploying new products on platforms based on blockchain technology. 

Blockchains serve as a sort of decentralized database because they are made up of transaction data that is encrypted and permanently stored. The governing infrastructure is a node, which is a computer or server that holds the whole copy of the blockchain's transaction history in addition to depending on a central authority to confirm data.

Amit Zavery, GM and VP of engineering and platform, and James Tromans, director of cloud web3, announced the new service in a blog post that explained how difficult it is for blockchain nodes to stay in sync since they must continually exchange the most relevant blockchain data. It requires a lot of resources and data.

By providing a service model to handle node creation and a safe development environment in a fully managed product, Google Cloud aims to make it simpler. From Google's standpoint, it is far simpler to let them handle the labor-intensive tasks while you focus on creating your web3 application.

Additionally, Web3 businesses that need dedicated nodes can create effective contracts, relay transactions, read or write blockchain data, and more using the dependable and fast network architecture of Google Cloud. Organizations using Web3 benefit from quicker system setup, secure development, and managed service operations.

The goal of Google's blockchain service is to deploy nodes with the security of a virtual private cloud firewall that restricts networking and communication to vetted users and computers. The ability to access the notes from processes like distributed denial of service assaults will be restricted by other services like Google Cloud Armor.

Gains from Node Engine

The majority will adopt this method after Ethereum, which will employ it first. The following are some advantages that businesses could gain from using this Google Cloud Node Engine.

It takes a significant amount of time to manually node, and it can prove difficult for a node to sync with the network. However, the developers can deploy nodes using Google Cloud's Node Engine in a single transaction, simplifying and speeding up the procedure.

In the realm of cryptocurrency, data security is of utmost importance. The developers will benefit from the Engine Node's assistance in protecting their data and preventing illegal access to the nodes. Additionally, Google Cloud shields the nodes from DDoS assaults, just like Cloud Armor.

This development seeks to "assist enterprises with a stable, easy-to-use blockchain node web host so they can focus their efforts on developing and scaling their Web3 apps," according to Google Cloud's official website.

An approved group fully manages the Google Cloud Engine Node. The staff will administer the system during an outage, therefore you will have no concerns about availability. Nodes need to be restarted and monitored during an outage; the group will take care of it for clients.

Android Spills Wi-Fi Traffic When VPNs Are Enabled

Regardless of whether the Block connections without VPN or Always-on VPN options are turned on, Mullvad VPN has found that Android leaks traffic each time the device links to a WiFi network. 

Source IP addresses, DNS lookups, HTTPS traffic, and most likely NTP traffic are among the items that are being leaked outside VPN tunnels. With the help of a VPN, encrypted data can flow anonymously and be untraceable between two sites on the internet. Consider passing a ping pong ball to someone else across a table as an example. The ball is freely available for third parties to take, manipulate, and return to their intended location. It would be far more difficult to intercept the ball if it were to roll through a tube. 

Information is difficult to obtain because data goes through VPNs similarly. The source and destination of the data packet are likewise obscured because it is encrypted. The Android platform was intentionally designed with this behavior. However, due to the erroneous description of the VPN Lockdown functionality in Android's documentation, users were probably unaware of this until now.

The finding was made by Mullvad VPN while conducting an unpublished security check. The supplier has submitted a feature request to Google's Issue Tracker to fix the problem. A Google developer, however, stated that the functionality was working as intended and that Google has no plans to change it.

"We have investigated the feature request you have raised, and we are pleased to inform you that everything is operating as intended. We don't believe there is a compelling reason to offer this because we don't believe most consumers would grasp it," the Google engineer added.

Unfortunately, Always-on VPN is not totally functioning as intended and contains a glaring weakness, according to a Swedish VPN company by the name of Mullvad. The issue is that Android will send a connectivity check, every now and then to see whether any nearby servers are offering a connection. Device information essential to connectivity checks includes IP addresses, HTTPS traffic, and DNS lookups. Even with Always-on VPN turned on, anyone monitoring a connectivity check could view bits of information about the device because none of this is encrypted since it doesn't travel over the VPN tunnel.

