chrome

time-to-check-if-you-ran-any-of-these-33-malicious-chrome-extensions

Time to check if you ran any of these 33 malicious Chrome extensions

Biz & IT, Browsers, chrome, extensions, privacy, Security / /

Screenshot showing the phishing email sent to Cyberhaven extension developers. Credit: Amit Assaraf

A link in the email led to a Google consent screen requesting access permission for an OAuth application named Privacy Policy Extension. A Cyberhaven developer granted the permission and, in the process, unknowingly gave the attacker the ability to upload new versions of Cyberhaven’s Chrome extension to the Chrome Web Store. The attacker then used the permission to push out the malicious version 24.10.4.

Screenshot showing the Google permission request. Credit: Amit Assaraf

As word of the attack spread in the early hours of December 25, developers and researchers discovered that other extensions were targeted, in many cases successfully, by the same spear phishing campaign. John Tuckner, founder of Secure Annex, a browser extension analysis and management firm, said that as of Thursday afternoon, he knew of 19 other Chrome extensions that were similarly compromised. In every case, the attacker used spear phishing to push a new malicious version and custom, look-alike domains to issue payloads and receive authentication credentials. Collectively, the 20 extensions had 1.46 million downloads.

“For many I talk to, managing browser extensions can be a lower priority item in their security program,” Tuckner wrote in an email. “Folks know they can present a threat, but rarely are teams taking action on them. We’ve often seen in security [that] one or two incidents can cause a reevaluation of an organization’s security posture. Incidents like this often result in teams scrambling to find a way to gain visibility and understanding of impact to their organizations.”

The earliest compromise occurred in May 2024. Tuckner provided the following spreadsheet:

Name ID Version Patch Available Users Start End
VPNCity nnpnnpemnckcfdebeekibpiijlicmpom 2.0.1 FALSE 10,000 12/12/24 12/31/24
Parrot Talks kkodiihpgodmdankclfibbiphjkfdenh 1.16.2 TRUE 40,000 12/25/24 12/31/24
Uvoice oaikpkmjciadfpddlpjjdapglcihgdle 1.0.12 TRUE 40,000 12/26/24 12/31/24
Internxt VPN dpggmcodlahmljkhlmpgpdcffdaoccni 1.1.1 1.2.0 TRUE 10,000 12/25/24 12/29/24
Bookmark Favicon Changer acmfnomgphggonodopogfbmkneepfgnh 4.00 TRUE 40,000 12/25/24 12/31/24
Castorus mnhffkhmpnefgklngfmlndmkimimbphc 4.40 4.41 TRUE 50,000 12/26/24 12/27/24
Wayin AI cedgndijpacnfbdggppddacngjfdkaca 0.0.11 TRUE 40,000 12/19/24 12/31/24
Search Copilot AI Assistant for Chrome bbdnohkpnbkdkmnkddobeafboooinpla 1.0.1 TRUE 20,000 7/17/24 12/31/24
VidHelper – Video Downloader egmennebgadmncfjafcemlecimkepcle 2.2.7 TRUE 20,000 12/26/24 12/31/24
AI Assistant – ChatGPT and Gemini for Chrome bibjgkidgpfbblifamdlkdlhgihmfohh 0.1.3 FALSE 4,000 5/31/24 10/25/24
TinaMind – The GPT-4o-powered AI Assistant! befflofjcniongenjmbkgkoljhgliihe 2.13.0 2.14.0 TRUE 40,000 12/15/24 12/20/24
Bard AI chat pkgciiiancapdlpcbppfkmeaieppikkk 1.3.7 FALSE 100,000 9/5/24 10/22/24
Reader Mode llimhhconnjiflfimocjggfjdlmlhblm 1.5.7 FALSE 300,000 12/18/24 12/19/24
Primus (prev. PADO) oeiomhmbaapihbilkfkhmlajkeegnjhe 3.18.0 3.20.0 TRUE 40,000 12/18/24 12/25/24
Cyberhaven security extension V3 pajkjnmeojmbapicmbpliphjmcekeaac 24.10.4 24.10.5 TRUE 400,000 12/24/24 12/26/24
GraphQL Network Inspector ndlbedplllcgconngcnfmkadhokfaaln 2.22.6 2.22.7 TRUE 80,000 12/29/24 12/30/24
GPT 4 Summary with OpenAI epdjhgbipjpbbhoccdeipghoihibnfja 1.4 FALSE 10,000 5/31/24 9/29/24
Vidnoz Flex – Video recorder & Video share cplhlgabfijoiabgkigdafklbhhdkahj 1.0.161 FALSE 6,000 12/25/24 12/29/24
YesCaptcha assistant jiofmdifioeejeilfkpegipdjiopiekl 1.1.61 TRUE 200,000 12/29/24 12/31/24
Proxy SwitchyOmega (V3) hihblcmlaaademjlakdpicchbjnnnkbo 3.0.2 TRUE 10,000 12/30/24 12/31/24

But wait, there’s more

One of the compromised extensions is called Reader Mode. Further analysis showed it had been compromised not just in the campaign targeting the other 19 extensions but in a separate campaign that started no later than April 2023. Tuckner said the source of the compromise appears to be a code library developers can use to monetize their extensions. The code library collects details about each web visit a browser makes. In exchange for incorporating the library into the extensions, developers receive a commission from the library creator.

