Google Chrome Warning Issued For Most Windows PC Users

Forbes, a day ago

Beware this hidden Chrome threat.
This is another interesting month for Google's 3 billion Chrome users, with a U.S. government mandate to update all browsers by June 26 and another update warning this week as further vulnerabilities are discovered. But there's a very different Chrome threat to your PC, and it's much more difficult to find and fix.
Already this month we have been warned by LayerX that 'a network of malicious sleeper agent extensions' are 'waiting for their "marching order" to execute malicious code on unsuspecting users' computers.' A huge number of Chrome users have at least one extension installed, which is one of the browser's biggest security risks.
Now Symantec warns that some of the most popular extensions it has analyzed, 'expose information such as browsing domains, machine IDs, OS details, usage analytics, and more.' The research team says 'many users assume that popular Chrome extensions adhere to strong security practices,' but that's just not the case.
Symantec found that even some big-brand extensions 'unintentionally transmit sensitive data over simple HTTP. By doing so, they expose browsing domains, machine IDs, operating system details, usage analytics, and even uninstall information.'
More alarmingly, 'because the traffic is unencrypted, a Man-in-the-Middle (MITM) attacker on the same network can intercept and, in some cases, even modify this data, leading to far more dangerous scenarios than simple eavesdropping.'
Bugcrowd's Trey Ford told me 'this is a very common way to compromise browsers for various outcomes, ranging from stealing credentials and spying on users, to simply establishing ways to very uniquely identify and track users across the internet. Ultimately this can manifest as a form of malware, and unavoidably create new attack surface for miscreants to attack and compromise a very secure browsing experience.'
There's no easy answer to this one. Symantec says that while 'none of [the extensions] appear to leak direct passwords,' the data can still fuel attacks. 'The risk is not just theoretical; unencrypted traffic is simple to capture, and the data can be used for profiling, phishing, or other targeted attacks.'
Symantec notified the developers behind the tested extensions (details in its report). 'The overarching lesson,' the team says, 'is that a large install base or a well-known brand does not necessarily ensure best practices around encryption. Extensions should be scrutinized for the protocols they use and the data they share.'
According to Keeper Security's Patrick Tiquet, 'this highlights a critical gap in extension security,' if and when 'developers cut corners.' He warns that 'transmitting data over unencrypted HTTP and hard-coding secrets exposes users to profiling, phishing and adversary-in-the-middle attacks – especially on unsecured networks.'
The risk is especially acute for enterprises. 'Organizations should take immediate action by enforcing strict controls around browser extension usage, managing secrets securely and monitoring for suspicious behavior across endpoints. Just because a browser extension is very popular and has a large user base doesn't mean it's secure. Businesses must scrutinize all browser extensions to protect sensitive data and identities.'
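
An added example, not from Symantec's report or from this article: a static check in the spirit of the advice to scrutinize extensions for the protocols they use and the data they share. It scans the files of an unpacked extension for plaintext `http://` endpoints and lists the query parameter names sent to each; the sample extension, host names and parameter names are constructed for illustration.

```javascript
// All file contents below are constructed sample data, not taken from any real extension.
const SAMPLE_EXTENSION = {
  "manifest.json": JSON.stringify({
    manifest_version: 3, name: "Sample Helper (constructed)",
    host_permissions: ["https://api.example.test/*", "http://stats.example.test/*"],
  }),
  "background.js": [
    'const SVG_NS = "http://www.w3.org/2000/svg"; // namespace string, never fetched',
    'fetch("https://api.example.test/v1/config");',
    "fetch(`http://stats.example.test/ping?mid=${machineId}&os=${os}&dom=${host}`);",
    'chrome.runtime.setUninstallURL("http://stats.example.test/bye?mid=" + machineId);',
    'fetch("http://localhost:8123/dev-reload");',
  ].join("\n"),
};

// Hosts that are not network exposure: loopback and XML namespace identifiers.
const IGNORED_HOSTS = new Set(["localhost", "127.0.0.1", "www.w3.org"]);
// Matches http:// (not https://); group 1 is the host without port.
const HTTP_URL = /http:\/\/([^\/\s"'`:?#]+)[^\s"'`]*/g;

// Names of query parameters visible in the URL literal (values are often built at runtime).
function paramNames(url) {
  const query = url.split("?")[1] || "";
  return query.split("&").map((kv) => kv.split("=")[0]).filter(Boolean);
}

// files: { relativePath: fileText }. Returns one finding per plaintext URL reference.
function findPlaintextEndpoints(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    text.split("\n").forEach((lineText, i) => {
      for (const m of lineText.matchAll(HTTP_URL)) {
        if (IGNORED_HOSTS.has(m[1].toLowerCase())) continue;
        findings.push({ file, line: i + 1, host: m[1], params: paramNames(m[0]) });
      }
    });
  }
  return findings;
}

// Groups findings per host so a reviewer sees what each plaintext endpoint receives.
function summarizeByHost(findings) {
  const byHost = {};
  for (const f of findings) {
    byHost[f.host] = byHost[f.host] || { hits: 0, params: new Set() };
    byHost[f.host].hits += 1;
    f.params.forEach((p) => byHost[f.host].params.add(p));
  }
  return byHost;
}
for (const [host, r] of Object.entries(summarizeByHost(findPlaintextEndpoints(SAMPLE_EXTENSION))))
  console.log(`${host}: ${r.hits} plaintext reference(s); params: ${[...r.params].join(", ")}`);
```

A string match only shows where plaintext URLs appear in the source; confirming what is actually sent still requires observing the extension's traffic.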
