All news with #browser security tag

88 articles · page 2 of 5

VoidStealer bypasses Chrome ABE to steal browser secrets

🔐 Researchers have identified a new infostealer called VoidStealer that bypasses Chrome's Application-Bound Encryption (ABE) to exfiltrate stored passwords, cookies, and tokens. Unlike prior ABE bypasses that relied on code injection or elevated privileges, VoidStealer attaches as a debugger and uses hardware breakpoints to capture the v20_master-key at the precise moment it appears in plaintext. The malware can fall back to injection-based methods but prioritizes the stealthy debugger technique. Defenders should monitor for debugger attachments, unexpected memory reads, and anomalous Chrome process activity.

ShieldGuard crypto browser extension scam dismantled

🔒 Researchers have dismantled the ShieldGuard crypto scam after Okta Threat Intelligence flagged the malicious browser extension in an advisory on March 17. Marketed as a wallet security tool with social promotion and token "airdrop" incentives, the extension instead harvested wallet addresses, scraped full HTML content after logins and tracked users across sessions. It used obfuscation and a custom JavaScript interpreter to evade Chrome protections and supported remote command-and-control execution. Partners removed the extension from the Chrome Web Store, disabled backend infrastructure, took down domains and blocked sign-in functionality; users are advised to limit plugins, verify sources and treat free-token offers with caution.

Anthropic Uses Claude Opus 4.6 to Find 22 Firefox Flaws

🔍 Anthropic reported discovering 22 new vulnerabilities in the Firefox browser using Claude Opus 4.6 during a two-week assessment in January 2026. Fourteen issues were rated high, seven moderate and one low, and most were patched in Firefox 148. The model detected a JavaScript use-after-free bug in about 20 minutes, which researchers validated in a virtualized environment. When tasked to produce exploits the model succeeded only twice after many attempts and roughly $4,000 in API spend, underscoring that discovery is cheaper than reliable exploitation.

2026 Browser Report: Enterprise Security Blind Spots

🛡️ The 2026 State of Browser Security Report from Keep Aware warns that modern browsers—now hosting embedded AI copilots and generative tools—have become the primary execution layer for enterprise work and the largest emerging security gap. The study finds broad adoption of AI web tools, frequent uploads of internal and regulated data, and that traditional DLP and network controls fail to inspect typed inputs, pasted content, and in-session file uploads. It highlights phishing, malicious extensions, and social engineering as leading browser attack vectors and urges organizations to adopt browser-specific visibility, continuous extension governance, and account-level controls for AI usage.

Google Chrome moves to two-week stable release cycle

🔁 With the release of Chrome 153 on September 8, Google will move from a four-week to a two-week release cadence for both beta and stable channels on Desktop, Android, and iOS. Dev and Canary channels remain on their current schedules while an eight-week Extended Stable branch will be preserved for enterprise customers. Google says smaller, more frequent milestones will reduce disruption and simplify post-release debugging. Users can expect more frequent feature rollouts and occasional restart prompts, and weekly security updates will continue under the August 2023 model.

Chrome Gemini Vulnerability Allowed Extension Hijack

🛡 Unit 42 discovered CVE-2026-0628, a high-severity flaw in Chrome's new Gemini Live panel that allowed extensions with only declarativeNetRequest permissions to inject JavaScript into the privileged panel context. That injection could escalate extension privileges to access camera and microphone, read local files, take screenshots and render phishing content inside a trusted browser UI. Google was notified on 2025-10-23 and issued a patch in early January 2026. Palo Alto Networks recommends mitigations such as Prisma Browser and related protections.

QuickLens Chrome Extension Compromised to Steal Crypto

⚠️ The QuickLens Chrome extension was removed from the Chrome Web Store after a malicious update (v5.8) was pushed that added info‑stealing and ClickFix attack functionality. Security researchers found the extension stripped security headers, added powerful permissions, and contacted a command‑and‑control server to fetch and run payloads on every page. A fake Google Update prompt led to malware that targeted Windows and attempted to steal browser credentials and cryptocurrency seed phrases. Google has disabled the extension; affected users should remove it, scan devices, reset passwords, and move funds from compromised wallets.