Time to check if you ran any of these 33 malicious Chrome extensions Read More »

doj-proposes-breakup-and-other-big-changes-to-end-google-search-monopoly

DOJ proposes breakup and other big changes to end Google search monopoly

android, Antitrust law, chrome, duckduckgo, Google, google search monopoly, microsoft, mozilla, online search industry, Policy, search engines, us department of justice / /

Google called the DOJ extending search remedies to AI “radical,” an “overreach.”

The US Department of Justice finally proposed sweeping remedies to destroy Google’s search monopoly late yesterday, and, predictably, Google is not loving any of it.

On top of predictable asks—like potentially requiring Google to share search data with rivals, restricting distribution agreements with browsers like Firefox and device makers like Apple, and breaking off Chrome or Android—the DOJ proposed remedies to keep Google from blocking competition in “the evolving search industry.” And those extra steps threaten Google’s stake in the nascent AI search world.

This is only the first step in the remedies stage of litigation, but Google is already showing resistance to both expected and unexpected remedies that the DOJ proposed. In a blog from Google’s vice president of regulatory affairs, Lee-Anne Mulholland, the company accused the DOJ of “overreach,” suggesting that proposed remedies are “radical” and “go far beyond the specific legal issues in this case.”

From here, discovery will proceed as the DOJ makes a case to broaden the scope of proposed remedies and Google raises its defense to keep remedies as narrowly tailored as possible. After that phase concludes, the DOJ will propose its final judgement on remedies in November, which must be fully revised by March 2025 for the court to then order remedies.

Even then, however, the trial is unlikely to conclude, as Google plans to appeal. In August, Mozilla’s spokesperson told Ars that the trial could drag on for years before any remedies are put in place.

In the meantime, Google plans to continue focusing on building out its search empire, Google’s president of global affairs, Kent Walker, said in August. This presumably includes innovations in AI search that the DOJ fears may further entrench Google’s dominant position.

Scrutiny of Google’s every move in the AI industry will likely only be heightened in that period. As Google has already begun seeking exclusive AI deals with companies like Apple, it risks appearing to engage in the same kinds of anti-competitive behavior in AI markets as the court has already condemned. And giving that impression could not only impact remedies ordered by the court, but also potentially weaken Google’s chances of winning on appeal, Lee Hepner, an antitrust attorney monitoring the trial for the American Economic Liberties Project, told Ars.

Ending Google’s monopoly starts with default deals

In the DOJ’s proposed remedy framework, the DOJ says that there’s still so much more to consider before landing on final remedies that it reserves “the right to add or remove potential proposed remedies.”

Through discovery, DOJ said that it plans to continue engaging experts and stakeholders “to learn not just about the relevant markets themselves but also about adjacent markets as well as remedies from other jurisdictions that could affect or inform the optimal remedies in this action.

“To be effective, these remedies… must include some degree of flexibility because market developments are not always easy to predict and the mechanisms and incentives for circumvention are endless,” the DOJ said.

Ultimately, the DOJ said that any remedies sought should be “mutually reinforcing” and work to “unfetter” Google’s current monopoly in general search services and general text advertising markets. That effort would include removing barriers to competition—like distribution and revenue-sharing agreements—as well as denying Google monopoly profits and preventing Google from monopolizing “related markets in the future,” the DOJ said.

Any effort to undo Google’s monopoly starts with ending Google’s control over “the most popular distribution channels,” the DOJ said. At one point during the trial, for example, a witness accidentally blurted out that Apple gets a 36 percent cut from its Safari deal with Google. Lucrative default deals like that leave rivals with “little-to-no incentive to compete for users,” the DOJ said.

“Fully remedying these harms requires not only ending Google’s control of distribution today, but also ensuring Google cannot control the distribution of tomorrow,” the DOJ warned.

To dislodge this key peg propping up Google’s search monopoly, some options include ending Google’s default deals altogether, which would “limit or prohibit default agreements, preinstallation agreements, and other revenue-sharing arrangements related to search and search-related products, potentially with or without the use of a choice screen.”

A breakup could be necessary

Behavior and structural remedies may also be needed, the DOJ proposed, to “prevent Google from using products such as Chrome, Play, and Android to advantage Google search and Google search-related products and features—including emerging search access points and features, such as artificial intelligence—over rivals or new entrants.” That could mean spinning off the Chrome browser or restricting Google from preinstalling its search engine as the default in Chrome or on Android devices.

In her blog, Mulholland conceded that “this case is about a set of search distribution contracts” but claimed that “overbroad restrictions on distribution contracts” would create friction for Google users and “reduce revenue for companies like Mozilla” as well as Android smart phone makers.

Asked to comment on supposedly feared revenue losses, a Mozilla spokesperson told Ars, “[We are] closely monitoring the legal process and considering its potential impact on Mozilla and how we can positively influence the next steps. Mozilla has always championed competition and choice online, particularly in search. Firefox continues to offer a range of search options, and we remain committed to serving our users’ preferences while fostering a competitive market.”

Mulholland also warned that “splitting off” Chrome or Android from Google’s search business “would break them” and potentially “raise the cost of devices,” because “few companies would have the ability or incentive to keep them open source, or to invest in them at the same level we do.”

“We’ve invested billions of dollars in Chrome and Android,” Mulholland wrote. “Chrome is a secure, fast, and free browser and its open-source code provides the backbone for numerous competing browsers. Android is a secure, innovative, and free open-source operating system that has enabled vast choice in the smartphone market, helping to keep the cost of phones low for billions of people.”