The traffic that escapes the VPN connection contains metadata from which critical de-anonymization information, such as the locations of WiFi access points, may be derived.

The blog post by Mullvad explains that "the connection check traffic could be observed and evaluated by the party controlling the interconnect check server and any entity noticing the network traffic. Even if the message only indicates that an Android device is connected, the metadata, which includes the source IP, can be used to derive additional information, especially when combined with information like WiFi access point locations."

People who use VPNs to shield themselves from persistent attacks would still perceive the risk to be high, even though this is difficult for inexperienced threat actors. Mullvad adds that even if the leaks are not rectified, Google has to at least update the documentation to accurately state that the Block connections without VPN function would not safeguard Connectivity Checks. 

Mullvad is still discussing the data leak's relevance with Google and has requested that they make it possible to turn off connectivity checks and reduce liability points. Notably, this option has the intended capability thanks to GrapheneOS, Android-based anonymity and safety os version that can only be utilized with a select few smartphone models.

Meta: Users Warned Against Android, iOS Apps That Are Stealing Facebook Passwords

As per the report published by Facebook parent Meta on Thursday, as many as a million Facebook users have been warned of the seemingly malicious application, they may have been exposed to. The Android and iOS malware is designed to steal passwords from social networking sites. 
 
This year so far, Meta has detected more than 400 fraudulent applications, and structures for Apple or Android-powered smartphones. The malicious apps are apparently made available at the Play Store and App Store, says director of threat disruption, David Agranovich during a briefing. 
 
"These apps were listed on the Google Play Store and Apple's App Store and disguised as photo editors, games, VPN services, business apps, and other utilities to trick people into downloading them," states Meta in a Blog post.  
 
Reportedly, the fraudulent apps ask Facebook users to log in with their account information, enticing them with certain promising features. Ultimately, stealing user passwords and other credentials, if entered.  
 
"They are just trying to trick people into entering in their login information in a way that enables hackers to access their accounts [..] We will notify one million users that they may have been exposed to these applications; that is not to say they have been compromised," mentions Agranovich. 
 
With regard to these activities, Meta stated that it has shared information about the malicious apps with both Apple and Google, which controls the activities of their respective app shops.  
 
Considering this, Google said that most of the malicious apps mentioned by Meta have already been identified and removed from its Play Store by its vetting systems.  
 
"All of the apps identified in the report are no longer available on Google Play," a spokesperson told AFP. "Users are also protected by Google Play Protect, which blocks these apps on Android." 
 
On the other hand, Apple has yet not responded to questions about whether it took any action against the aforementioned apps. In the blog post, Meta also alerts internet users about certain activities they may unknowingly perform, that could leverage the threat actor.  
 
"We are also alerting people who may have unknowingly self-compromised their accounts by downloading these apps and sharing their credentials, and are helping them to secure their accounts," the blog post notes.

Google Kills its Game Streaming Service Stadia, Will Refund Purchases


About Stadia

Google is closing down its video game streaming service, Stadia, in January 2023. All purchases will be reverted back and the tech will continue to be used in YouTube and other areas of its business, however, the app for customers and storefront will shut down after five years of its launch, piling in the existing dump of projects that Google has shut down. 

While Stadia's aim towards streaming games for customers was based upon a robust tech foundation, it failed to gain the traction with the users that Google expected, resulting in the difficult decision of shutting down Stadia's streaming service. 

Google's Response

Vice President Phil Harrison said that Google is grateful for the players that have been there since the beginning of Stadia. The company will give back all the in-game purchases done on Google Store, including game and add-on content purchases made via the Stadia store. 

Players will continue to have access to their games library and can play until January 18, 2023, so that they complete the final play sessions. 

The gaming industry giant further said that refunds will be completed by mid-January, emphasizing that while Stadia will die, the tech behind it will still be available to "industry partners" for other joint-ventures, like AT&T's latest attempt to launch Batman: Arkham Knight on smartphones using streaming. 

People had a hunch of Google's moves, but what is surprising has Ubisoft announced "Assassin's Creed Mirage" will stream on Amazon's Luna service, but not Stadia, the first game in the blockbuster series to do this. 

