Mitchel  Carter

Mitchel Carter

1603036800

Google’s Chrome 86: Critical Payments Bug, Password Checker Among Security Notables

Google’s latest version of its browser, Chrome 86, is now being rolled out with 35 security fixes – including a critical bug – and a feature that checks if users have any compromised passwords.

As of Tuesday, Chrome 86 is being promoted to the stable channel for Windows, Mac and Linux and will roll out over the coming days. The versions of the browser for Android and iOS were also released Tuesday, and will become available on Google Play and the App Store this week.

Included in the newest browser version is a critical flaw (CVE-2020-15967) existing in Chrome’s payments component. The flaw, reported by Man Yue Mo of GitHub Security Lab, is a use-after-free vulnerability. Use after free is a memory-corruption flaw where an attempt is made to access memory after it has been freed. This can cause an array of malicious impacts, from causing a program to crash, to potentially leading to execution of arbitrary code.

Use-after-free bugs have plagued Google Chrome in the past year. In fact, all seven high-severity vulnerabilities fixed by Google in Chrome 86 were use-after-free flaws – ranging from ones affecting Chrome’s printing (CVE-2020-15971), audio (CVE-2020-15972), password manager (CVE-2020-15991) and WebRTC (CVE-2020-15969) components (WebRTC is a protocol for rich-media web communication).

Further details of the bugs are not yet available, as “access to bug details and links may be kept restricted until a majority of users are updated with a fix,” according to Google’s Tuesday post.

Password Check

The Android and iOS versions of Chrome 86 will also come with a new security feature, which will send a copy of user’s usernames and passwords using a “special form of encryption.” That then lets Google check them against list of passwords known to be compromised.

“Passwords are often the first line of defense for our digital lives,” Abdel Karim Mardini, senior product manager with Chrome, said in a Tuesday post. “Today, we’re improving password security on both Android and iOS devices by telling you if the passwords you’ve asked Chrome to remember have been compromised, and if so, how to fix them.”

At the back end, when Google detects a username and password exposed by a data breach, it stores a strongly hashed and encrypted copy of the data. Then, when Chrome users log into a website, the feature sends a strongly hashed and encrypted version of their username and password to Google – meaning the company never derives usernames or passwords from the encrypted copy, it said.

#vulnerabilities #web security #android #chrome #chrome 86 #compromised password #credential stuffing #cve-2020-15967 #cve-2020-15969 #cve-2020-15971 #cve-2020-15972 #cve-2020-15991 #encryption #google #google payments #https #ios #linux #mac #password check #patches #safety check #security fix #security improvements #windows

What is GEEK

Buddha Community

Google’s Chrome 86: Critical Payments Bug, Password Checker Among Security Notables
Mitchel  Carter

Mitchel Carter

1603036800

Google’s Chrome 86: Critical Payments Bug, Password Checker Among Security Notables

Google’s latest version of its browser, Chrome 86, is now being rolled out with 35 security fixes – including a critical bug – and a feature that checks if users have any compromised passwords.

As of Tuesday, Chrome 86 is being promoted to the stable channel for Windows, Mac and Linux and will roll out over the coming days. The versions of the browser for Android and iOS were also released Tuesday, and will become available on Google Play and the App Store this week.

Included in the newest browser version is a critical flaw (CVE-2020-15967) existing in Chrome’s payments component. The flaw, reported by Man Yue Mo of GitHub Security Lab, is a use-after-free vulnerability. Use after free is a memory-corruption flaw where an attempt is made to access memory after it has been freed. This can cause an array of malicious impacts, from causing a program to crash, to potentially leading to execution of arbitrary code.

Use-after-free bugs have plagued Google Chrome in the past year. In fact, all seven high-severity vulnerabilities fixed by Google in Chrome 86 were use-after-free flaws – ranging from ones affecting Chrome’s printing (CVE-2020-15971), audio (CVE-2020-15972), password manager (CVE-2020-15991) and WebRTC (CVE-2020-15969) components (WebRTC is a protocol for rich-media web communication).