Google has long argued that its investment in open source Chrome and Android projects benefits developers whose businesses and customers would be harmed if those efforts lost critical funding.

“Features like Chrome’s Safe Browsing, Android’s security features, and Play Protect benefit from information and signals from a range of Google products and our threat-detection expertise,” Mulholland wrote. “Severing Chrome and Android would jeopardize security and make patching security bugs harder.”

Hepner told Ars that Android could potentially thrive if broken off from Google, suggesting that through discovery, it will become clearer what would happen if either Google product was severed from the company.

“I think others would agree that Android is a company that is capable [being] a standalone entity,” Hepner said. “It could be independently monetized through relationships with device manufacturers, web browsers, alternative Play Stores that are not under Google’s umbrella. And that if that were the case, what you would see is that Android and the operating system marketplace begins to evolve to meet the needs and demands of innovative products that are not being created just by Google. And you’ll see that dictating the evolution of the marketplace and fundamentally the flow of information across our society.”

Mulholland also claimed that sharing search data with rivals risked exposing users to privacy and security risks, but the DOJ vowed to be “mindful of potential user privacy concerns in the context of data sharing” while distinguishing “genuine privacy concerns” from “pretextual arguments” potentially misleading the court regarding alleged risks.

One possible way around privacy concerns, the DOJ suggested, would be prohibiting Google from collecting the kind of sensitive data that cannot be shared with rivals.

Finally, to stop Google from charging supra-competitive prices for ads, the DOJ is “evaluating remedies” like licensing or syndicating Google’s ad feed “independent of its search results.” Further, the DOJ may require more transparency, forcing Google to provide detailed “search query reports” featuring currently obscured “information related to its search text ads auction and ad monetization.”

Stakeholders were divided on whether the DOJ’s initial framework is appropriate.

Matt Schruers, the CEO of a trade association called the Computer & Communications Industry Association (which represents Big Tech companies like Google), criticized the DOJ’s “hodgepodge of structural and behavioral remedies” as going “far beyond” what’s needed to address harms.

“Any remedy should be narrowly tailored to address specific conduct, which in this case was a set of search distribution contracts,” Schruers said. “Instead, the proposed DOJ remedies would reshape numerous industries and products, which would harm consumers and innovation in these dynamic markets.”

But a senior vice president of public affairs for Google search rival DuckDuckGo, Kamyl Bazbaz, praised the DOJ’s framework as being “anchored to the court’s ruling” and appropriately broad.

“This proposal smartly takes aim at breaking Google’s illegal hold on the general search market now and ushers in a new era of enduring competition moving forward,” Bazbaz said. “The framework understands that no single remedy can undo Google’s illegal monopoly, it will require a range of behavioral and structural remedies to free the market.”

Bazbaz expects that “Google is going to use every resource at its disposal to discredit this proposal,” suggesting that “should be taken as a sign this framework can create real competition.”

AI deals could weaken Google’s appeal, expert says

Google appears particularly disturbed by the DOJ’s insistence that remedies must be forward-looking and prevent Google from leveraging its existing monopoly power “to feed artificial intelligence features.”

As Google sees it, the DOJ’s attempt to attack Google’s AI business “comes at a time when competition in how people find information is blooming, with all sorts of new entrants emerging and new technologies like AI transforming the industry.”

But the DOJ has warned that Google’s search monopoly potentially feeding AI features “is an emerging barrier to competition and risks further entrenching Google’s dominance.”

The DOJ has apparently been weighing some of the biggest complaints about Google’s AI training when mulling remedies. That includes listening to frustrated site owners who can’t afford to block Google from scraping data for AI training because the same exact crawler indexes their content in Google search results. Those site owners have “little choice” but to allow AI training or else sacrifice traffic from Google search, The Seattle Times reported.

Remedy options may come with consequences

Remedies in the search trial might change that. In their proposal, the DOJ said it’s considering remedies that would “prohibit Google from using contracts or other practices to undermine rivals’ access to web content and level the playing field by requiring Google to allow websites crawled for Google search to opt out of training or appearing in any Google-owned artificial-intelligence product or feature on Google search,” such as Google’s controversial AI summaries.

Hepner told Ars that “it’s not surprising at all” that remedies cover both search and AI because “at the core of Google’s monopoly power is its enormous scale and access to data.”

“The Justice Department is clearly thinking creatively,” Hepner said, noting that “the ability for content creators to opt out of having their material and work product used to train Google’s AI systems is an interesting approach to depriving Google of its immense scale.”

The DOJ is also eyeing controls on Google’s use of scale to power AI advertising technologies like Performance Max to end Google’s supracompetitive pricing on text ads for good.

It’s critical to think about the future, the DOJ argued in its framework, because “Google’s anticompetitive conduct resulted in interlocking and pernicious harms that present unprecedented complexities in a highly evolving set of markets”—not just in the markets where Google holds monopoly powers.

Google disagrees with this alleged “government overreach.”

“Hampering Google’s AI tools risks holding back American innovation at a critical moment,” Mulholland warned, claiming that AI is still new and “competition globally is fierce.”

“There are enormous risks to the government putting its thumb on the scale of this vital industry—skewing investment, distorting incentives, hobbling emerging business models—all at precisely the moment that we need to encourage investment, new business models, and American technological leadership,” Mulholland wrote.