The rise and fall of Stadia

When Stadia was initially launched, Google talked a huge game back during the Game Developer Conference 2019, however, it was evident later that Stadia wasn't quite up for the game. 

The tech was impressive, however, major features were missing, and the launch library was not up to the mark. Stadia kept on adding new games, most of them bought a la carte, to make it a lucrative investment for the casual audience Stadia was made for. 

However, Xbox Game Pass surfaced and combined a giant library with a mere monthly fee. Stadia, on the other hand, was struggling to bring big games to its platform, spending tens of millions to lure games like Red Dead Redemption 2. 

Google's next ventures

It doesn't mean that Stadia was a flop since the beginning. Google's track record, and Stadia's own history, make one ask whether they even wanted to be in this thing in the first place. 

Stadia's first-party studios closed down last year, abandoning projects in the pre-production stage and leaving a few developers who moved to a different place feeling cheated by the company. 

Harrison says Google is committed to gaming and will keep on investing in new tools, tech, and platforms that give a boost to developers, industry partners, cloud customers, and creators. 


 Google Chrome Flaw Enables Sites to Copy text to Clipboard

A flaw in the Google Chrome browser and other Chromium-based browsers could enable malicious websites to automatically rewrite the contents of the clipboard without asking the user's permission or requiring any user involvement.

Developer Jeff Johnson claims that the clipboard poisoning exploit was unintentionally added to Chrome version 104.  Web pages can also write to the system clipboard in Safari and Firefox, but both browsers have gesture-based security measures in place.

The flaw has been spotted by Chrome developers, but a patch has not yet been released, therefore it is still present in the most recent desktop and mobile versions of Chrome.

Security flaw

Operating systems have a temporary storage area called the system clipboard. It can contain sensitive information like passwords, banking account numbers, and cryptocurrency wallet strings and is frequently used for copying and pasting.

Users are at risk as they may end up being the targets of malware attacks if arbitrary content is written over this temporary storage space.

Users might be lured to visit websites that have been carefully built to look like reputable bitcoin services by hackers. The website might write the threat actor's address to the clipboard when the user attempts to make a payment and copy their wallet address to the clipboard.

On some websites, the user may be given the option to add more information to the clipboard when selecting text to copy from a website typically the page URL. However, in such cases, there is no obvious notification or user input before the clipboard overflows with random text.

All online browsers that support clipboard writing, have poor and insufficient security measures, according to a blog post on the subject.

When a user selects a piece of text and presses Control+C or chooses 'Copy' from the context menu, the web page is given permission to utilize the clipboard API.

Johnson explained, "Therefore, even a seemingly innocent action like clicking a link or using the arrow keys to scroll down the page allows the website to overwrite one's system clipboard." He conducted tests on Safari and Firefox and discovered that loading a web page allowed clipboard writing permission when the down arrow key was pressed or the mouse scroll wheel was used to navigate.

Fortunately, Johnson's testing showed that websites could not misuse this authorization to read clipboard contents, as it would be problematic for user privacy.

Google Aims to Expand Bug Bounties to its Open Source Projects



What is OSS VRP Initiative

Google is planning to give out cash rewards for information on vulnerabilities found in any of its open source projects as a part of an undergoing attempt to strengthen the security of its open source code. The latest Open Source Software Vulnerability Rewards Program (OSS VRP), which adds to Google's Vulnerability Rewards Program, was declared in a blog post recently. 

According to DarkReading "Google has already offered bounties for bugs in its Chrome browser and the Android mobile operating system, both of whose base code are managed as open source projects. The company paid out $2.9 million to 119 researchers for their reports of vulnerabilities in Android, with the highest reward hitting $157,000. Similarly, the company paid $3.3 million to 115 researchers for finding bugs in Chrome in 2021."

Google pays if you find the bug

Google is willing to pay experts up to $31,337 for giving details on vulnerabilities in open source software programs-specifically those administered by Google- that affect the firm's services and software. 