Further details of the bugs are not yet available, as “access to bug details and links may be kept restricted until a majority of users are updated with a fix,” according to Google’s Tuesday post.

Password Check

The Android and iOS versions of Chrome 86 will also come with a new security feature, which will send a copy of user’s usernames and passwords using a “special form of encryption.” That then lets Google check them against list of passwords known to be compromised.

“Passwords are often the first line of defense for our digital lives,” Abdel Karim Mardini, senior product manager with Chrome, said in a Tuesday post. “Today, we’re improving password security on both Android and iOS devices by telling you if the passwords you’ve asked Chrome to remember have been compromised, and if so, how to fix them.”

At the back end, when Google detects a username and password exposed by a data breach, it stores a strongly hashed and encrypted copy of the data. Then, when Chrome users log into a website, the feature sends a strongly hashed and encrypted version of their username and password to Google – meaning the company never derives usernames or passwords from the encrypted copy, it said.

#vulnerabilities #web security #android #chrome #chrome 86 #compromised password #credential stuffing #cve-2020-15967 #cve-2020-15969 #cve-2020-15971 #cve-2020-15972 #cve-2020-15991 #encryption #google #google payments #https #ios #linux #mac #password check #patches #safety check #security fix #security improvements #windows

Tyrique  Littel

Tyrique Littel

1603450800

Chrome 86 Aims to Bar Abusive Notification Content

Google has added a new feature to Chrome 86 that aims to stomp out abusive notification content.

Web notifications are utilized for a variety of applications – such as prompting site visitors to sign up for newsletters. However, they can also be misused for phishing, malware or fake messages that imitate system notifications for the purpose of generating user interactions. Google has taken steps to battle this issue by automatically blocking the web notifications that display abusive or misleading content.

When visitors encounter a webpage with malicious notification content, the webpage will be blocked and a Chrome alert on the upper navigation bar will warn them that the website might be trying to trick them into displaying intrusive notifications. It will ask them to “Continue Blocking” or “Allow” – the latter option will let users continue on to the webpage.

“Abusive notification prompts are one of the top user complaints we receive about Chrome,” according to PJ McLachlan, product manager with Google, on Wednesday. “Our goal with these changes is to improve the experience for Chrome users and to reduce the incentive for abusive sites to misuse the web-notifications feature.”

In order to detect sites that send abusive notification content, Google will first subscribe occasionally to website push notifications (if the push permission is requested) via its automated web crawling service.

Notifications that are sent to the automated Chrome instances will be evaluated for abusive content, and sites sending abusive notifications will be flagged for enforcement if the issue is unresolved, said Google.

When a site is found to be in “failing” status for any type of notification abuse, Google will send a warning email to the registered owners of the site 30 days before cracking down. During this time, websites can address the issue and request another review.

Google first implemented controls that went against abusive notifications with Chrome 80, when it introduced a “quiet notification permission UI [user interface]” feature. Then, in Chrome 84, it announced auto-enrollment in quiet notification UI for websites with abusive-notification permission requests, such as sites that use deceptive patterns to request notification permissions.

However, the new enforcement in Chrome 86 takes it a step further by focusing “on notification content and is triggered by sites that have a history of sending messages containing abusive content,” said Google. “This treatment applies to sites that try to trick users into accepting the notification permission for malicious purposes, for example sites that use web notifications to send malware or to mimic system messages to obtain user login credentials.”

In an upcoming release, Chrome will revert the notification permission status from “granted” to “default” for abusive origins, preventing further notifications unless the user returns to the abusive origin and re-enables them. That’s because “prior to the release of Chrome’s abusive notifications protections, many users have already unintentionally allowed notifications from websites engaging in abusive activity,” it said.

Google this week also warned of an update to its Chrome browser that patches a zero-day vulnerability in the software’s FreeType font rendering library that was actively being exploited in the wild.