Hepner told Ars that he thinks that the DOJ’s proposed remedies framework actually “meets the moment and matches the imperative to deprive Google of its monopoly hold on the search market, on search advertising, and potentially on future related markets.”

To ensure compliance with any remedies pursued, the DOJ also recommended “protections against circumvention and retaliation, including through novel paths to preserving dominance in the monopolized markets.”

That means Google might be required to “finance and report to a Court-appointed technical committee” charged with monitoring any Google missteps. The company may also have to agree to retain more records for longer—including chat messages that the company has been heavily criticized for deleting. And through this compliance monitoring, Google may also be prohibited from owning a large stake in any rivals.

If Google were ever found willfully non-compliant, the DOJ is considering a “range of provisions,” including risking more extreme structural or behavioral remedies or enduring extensions of compliance periods.

As the remedies stage continues through the spring, followed by Google’s prompt appeal, Hepner suggested that the DOJ could fight to start imposing remedies before the appeal concludes. Likely Google would just as strongly fight for any remedies to be delayed.

While the trial drags on, Hepner noted that Google already appears to be trying to strike another default deal with Apple that appears pretty similar to the controversial distribution deals at the heart of the search monopoly trial. In March, Apple started mulling using Google’s Gemini to exclusively power new AI features for the iPhone.

“This is basically the exact same anticompetitive behavior that they were found liable for,” Hepner told Ars, suggesting this could “weaken” Apple’s defense both against the DOJ’s broad framework of proposed remedies and during the appeal.

“If Google is actually engaging in the same anti-competitive conduct and artificial intelligence markets that they were found liable for in the search market, the court’s not going to look kindly on that relative to an appeal,” Hepner said.

Photo of Ashley Belanger

Ashley is a senior policy reporter for Ars Technica, dedicated to tracking social impacts of emerging policies and new technologies. She is a Chicago-based journalist with 20 years of experience.

DOJ proposes breakup and other big changes to end Google search monopoly Read More »

all-the-possible-ways-to-destroy-google’s-monopoly-in-search

All the possible ways to destroy Google’s monopoly in search

android, antitrust, Antitrust law, Apple, Bing, chrome, department of justice, duckduckgo, Features, Google, google monopoly, microsoft, mozilla, online search, online search industry, Policy, samsung / /
All the possible ways to destroy Google’s monopoly in search

Aurich Lawson

After US District Judge Amit Mehta ruled that Google has a monopoly in two markets—general search services and general text advertising—everybody is wondering how Google might be forced to change its search business.

Specifically, the judge ruled that Google’s exclusive deals with browser and device developers secured Google’s monopoly. These so-called default agreements funneled the majority of online searches to Google search engine result pages (SERPs), where results could be found among text ads that have long generated the bulk of Google’s revenue.

At trial, Mehta’s ruling noted, it was estimated that if Google lost its most important default deal with Apple, Google “would lose around 65 percent of its revenue, even assuming that it could retain some users without the Safari default.”

Experts told Ars that disrupting these default deals is the most obvious remedy that the US Department of Justice will seek to restore competition in online search. Other remedies that may be sought range from least painful for Google (mandating choice screens in browsers and devices) to most painful (requiring Google to divest from either Chrome or Android, where it was found to be self-preferencing).

But the remedies phase of litigation may have to wait until after Google’s appeal, which experts said could take years to litigate before any remedies are ever proposed in court. Whether Google could be successful in appealing the ruling is currently being debated, with anti-monopoly advocates backing Mehta’s ruling as “rock solid” and critics suggesting that the ruling’s fresh takes on antitrust law are open to attack.

Google declined Ars’ request to comment on appropriate remedies or its plan to appeal.

Previously, Google’s president of global affairs, Kent Walker, confirmed in a statement that the tech giant would be appealing the ruling because the court found that “Google is ‘the industry’s highest quality search engine, which has earned Google the trust of hundreds of millions of daily users,’ that Google ‘has long been the best search engine, particularly on mobile devices,’ ‘has continued to innovate in search,’ and that ‘Apple and Mozilla occasionally assess Google’s search quality relative to its rivals and find Google’s to be superior.'”

“Given this, and that people are increasingly looking for information in more and more ways, we plan to appeal,” Walker said. “As this process continues, we will remain focused on making products that people find helpful and easy to use.”

But Mehta found that Google was wielding its outsize influence in the search industry to block rivals from competing by locking browsers and devices into agreements ensuring that all searches went to Google SERPs. None of the pro-competitive benefits that Google claimed justified the exclusive deals persuaded Mehta, who ruled that “importantly,” Google “exercised its monopoly power by charging supra-competitive prices for general search text ads”—and thus earned “monopoly profits.”

While experts think the appeal process will delay litigation on remedies, Google seems to think that Mehta may rule on potential remedies before Google can proceed with its appeal. Walker told Google employees that a ruling on remedies may arrive in the next few months, The Wall Street Journal reported. Ars will continue monitoring for updates on this timeline.

As the DOJ’s case against Google’s search business has dragged on, reports have long suggested that a loss for Google could change the way that nearly the entire world searches the Internet.

Adam Epstein—the president and co-CEO of adMarketplace, which bills itself as “the largest consumer search technology company outside of Google and Bing”—told Ars that innovations in search could result in a broader landscape of more dynamic search experiences that draw from sources beyond Google and allow searchers to skip Google’s SERPs entirely. If that happens, the coming years could make Google’s ubiquitous search experience today a distant memory.