Google's aim is to protect its own software supply chain, but since many non-Google developers use the company's open source software- like Go programming language and Angular Web framework- the initiative assures to promote securing the wider open source ecosystem too. 

Initially, Google will emphasize critical and most widely used projects, Francis Perron says, who's an open source technical program manager at Google. He wants to provide a high-quality bug-hunting experience, so Google picked projects with enough maturity in their response and processes to test this program. 

The project aims to secure the software supply chain

Widening the scope will happen after Google compiles enough internal data and assures that it can scale up without ruining the projects and experts. Protecting the software supply chain is now a crucial thing for technology firms and policymakers. 

Earlier this year, the Biden administration met with open source organizations and technology firms to explore new ways to promote secure coding, finding more bugs, and speed patching of open source projects. 

In 2021, Google pledged to invest $10 Billion over five years, the favorite effort by the OpenSSF, bringing a cybersecurity advisory group and supporting its Invisible Security zero trust initiative. 

Google is proud to both support and is a part of the open-source software community. Through our existing bug bounty programs, we’ve rewarded bug hunters from over 84 countries and look forward to increasing that number through this new VRP, said Google. 

Nitrokod Crypto Miner Infected 111K+ Users with Replica of Popular Software

 

Nitrokod, a Turkish-speaking entity, has been linked to an ongoing cryptocurrency mining campaign that involves imitating a desktop application for Google Translate in order to infect over 111,000 victims in 11 countries since 2019. 

Maya Horowitz, vice president of research at Check Point, said in a statement shared with The Hacker News, "The malicious tools can be used by anyone. They can be found by a simple web search, downloaded from a link, and installation is a simple double-click." 

The victims come from the United Kingdom, the United States, Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia, and Poland. The campaign involves the distribution of malware via free software hosted on popular websites such as Softpedia and Uptodown. 

To evade detection, the malware postpones execution for weeks and distinguishes its malicious activity from the downloaded fake software. Following the installation of the infected program, an update executable is deployed to the disc, launching a four-stage attack sequence with each dropper paving for the next, until the actual malware is dropped in the seventh stage.

When the malware is executed, a connection is established to a remote command-and-control (C2) server to retrieve a configuration file to begin the coin mining activity.

The free fake software offered by the Nitrokod campaign is for services that do not have an official desktop version, such as Yandex Translate, Microsoft Translate, YouTube Music, MP3 Download Manager, and Pc Auto Shutdown.

Furthermore, the malware is dropped nearly a month after the initial infection, by which time the forensic trail has been erased, making it difficult to deconstruct the attack and detect it back to the installer.

Horowitz concluded, "What's most interesting to me is the fact that the malicious software is so popular, yet went under the radar for so long. The attacker can easily choose to alter the final payload of the attack, changing it from a crypto miner to, say, ransomware or banking trojan."

Austria: Google Breached a EU Court Order

The Austrian advocacy group noyb.eu complained to France's data protection authorities on Wednesday that Google had violated a European Union court judgment by sending unsolicited advertising emails directly to the inbox of Gmail users. 

One of Europe's busiest data regulators, the French CNIL, has imposed some of the largest fines on companies like Google and Facebook. The activist organization gave CNIL screenshots of a user's inbox that displayed advertising messages at the top.

The French word 'annonce,' or 'ad,' and a green box were used to identify the messages. According to the group, that type of marketing was only permitted under EU rules with the users' consent.

When referring to Gmail's anti-spam filters, which place the majority of unsolicited emails in a separate folder, Romain Robert, program director at noyb.eu, said, "It's as if the mailman was paid to eliminate the ads from your inbox and put his own instead."

Requests for comment from Google did not immediately receive a response. A CNIL spokeswoman acknowledged that the organization had received the complaint and was in the process of registering it.

The CNIL was chosen by Vienna-based noyb.eu (None Of Your Business) over other national data privacy watchdogs because it has a reputation for being one of the EU's most outspoken regulators, according to Robert.

Even while any CNIL ruling would only be enforceable in France, it might force Google to examine its methods there. 