#web security #abusive content #abusive notifications #blocking #browser #browser notifications #chrome 80 #chrome 84 #chrome 86 #google #google chrome #malicious notification #safe browsing #web security

How To Set Up Two-Factor Authentication in cPanel

What is 2FA
Two-Factor Authentication (or 2FA as it often referred to) is an extra layer of security that is used to provide users an additional level of protection when securing access to an account.
Employing a 2FA mechanism is a vast improvement in security over the Singe-Factor Authentication method of simply employing a username and password. Using this method, accounts that have 2FA enabled, require the user to enter a one-time passcode that is generated by an external application. The 2FA passcode (usually a six-digit number) is required to be input into the passcode field before access is granted. The 2FA input is usually required directly after the username and password are entered by the client.

#tutorials #2fa #access #account security #authentication #authentication method #authentication token #cli #command line #cpanel #feature manager #google authenticator #one time password #otp #otp authentication #passcode #password #passwords #qr code #security #security code #security policy #security practices #single factor authentication #time-based one-time password #totp #two factor authentication #whm

Kole  Haag

Kole Haag

1600930800

Google Chrome Bugs Open Browsers to Attack

Google has stomped out several serious code-execution flaws in its Chrome browser. To exploit the flaw, an attacker would merely need to convince a target to visit a specially crafted webpage via phishing or other social-engineering lures.

Overall, Google’s release of Chrome 85.0.4183.121 for Windows, Mac and Linux – which will roll out over the coming days – fixed 10 vulnerabilities. The successful exploitation of the most severe of these could allow an attacker to execute arbitrary code in the context of the browser, according to Google. Google Chrome versions prior to 85.0.4183.121 are affected.

“Depending on the privileges associated with the application, an attacker could view, change or delete data,” according to Google’s Tuesday security advisory. “If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.”

#vulnerabilities #web security #chrome 85.0.4183.121 #chrome browser #chromium #cve-2020-15961 #cve-2020-15962 #cve-2020-15963 #cve-2020-15965 #fix #google #google chrome #google flaw #out of bounds read #security updates #stable channel release

Micheal  Block

Micheal Block

1602936000

Wormable Apple iCloud Bug Allows Automatic Photo Theft

A group of ethical hackers cracked open Apple’s infrastructure and systems and, over the course of three months, discovered 55 vulnerabilities, a number of which would have given attackers complete control over customer and employee applications.

Of note, a critical, wormable iCloud account takeover bug would allow attackers to automatically steal all of a victim’s documents, photos, videos and more.

The discovery by hackers Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes demonstrated key weaknesses in the company’s “massive” infrastructure while it also earned the team nearly $300,000 to date in rewards for their efforts, Curry wrote in an extensive blog post detailing the team’s findings.

Among the flaws found in core portions of Apple’s infrastructure includes ones that would have allowed an attacker to: “fully compromise both customer and employee applications; launch a worm capable of automatically taking over a victim’s iCloud account; retrieve source code for internal Apple projects; fully compromise an industrial control warehouse software used by Apple; and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources,” he wrote.

Of the 55 vulnerabilities discovered, 11 were rated with critical severity, 29 with high severity, 13 with medium severity and two with low severity. Researchers rated the bugs based on the CvSS vulnerability-severity rating, and “our understanding of the business-related impact,” Curry said.

The wormable iCloud bug is a cross-site scripting (XSS) issue, according to the writeup. iCloud is an automatic storage mechanism for photos, videos, documents, and app related data for Apple products. Additionally, this platform provides services like Mail and Find my iPhone.

“The mail service is a full email platform where users can send and receive emails similar to Gmail and Yahoo,” explained Curry. “Additionally, there is a mail app on both iOS and Mac which is installed by default on the products. The mail service is hosted on www.icloud.com alongside all of the other services like file and document storage.”

He added, “This meant, from an attackers perspective, that any cross-site scripting vulnerability would allow an attacker to retrieve whatever information they wanted to from the iCloud service.”

#bug bounty #cloud security #hacks #iot #mobile security #privacy #vulnerabilities #web security #$300 #000 #apple #apple bug bounty program #applications #authentication bypass #bug bounty #critical bugs #critical flaws #developers #ethical hackers #hackers #hardware #icloud #sam curry #software #source code #takeover #vulnerabilities #wormable #xss