“By the end of this decade, going to a search engine results page will seem quaint,” Epstein predicted. “The court’s decision sets the stage for a remedy that will dramatically improve the search experience for everyone connected to the web. The era of innovation in search is just around the corner.”

The DOJ has not meaningfully discussed potential remedies it will seek, but Jonathan Kanter, assistant attorney general of the Justice Department’s antitrust division, celebrated the ruling.

“This landmark decision holds Google accountable,” Kanter said. “It paves the path for innovation for generations to come and protects access to information for all Americans.”

All the possible ways to destroy Google’s monopoly in search Read More »

chrome’s-manifest-v3,-and-its-changes-for-ad-blocking,-are-coming-real-soon

Chrome’s Manifest V3, and its changes for ad blocking, are coming real soon

ad blockers, browser extensions, chrome, chrome manifest v3, Google, google chrome, google chrome extensions, manifest v3, Tech, ublock lite, ublock origin / /

Chrome Manifest V3 —

Chrome is warning users that their extension makers need to update soon.

Chrome logo, squared off in the style of a popular ad-blocking logo

Ron Amadeo

Google Chrome’s long, long project to implement a new browser extension platform is seemingly going to happen, for real, after six years of cautious movement.

One of the first ways people are seeing this is if they use uBlock Origin, a popular ad-blocking extension, as noted by Bleeping Computer. Recently, Chrome users have seen warnings pop up that “This extension may soon no longer be supported,” with links asking the user to “Remove or replace it with similar extensions” from Chrome’s Web Store. You might see a similar warning on some extensions if you head to Chrome’s Extensions page (chrome://extensions).

What’s happening is Chrome preparing to make Manifest V3 required for extensions that want to run on its platform. First announced in 2018, the last word on Manifest V3 was that V2 extensions would start being nudged out in early June on the Beta, Dev, and Canary update channels. Users will be able to manually re-enable V2 extensions “for a short time,” Google has said, “but over time, this toggle will go away as well.” The shift for enterprise Chrome deployments is expected to be put off until June 2025.

Google has said that its new extension platform was built for “improving the security, privacy, performance, and trustworthiness of the extension ecosystem.” The Electronic Frontier Foundation (EFF) disagrees most strongly with the security aspect, and Firefox-maker Mozilla, while intending to support V3 extensions for cross-browser compatibility, has no plans to cut off support for V2 extensions, signaling that it doesn’t see the big improvement.

Perhaps the biggest point of friction is with ad blockers. Google has said it “isn’t killing ad blockers” but “making them safer,” in an explanatory blog post. Google noted in November 2023 that Manifest V3 allowed for a greater number, and more dynamic updating, of content-blocking rules in extensions, specifically ad blockers.

But one of the biggest changes is in disallowing “remotely hosted code,” which includes the filtering lists that ad blockers keep regularly updated. Ad blockers that want to update their filtering lists, perhaps in response to pivots by platforms like Google’s YouTube and ad servers, will have to do so through the Chrome Web Store’s review process. Ad-blocking coders see it as an intentional gatekeeping and slowing.

Google said before the initial May push toward V3 that 85 percent of actively maintained extensions in its store had Manifest V3 versions ready. Raymond Hill wrote on uBlock Origin’s GitHub page Friday that there will not be a full version of uBlock Origin that works with Manifest V3, but instead a “Lite” version that is “a pared-down version of uBO with a best effort at converting filter lists used by uBO into a Manifest V3-compliant approach.”

Chrome’s Manifest V3, and its changes for ad blocking, are coming real soon Read More »

chrome-will-now-prompt-some-users-to-send-passwords-for-suspicious-files

Chrome will now prompt some users to send passwords for suspicious files

Biz & IT, chrome, Google, passwords, safe browsing, Security / /

SAFE BROWSING —

Google says passwords and files will be deleted shortly after they are deep-scanned.

Chrome will now prompt some users to send passwords for suspicious files

Google is redesigning Chrome malware detections to include password-protected executable files that users can upload for deep scanning, a change the browser maker says will allow it to detect more malicious threats.

Google has long allowed users to switch on the Enhanced Mode of its Safe Browsing, a Chrome feature that warns users when they’re downloading a file that’s believed to be unsafe, either because of suspicious characteristics or because it’s in a list of known malware. With Enhanced Mode turned on, Google will prompt users to upload suspicious files that aren’t allowed or blocked by its detection engine. Under the new changes, Google will prompt these users to provide any password needed to open the file.

Beware of password-protected archives

In a post published Wednesday, Jasika Bawa, Lily Chen, and Daniel Rubery of the Chrome Security team wrote:

Not all deep scans can be conducted automatically. A current trend in cookie theft malware distribution is packaging malicious software in an encrypted archive—a .zip, .7z, or .rar file, protected by a password—which hides file contents from Safe Browsing and other antivirus detection scans. In order to combat this evasion technique, we have introduced two protection mechanisms depending on the mode of Safe Browsing selected by the user in Chrome.

Attackers often make the passwords to encrypted archives available in places like the page from which the file was downloaded, or in the download file name. For Enhanced Protection users, downloads of suspicious encrypted archives will now prompt the user to enter the file’s password and send it along with the file to Safe Browsing so that the file can be opened and a deep scan may be performed. Uploaded files and file passwords are deleted a short time after they’re scanned, and all collected data is only used by Safe Browsing to provide better download protections.