Max Schrems, an Austrian lawyer and privacy activist who won a prominent privacy case before Europe's top court in 2020, formed the advocacy group Noyb.eu.

This year, the CNIL fined Google a record-breaking 150 million euros ($149 million) for making it challenging for people to reject web trackers. Facebook (FB.O), owned by Meta Platforms, was also penalized 60 million euros for the same offense.

The firms are constantly under investigation for their practice of transmitting the private details of EU citizens to databases in the US. Numerous complaints have been made by NOYB to authorities throughout the bloc, claiming that the practice is forbidden.

A crucial tenet of the European Union's data privacy policy and a primary goal for the CNIL is the prior agreement of Internet users for the use of cookies, which are small bits of data that aid in the creation of targeted digital advertising campaigns. 

Researchers: AiTM Attack are Targeting Google G-Suite Enterprise Users

 

A large-scale adversary-in-the-middle (AiTM) phishing campaign targeting enterprise users of Microsoft email services has also targeted Google Workspace users. 

"This campaign specifically targeted chief executives and other senior members of various organizations which use [Google Workspace]," Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu detailed in a report published this month.

The AiTM phishing attacks are said to have begun in mid-July 2022, using a similar method to a social engineering campaign designed to steal users' Microsoft credentials and even circumvent multi-factor authentication. 

The low-volume Gmail AiTM phishing campaign also includes the use of compromised emails from CEOs to conduct additional social engineering, with the attacks also utilizing several compromised domains as an intermediate URL redirector to take victims to the final landing page.

Attack chains entail sending password expiry emails to potential targets that encompass an embedded malicious link to supposedly "extend your access," tapping which takes the recipient to Google Ads and Snapchat redirect pages that load the phishing page URL.

Aside from open redirect abuse, a second variant of the attacks uses infected sites to host a Base64-encoded version of the next-stage redirector in the URL, as well as the victim's email address. This intermediate redirector is a piece of JavaScript code that directs you to a Gmail phishing page.

In one case, the redirector page used in the Microsoft AiTM phishing attack on July 11, 2022, was revised to take the user to a Gmail AiTM phishing page, connecting the two campaigns.

"There was also an overlap of infrastructure, and we even identified several cases in which the threat actor switched from Microsoft AiTM phishing to Gmail phishing using the same infrastructure," the researchers said.

Overall, the findings suggest that multi-factor authentication safeguards alone are insufficient to defend against advanced phishing attacks, necessitating that users scrutinize URLs before entering credentials and avoid opening attachments or clicking on links in emails sent from untrusted or unknown sources.

Onapsis Report: Flaws to be Fixed Immediately

CISA urged government organizations to fix the seven vulnerabilities it had added to its inventory on Thursday by September 8. The 'Known Exploited Vulnerabilities Catalog' is a list of CISA vulnerabilities that should be patched because they are known to be actively exploited in cyberattacks. 
List of vulnerabilities actively used by hackers, including the most recent security bugs from Apple. Google, SAP, and Microsoft.

Vulnerabilities

Onapsis disclosed the major SAP CVE-2022-22536 vulnerability in February and gave it a 10/10 severity level. CISA promptly alerted administrators of the need to fix the flaw because failure to do so could result in data loss, risks of financial fraud, disruptions of crucial business processes, ransomware attacks, and the cessation of all operations

The vendor addressed the issue in February in Web Dispatcher, Content Server 7.53, NetWeaver Application Server ABAP, NetWeaver Application Server Java, and ABAP Platform.

According to Doyhenard's research study, "both CVE-2022-22536 and CVE-2022-22532 were remotely exploitable and could be utilized by unauthenticated attackers to entirely compromise any SAP installation on the planet."

On Wednesday, Apple announced security upgrades for the CVE-2022-32893 and CVE-2022-32894 flaws in macOS and iOS/iPadOS, stating that these vulnerabilities might be used to execute code on unsecured devices.

Apple did not explain how the vulnerabilities were being exploited, however, given that CVE-2022-32894 permits code to be run with kernel privileges, it would enable total device takeover.