Redesigning Turnstile and Challenge Pages at Cloudflare

🔐 Cloudflare describes a comprehensive redesign of its Turnstile widget and full-page Challenge Pages, interfaces that are served billions of times per day. After a detailed audit and international user testing, the team consolidated inconsistent error states into a single information architecture and simplified messaging to reduce user friction. The refresh emphasizes AAA accessibility (WCAG 2.2 AAA), clearer in-widget troubleshooting, consistent localization across 40+ languages, and subtle visual cues that lower abandonment without weakening security.

Millions of Chrome Extensions Leak Users' Browsing History

🔍 A security researcher using the pseudonym Q Continuum discovered 287 Chrome extensions that send users' browsing history and related metadata to remote servers. The investigator ran an automated pipeline that launched Chrome in Docker, installed extensions, visited test sites, and captured outgoing traffic to reveal risky behavior across VPNs, proxy tools, coupon and PDF add‑ons, and browser utilities. Many extensions request broad cross‑site host permissions and transmit data in obfuscated or encrypted formats (Base64, ROT47, LZ‑String, even AES‑256 wrapped in RSA‑OAEP), which makes detection harder and can enable corporate espionage or credential harvesting when cookies are included.

Leaky Chrome Extensions Exposed Browsing Histories

🔍 An estimated 37 million global installs of Chrome extensions have been found transmitting users’ browsing histories to external servers. Independent researcher 'Q Continuum' identified 287 extensions that sent data closely matching visited URLs during automated simulated browsing. Flagged add-ons spanned VPNs, productivity tools, shopping/coupon helpers and browser utilities, and many obfuscated outbound payloads using base64, ROT47, compression or strong encryption. The researcher warned such exfiltration could expose internal corporate URLs and, where cookies or session data are accessible, enable credential harvesting.

Fake AI Chrome extensions steal credentials, emails

⚠️ Researchers at LayerX uncovered a campaign of 30 malicious Chrome extensions, installed by more than 300,000 users, that masquerade as AI assistants while exfiltrating credentials, email content, and browsing data. The add-ons render remote content in full-screen iframes from a single domain (tapnetic.pro), letting operators change behavior without store updates. Fifteen extensions specifically inject into Gmail, reading visible thread text (including drafts) and sending it off-device, and several implement voice transcription via the Web Speech API. Users should review LayerX indicators of compromise and reset passwords if they suspect exposure.

EDR, Email and SASE Miss an Entire Class of Browser Attacks

🔍 Most enterprise work now takes place in the browser, yet security architectures still center on endpoints, email, and network layers. Keep Aware calls this mismatch a "safe haven" that attackers exploit with user-driven flows that leave little forensic evidence. Common techniques include click‑prompt social engineering, malicious extensions, man‑in‑the‑browser variants, and HTML smuggling — all of which can appear legitimate to EDR, email security, or SASE. Without browser-level visibility, teams struggle to prevent, reconstruct, or learn from these incidents.

Zscaler Acquires SquareX to Extend Browser Zero Trust

🔒 Zscaler has acquired Singapore-based SquareX to extend browser detection and response (BDR) capabilities into standard web browsers across managed and unmanaged devices. The move enables Zscaler to deliver Zero Trust Exchange controls via lightweight extensions rather than requiring a separate enterprise browser. SquareX's runtime extension enforces session-specific controls such as browser-native DLP, dynamic content isolation, real-time behaviour monitoring, clipboard protections and AI prompt safeguards, integrating with Zscaler policy enforcement to reduce reliance on legacy VPN/VDI.