Enter a file password to send an encrypted file for a malware scan

Enlarge / Enter a file password to send an encrypted file for a malware scan

Google

For those who use Standard Protection mode which is the default in Chrome, we still wanted to be able to provide some level of protection. In Standard Protection mode, downloading a suspicious encrypted archive will also trigger a prompt to enter the file’s password, but in this case, both the file and the password stay on the local device and only the metadata of the archive contents are checked with Safe Browsing. As such, in this mode, users are still protected as long as Safe Browsing had previously seen and categorized the malware.

Sending Google an executable casually downloaded from a site advertising a screensaver or media player is likely to generate little if any hesitancy. For more sensitive files such as a password-protected work archive, however, there is likely to be more pushback. Despite the assurances the file and password will be deleted promptly, things sometimes go wrong and aren’t discovered for months or years, if at all. People using Chrome with Enhanced Mode turned on should exercise caution.

A second change Google is making to Safe Browsing is a two-tiered notification system when users are downloading files. They are:

  1. Suspicious files, meaning those Google’s file-vetting engine have given a lower-confidence verdict, with unknown risk of user harm
  2. Dangerous files, or those with a high confidence verdict that they pose a high risk of user harm

The new tiers are highlighted by iconography, color, and text in an attempt to make it easier for users to easily distinguish between the differing levels of risk. “Overall, these improvements in clarity and consistency have resulted in significant changes in user behavior, including fewer warnings bypassed, warnings heeded more quickly, and all in all, better protection from malicious downloads,” the Google authors wrote.

Previously, Safe Browsing notifications looked like this:

Differentiation between suspicious and dangerous warnings.

Enlarge / Differentiation between suspicious and dangerous warnings.

Google

Over the past year, Chrome hasn’t budged on its continued support of third-party cookies, a decision that allows companies large and small to track users of that browser as they navigate from website to website to website. Google’s alternative to tracking cookies, known as the Privacy Sandbox, has also received low marks from privacy advocates because it tracks user interests based on their browser usage.

That said, Chrome has long been a leader in introducing protections, such as a security sandbox that cordons off risky code so it can’t mingle with sensitive data and operating system functions. Those who stick with Chrome should at a minimum keep Standard Mode Safe Browsing on. Users with the experience required to judiciously choose which files to send to Google should consider turning on Enhanced Mode.

Chrome will now prompt some users to send passwords for suspicious files Read More »

google-halts-its-4-plus-year-plan-to-turn-off-tracking-cookies-by-default-in-chrome

Google halts its 4-plus-year plan to turn off tracking cookies by default in Chrome

Apple, chrome, Firefox, Floc, Google, google chrome, mozilla, privacy sandbox, Tech, third party cookies, tracking cookies / /

Filling, but not nutritious —

A brief history of Google’s ideas, proposals, and APIs for cookie replacements.

A woman in a white knit sweater, holding a Linzer cookie (with jam inside a heart cut-out) in her crossed palms.

Enlarge / Google, like most of us, has a hard time letting go of cookies. Most of us just haven’t created a complex set of APIs and brokered deals across regulation and industry to hold onto the essential essence of cookies.

Getty Images

Google has an announcement today: It’s not going to do something it has thought about, and tinkered with, for quite some time.

Most people who just use the Chrome browser, rather than develop for it or try to serve ads to it, are not going to know what “A new path for Privacy Sandbox on the web” could possibly mean. The very short version is that Google had a “path,” first announced in January 2020, to turn off third-party (i.e., tracking) cookies in the most-used browser on Earth, bringing it in line with Safari, Firefox, and many other browsers. Google has proposed several alternatives to the cookies that follow you from page to page, constantly pitching you on that space heater you looked at three days ago. Each of these alternatives has met varying amounts of resistance from privacy and open web advocates, trade regulators, and the advertising industry.

So rather than turn off third-party cookies by default and implement new solutions inside the Privacy Sandbox, Chrome will “introduce a new experience” that lets users choose their tracking preferences when they update or first use Chrome. Google will also keep working on its Privacy Sandbox APIs but in a way that recognizes the “impact on publishers, advertisers, and everyone involved in online advertising.” Google also did not fail to mention it was “discussing this new path with regulators.”

Why today? What does it really mean? Let’s journey through more than four and a half years of Google’s moves to replace third-party cookies, without deeply endangering its standing as the world’s largest advertising provider.

2017–2022: FLoC or “What if machines tracked you, not cookies?”

Google’s big moves toward a standstill likely started at Apple headquarters. Its operating system updates in the fall of 2017 implemented a 24-hour time limit on ad-targeting cookies in Safari, the default browser on Macs and iOS devices. A “Coalition of Major Advertising Trade Associations” issued a sternly worded letter opposing this change, stating it would “drive a wedge between brands and their customers” and make advertising “more generic and less timely and useful.”

By the summer of 2019, Firefox was ready to simply block tracking cookies by default. Google, which makes the vast majority of its money through online advertising, made a different, broader argument against dropping third-party cookies. To paraphrase: Trackers will track, and if we don’t give them a proper way to do it, they’ll do it the dirty way by fingerprinting browsers based on version numbers, fonts, screen size, and other identifiers. Google said it had some machine learning that could figure out when it was good to share your browsing habits. For example:

New technologies like Federated Learning show that it’s possible for your browser to avoid revealing that you are a member of a group that likes Beyoncé and sweater vests until it can be sure that group contains thousands of other people.