Google Chrome 104.0.5112.101, which was released on Tuesday, has a remedy for the CVE-2022-2856 vulnerability. Vulnerability researcher Hossein Lotfi found more information about the problem, albeit it hasn't been disclosed how hackers have used it in attacks.

Microsoft resolved the CVE-2022-21971 remote code execution vulnerability in the February 2022 Patch Tuesday, but there is no data on how it is currently being used in the wild. However, CVE-2022-26923 affects Active Directory Domain Services and involves privilege escalation. Days after Microsoft issued a fix in May, PoC exploits started to surface.

Martin Doyhenard, an Onapsis researcher, will give a paper on exploiting inter-process communication in SAP's HTTP server on August 10 at the Black Hat conference and on August 13 at the Def Con conference. The 18-page document Onapsis published describing its findings is also available.

FCEB agencies are required to address the discovered vulnerabilities by the deadline to safeguard their networks from attacks that take advantage of the flaws in the catalog, as stated in Binding Operational Directive (BOD) 22-0: Reducing the Significant Risk of Known Exploited Vulnerabilities.

New Google Chrome Zero-Day Flaw Being Exploited in the Wild

 

Google launched patches for the Chrome browser for desktops on Tuesday that address an actively exploited high-severity zero-day flaw in the wild. The issue, identified as CVE-2022-2856, has been described as a case of insufficient validation of untrusted input in Intents. 

On July 19, 2022, security researchers Ashley Shen and Christian Resell of Google Threat Analysis Group were credited with discovering the flaw. As is customary, the tech powerhouse has withheld further details about the flaw until the vast majority of users have been informed. 

"Google is aware that an exploit for CVE-2022-2856 exists in the wild," the company said aptly.

The latest update also addresses ten other security flaws, the majority of which are related to use-after-free flaws in various components such as FedCM, SwiftShader, ANGLE, and Blink. A heap buffer overflow vulnerability in Downloads has also been fixed.

This is the fifth zero-day vulnerability in Chrome that Google has fixed since the beginning of the year.
  • CVE-2022-0609 - Use-after-free in Animation
  • CVE-2022-1096 - Type confusion in V8
  • CVE-2022-1364 - Type confusion in V8
  • CVE-2022-2294 - Heap buffer overflow in WebRTC
To mitigate potential threats, users are advised to update to version 104.0.5112.101 for macOS and Linux, and 104.0.5112.102/101 for Windows. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also apply the fixes as they become available.

Google Fined $60M+ for Misleading Australians About Collecting Location Data

 

Google was fined $60 million by the Australian Competition and Consumer Commission (ACCC) for deceiving Australian Android users about the collection and utilization of their location data for over two years, between January 2017 and December 2018. 

According to the Australian Competition watchdog, the tech giant continued to follow some of its customers' Android phones even after they deleted "Location History" in the device's settings. While consumers were misled to believe that option would deactivate location tracking, another account setting, "Web & App Activity," which was enabled by default, allowed the firm to "collect, retain, and use personally identifiable location data." 

According to the ACCC, based on available data, more than 1.3 million Australian Google accounts have been impacted. 

"Google, one of the world's largest companies, was able to keep the location data collected through the 'Web & App Activity' setting and that retained data could be used by Google to target ads to some consumers, even if those consumers had the "Location History" setting turned off," stated ACCC Chair Gina Cass-Gottlieb. 

"Personal location data is sensitive and important to some consumers, and some of the users who saw the representations may have made different choices about the collection, storage and use of their location data if the misleading representations had not been made by Google." 

In October 2019, Australia's competition watchdog initiated proceedings against Google. The Australian Federal Court ruled in April 2021 that Google had violated the Australian Consumer Law by deceiving customers regarding the gathering and use of their location data. 

By 20 December 2018, Google has taken corrective action and resolved all faults that had led to this fine, with users no longer being shown deceptive information implying that halting location history will stop collecting information about the areas they go with their devices. 

"Companies need to be transparent about the types of data that they are collecting and how the data is collected and may be used so that consumers can make informed decisions about who they share that data with," Cass-Gottlieb added.