Future Mode: The Agentic, Secure Browser for Enterprises

🤖 Chrome Enterprise presents the browser as an intelligent, agentic workspace that automates multi‑step tasks and integrates Google’s Gemini models directly into the user experience. It emphasizes enterprise controls—such as enhanced DLP (real‑time copy/paste restrictions, data masking, dynamic watermarking) and per‑group AI feature management—to prevent data leakage and limit access to unapproved generative tools. Chrome also adds a double‑check review system and strict site scoping for agent actions, aiming to balance productivity gains with robust security protections.

CrashFix Fake Extension Delivers ModelRAT via Browser Crash

🚨 Security researchers have uncovered the CrashFix campaign, which uses a deceptive Chrome extension to intentionally crash browsers and trick victims into executing attacker-supplied commands. The malicious add-on, identified as NexShield-Advanced Web Protection and branded to resemble uBlock Origin Lite, remains dormant for about an hour before exhausting resources and forcing repeated crashes. On restart, users see a fake repair prompt instructing them to paste a command into the Windows Run dialog; executing it launches a multistage infection that ultimately deploys a previously undocumented Python-based remote access trojan named ModelRAT. Huntress ties the activity to a threat cluster it calls KongTuke and warns administrators to remove look-alike extensions, avoid running unsolicited fix commands, and use published IOCs to detect related activity.

Comparing Secure Enterprise Browsers: Choosing Wisely

🔒 Web browsers remain a primary enterprise attack surface, and the market for secure browsers is maturing as vendors and hyperscalers fold browser isolation into broader security platforms. The article summarizes evaluation criteria — from MFA, isolation and DLP to extension control, logging and anonymous surfing — and highlights recent consolidation and vendor offerings. It emphasizes integration, support and cost tradeoffs when choosing a deployment mode.

Fake NexShield Extension Crashes Browsers for ClickFix

🛑 A malvertising campaign deployed a fake ad-blocker extension named NexShield that intentionally crashes Chrome and Edge to stage ClickFix attacks. Researchers at Huntress found the extension creates infinite chrome.runtime port loops that exhaust memory, freezing or crashing browsers. After restart, a deceptive pop-up instructs users to run a clipboard-pasted command that launches an obfuscated PowerShell chain. On domain-joined systems this delivers the Python-based ModeloRAT; home users receive a test payload.

GhostPoster Extensions Removed After 840K Installations

⚠️ LayerX researchers identified 17 malicious browser extensions tied to the GhostPoster campaign that collectively recorded about 840,000 installs across Chrome, Firefox, and Edge. The extensions concealed heavily obfuscated JavaScript inside image files and icons to monitor browsing activity, implant a backdoor, hijack affiliate links, and inject invisible iframes for ad and click fraud. A more advanced variant in an Instagram Downloader extension used staged execution and bundled image payloads to evade detection; stores have removed the listed extensions, but installed users may still be compromised.

CrowdStrike to Acquire Seraphic for Browser Security

🔒 CrowdStrike announced intent to acquire Seraphic to extend the Falcon platform into browsers and enforce security within live sessions across Chrome, Edge, Safari, Firefox and agentic browsers on managed and unmanaged devices. The integration promises in-session zero-trust enforcement, protection for AI interactions, randomized JavaScript engine defenses, and agentless-style controls for contractors. Combined with SGNL’s continuous authorization technology, CrowdStrike aims to deliver unified, identity-driven browser security without forcing browser replacement.

Trust Wallet Links $8.5M Crypto Theft to Shai-Hulud Attack

🔐 Trust Wallet attributes a December 24 compromise of its Chrome extension to activity tied to the Sha1‑Hulud campaign after attackers added malicious JavaScript to version 2.68. The injected code harvested sensitive wallet data and enabled unauthorized transactions, resulting in roughly $8.5 million stolen from over 2,500 wallets. Exposed GitHub developer secrets revealed a Chrome Web Store API key that let the attacker publish a trojanized build. Trust Wallet revoked release APIs, had malicious domains suspended, and has begun reimbursing victims while warning of impersonation scams.