In January 2020, Google shifted its argument from “along with” to “instead of” third-party cookies. Chrome Engineering Director Justin Schuh wrote, “Building a more private Web: A path towards making third party cookies obsolete,” suggesting that broad support for Chrome’s privacy sandbox tools would allow for dropping third-party cookies entirely. Privacy advocate Ben Adida described the move as “delivering teeth” and “a big deal.” Feedback from the W3C and other parties, Schuh wrote at that time, “gives us confidence that solutions in this space can work.”

Google's explanatory graphic for FLoC, or Federated Learning of Cohorts.

Google’s explanatory graphic for FLoC, or Federated Learning of Cohorts.

Google

As Google developed its replacement for third-party cookies, the path grew trickier and the space more perilous. The Electronic Frontier Foundation described Google’s FLoC, or the “Federated Learning of Cohorts” that would let Chrome machine-learn your profile for sites and ads, as “A Terrible Idea.” The EFF was joined by Mozilla, Apple, WordPress, DuckDuckGo, and lots of browsers based on Chrome’s core Chromium code in being either opposed or non-committal to FLoC. Google pushed back testing FLOC until late 2022 and third-party cookie removal (and thereby FLoC implementation) until mid-2023.

By early 2022, FLoC didn’t have a path forward. Google pivoted to a Topics API, which would give users a bit more control over which topics (“Rock Music,” “Auto & Vehicles”) would be transmitted to potential advertisers. It would certainly improve over third-party cookies, which are largely inscrutable in naming and offer the user only one privacy policy: block them, or delete them all and lose lots of logins.

Google halts its 4-plus-year plan to turn off tracking cookies by default in Chrome Read More »

google-patches-its-fifth-zero-day-vulnerability-of-the-year-in-chrome

Google patches its fifth zero-day vulnerability of the year in Chrome

Biz & IT, chrome, Google, Security, Uncategorized, vulnerability, zero-day / /

MEMORY WANTS TO BE FREE —

Exploit code for critical “use-after-free” bug is circulating in the wild.

Extreme close-up photograph of finger above Chrome icon on smartphone.

Google has updated its Chrome browser to patch a high-severity zero-day vulnerability that allows attackers to execute malicious code on end user devices. The fix marks the fifth time this year the company has updated the browser to protect users from an existing malicious exploit.

The vulnerability, tracked as CVE-2024-4671, is a “use after free,” a class of bug that occurs in C-based programming languages. In these languages, developers must allocate memory space needed to run certain applications or operations. They do this by using “pointers” that store the memory addresses where the required data will reside. Because this space is finite, memory locations should be deallocated once the application or operation no longer needs it.

Use-after-free bugs occur when the app or process fails to clear the pointer after freeing the memory location. In some cases, the pointer to the freed memory is used again and points to a new memory location storing malicious shellcode planted by an attacker’s exploit, a condition that will result in the execution of this code.

On Thursday, Google said an anonymous source notified it of the vulnerability. The vulnerability carries a severity rating of 8.8 out of 10. In response, Google said, it would be releasing versions 124.0.6367.201/.202 for macOS and Windows and 124.0.6367.201 for Linux in subsequent days.

“Google is aware that an exploit for CVE-2024-4671 exists in the wild,” the company said.

Google didn’t provide any other details about the exploit, such as what platforms were targeted, who was behind the exploit, or what they were using it for.

Counting this latest vulnerability, Google has fixed five zero-days in Chrome so far this year. Three of the previous ones were used by researchers in the Pwn-to-Own exploit contest. The remaining one was for a vulnerability for which an exploit was available in the wild.

Chrome automatically updates when new releases become available. Users can force the update or confirm they’re running the latest version by going to Settings > About Chrome and checking the version and, if needed, clicking on the Relaunch button.

Google patches its fifth zero-day vulnerability of the year in Chrome Read More »

microsoft-edge-is-apparently-usurping-chrome-on-people’s-pcs

Microsoft Edge is apparently usurping Chrome on people’s PCs

chrome, Microsoft Edge, Tech / /

invasion of the browser snatchers —

An apparent bug that plays into criticisms of how Microsoft pushes Edge.

Microsoft Edge is apparently usurping Chrome on people’s PCs

If you run the Chrome browser in Windows 10 or 11 and you’ve suddenly discovered that you’re running Microsoft Edge instead, you’re not alone. The Verge’s Tom Warren reports that he and multiple other users on social media and Microsoft’s support forums have suddenly found their Chrome browsing sessions mysteriously replicated in Edge.

Without an official comment from Microsoft, Warren posits that the tab-snatching happened because of a bug or an inadvertently clicked-through dialog box that triggers a feature in Edge that’s meant to make it easier to (intentionally) switch browsers. The setting, which can be accessed by typing edge://settings/profiles/importBrowsingData into the browser’s address bar, offers to import recent browsing data from Chrome every time you launch Edge, as opposed to the one-time data import it offers for Firefox.

The setting in question, as seen on a Windows 11 23H2 system running Edge 122. It will offer to continuously import data from Chrome, but not from other browsers. Edge will offer a one-time data import from Firefox, but most other browsers (like Opera) don't show up here.

Enlarge / The setting in question, as seen on a Windows 11 23H2 system running Edge 122. It will offer to continuously import data from Chrome, but not from other browsers. Edge will offer a one-time data import from Firefox, but most other browsers (like Opera) don’t show up here.

Andrew Cunningham

Assuming it is a bug, this data-importing issue is hard to distinguish from some of Microsoft’s actual officially sanctioned, easy-to-reproduce tactics for pushing Edge. I encountered two of these while installing Chrome on a PC for this piece—one when I navigated to the Chrome download page and another across the top of Edge’s Settings pages after I had set another browser as my default.

Microsoft has also used system notifications, special Edge-specific pop-up messages, and full-screen post-update messages about “recommended browser settings” to push Windows users into running Edge and using Bing. (I personally would love it if PCs I’ve been using for months or years would stop asking me to “finish setting up [my] device.”)

Edge is based on the same Chromium browsing engine as Chrome, and most users probably wouldn’t notice much of a difference in how most pages render in either browser. But Edge is centered on Microsoft’s products and services, starting with a Microsoft account but also extending to coupon codes and other shopping notifications, the Microsoft 365 app suite, and generative AI tools like Image Designer and the Copilot chatbot.

Microsoft has gotten more aggressive about how it pushes everything from Microsoft account sign-in to Microsoft 365 and Game Pass subscriptions in recent years, something that has made a “clean” Windows install feel much less clean than it used to. Whether this Edge data-import thing is a bug, it’s telling that it’s not immediately obvious whether it’s a bug or something that Microsoft did intentionally.

Microsoft Edge is apparently usurping Chrome on people’s PCs Read More »

the-year-of-windows-on-arm?-google-launches-official-chrome-builds.

The year of Windows on Arm? Google launches official Chrome builds.

chrome, Google, google chrome, Tech, windows on arm / /

Armed and ready —

Chrome for Windows-on-Arm should hit stable in time for Qualcomm’s big launch.

The Chrome nightly download page with an important section highlighted.

Enlarge / The Chrome nightly download page with an important section highlighted.

Ron Amadeo

Chrome is landing on a new platform: Windows on Arm. We don’t have an official announcement yet, but X user Pedro Justo was the first to spot that the Chrome Canary page now quietly hosts binaries for “Windows 11 Arm.”

Chrome has run on Windows for a long time, but that’s the x86 version. It also supports various Arm OSes, like Android, Chrome OS, and Mac OS. There’s also Chromium, the open source codebase on Chrome, which has run on Windows Arm for a while now, thanks mostly to Microsoft’s Edge browser being a Chromium derivative. The official “Google Chrome” has never been supported on Windows on Arm until now, though.

Windows may be a huge platform, but “Windows on Arm” is not. Apple’s switch to the Arm architecture has been a battery life revelation for laptops, and in the wake of that, interest in Windows on Arm has picked up. A big inflection point will be the release of laptops with the Qualcomm Snapdragon X Elite SoC in mid-2024. Assuming Qualcomm’s pre-launch hype pans out, this will be the first Arm on Windows chip to be in the same class as Apple Silicon. Previously, Windows on Arm could only run Chrome as an x86 app via a slow translation layer, so getting the world’s most popular browser to a native quality level in time for launch will be a big deal for Qualcomm.

The “Canary” channel is Chrome’s nightly builds channel, so fresh Arm builds should be arriving at a rapid pace. Usually, Canary features take about two months to hit the stable channels, which would be plenty of time for the new Snapdragon chip. It’s hard to know if Google will stick to that timeline, as this is a whole new architecture/OS combo. But again, most of the work has been ongoing for years now. The next steps would be rolling out Windows Arm dev and beta channels soon.

Listing image by Photo illustration by Aurich Lawson

The year of Windows on Arm? Google launches official Chrome builds. Read More »

google-agrees-to-settle-chrome-incognito-mode-class-action-lawsuit

Google agrees to settle Chrome incognito mode class action lawsuit

chrome, class action, Google, incognito mode, lawsuit, Policy, privacy / /

Not as private as you thought —

2020 lawsuit accused Google of tracking incognito activity, tying it to users’ profiles.

Google agrees to settle Chrome incognito mode class action lawsuit

Getty Images

Google has indicated that it is ready to settle a class-action lawsuit filed in 2020 over its Chrome browser’s Incognito mode. Arising in the Northern District of California, the lawsuit accused Google of continuing to “track, collect, and identify [users’] browsing data in real time” even when they had opened a new Incognito window.

The lawsuit, filed by Florida resident William Byatt and California residents Chasom Brown and Maria Nguyen, accused Google of violating wiretap laws. It also alleged that sites using Google Analytics or Ad Manager collected information from browsers in Incognito mode, including web page content, device data, and IP address. The plaintiffs also accused Google of taking Chrome users’ private browsing activity and then associating it with their already-existing user profiles.

Google initially attempted to have the lawsuit dismissed by pointing to the message displayed when users turned on Chrome’s incognito mode. That warning tells users that their activity “might still be visible to websites you visit.”

Judge Yvonne Gonzalez Rogers rejected Google’s bid for summary judgement in August, pointing out that Google never revealed to its users that data collection continued even while surfing in Incognito mode.

“Google’s motion hinges on the idea that plaintiffs consented to Google collecting their data while they were browsing in private mode,” Rogers ruled. “Because Google never explicitly told users that it does so, the Court cannot find as a matter of law that users explicitly consented to the at-issue data collection.”

According to the notice filed on Tuesday, Google and the plaintiffs have agreed to terms that will result in the litigation being dismissed. The agreement will be presented to the court by the end of January, with the court giving final approval by the end of February.

Google agrees to settle Chrome incognito mode class action lawsuit Read More »