< ciso
brief />
Tag Banner

All news with #browser security tag

101 articles · page 3 of 6

Redesigning Turnstile and Challenge Pages at Cloudflare

🔐Cloudflare describes a comprehensive redesign of its Turnstile widget and full-page Challenge Pages, interfaces that are served billions of times per day. After a detailed audit and international user testing, the team consolidated inconsistent error states into a single information architecture and simplified messaging to reduce user friction. The refresh emphasizes AAA accessibility (WCAG 2.2 AAA), clearer in-widget troubleshooting, consistent localization across 40+ languages, and subtle visual cues that lower abandonment without weakening security.
read more →

Millions of Chrome Extensions Leak Users' Browsing History

🔍 A security researcher using the pseudonym Q Continuum discovered 287 Chrome extensions that send users' browsing history and related metadata to remote servers. The investigator ran an automated pipeline that launched Chrome in Docker, installed extensions, visited test sites, and captured outgoing traffic to reveal risky behavior across VPNs, proxy tools, coupon and PDF add‑ons, and browser utilities. Many extensions request broad cross‑site host permissions and transmit data in obfuscated or encrypted formats (Base64, ROT47, LZ‑String, even AES‑256 wrapped in RSA‑OAEP), which makes detection harder and can enable corporate espionage or credential harvesting when cookies are included.
read more →

Leaky Chrome Extensions Exposed Browsing Histories

🔍 An estimated 37 million global installs of Chrome extensions have been found transmitting users’ browsing histories to external servers. Independent researcher 'Q Continuum' identified 287 extensions that sent data closely matching visited URLs during automated simulated browsing. Flagged add-ons spanned VPNs, productivity tools, shopping/coupon helpers and browser utilities, and many obfuscated outbound payloads using base64, ROT47, compression or strong encryption. The researcher warned such exfiltration could expose internal corporate URLs and, where cookies or session data are accessible, enable credential harvesting.
read more →

Fake AI Chrome extensions steal credentials, emails

⚠️ Researchers at LayerX uncovered a campaign of 30 malicious Chrome extensions, installed by more than 300,000 users, that masquerade as AI assistants while exfiltrating credentials, email content, and browsing data. The add-ons render remote content in full-screen iframes from a single domain (tapnetic.pro), letting operators change behavior without store updates. Fifteen extensions specifically inject into Gmail, reading visible thread text (including drafts) and sending it off-device, and several implement voice transcription via the Web Speech API. Users should review LayerX indicators of compromise and reset passwords if they suspect exposure.
read more →

EDR, Email and SASE Miss an Entire Class of Browser Attacks

🔍 Most enterprise work now takes place in the browser, yet security architectures still center on endpoints, email, and network layers. Keep Aware calls this mismatch a "safe haven" that attackers exploit with user-driven flows that leave little forensic evidence. Common techniques include click‑prompt social engineering, malicious extensions, man‑in‑the‑browser variants, and HTML smuggling — all of which can appear legitimate to EDR, email security, or SASE. Without browser-level visibility, teams struggle to prevent, reconstruct, or learn from these incidents.
read more →

Zscaler Acquires SquareX to Extend Browser Zero Trust

🔒 Zscaler has acquired Singapore-based SquareX to extend browser detection and response (BDR) capabilities into standard web browsers across managed and unmanaged devices. The move enables Zscaler to deliver Zero Trust Exchange controls via lightweight extensions rather than requiring a separate enterprise browser. SquareX's runtime extension enforces session-specific controls such as browser-native DLP, dynamic content isolation, real-time behaviour monitoring, clipboard protections and AI prompt safeguards, integrating with Zscaler policy enforcement to reduce reliance on legacy VPN/VDI.
read more →

Future Mode: The Agentic, Secure Browser for Enterprises

🤖 Chrome Enterprise presents the browser as an intelligent, agentic workspace that automates multi‑step tasks and integrates Google’s Gemini models directly into the user experience. It emphasizes enterprise controls—such as enhanced DLP (real‑time copy/paste restrictions, data masking, dynamic watermarking) and per‑group AI feature management—to prevent data leakage and limit access to unapproved generative tools. Chrome also adds a double‑check review system and strict site scoping for agent actions, aiming to balance productivity gains with robust security protections.
read more →

CrashFix Fake Extension Delivers ModelRAT via Browser Crash

🚨 Security researchers have uncovered the CrashFix campaign, which uses a deceptive Chrome extension to intentionally crash browsers and trick victims into executing attacker-supplied commands. The malicious add-on, identified as NexShield-Advanced Web Protection and branded to resemble uBlock Origin Lite, remains dormant for about an hour before exhausting resources and forcing repeated crashes. On restart, users see a fake repair prompt instructing them to paste a command into the Windows Run dialog; executing it launches a multistage infection that ultimately deploys a previously undocumented Python-based remote access trojan named ModelRAT. Huntress ties the activity to a threat cluster it calls KongTuke and warns administrators to remove look-alike extensions, avoid running unsolicited fix commands, and use published IOCs to detect related activity.
read more →

Comparing Secure Enterprise Browsers: Choosing Wisely

🔒 Web browsers remain a primary enterprise attack surface, and the market for secure browsers is maturing as vendors and hyperscalers fold browser isolation into broader security platforms. The article summarizes evaluation criteria — from MFA, isolation and DLP to extension control, logging and anonymous surfing — and highlights recent consolidation and vendor offerings. It emphasizes integration, support and cost tradeoffs when choosing a deployment mode.
read more →

Fake NexShield Extension Crashes Browsers for ClickFix

🛑 A malvertising campaign deployed a fake ad-blocker extension named NexShield that intentionally crashes Chrome and Edge to stage ClickFix attacks. Researchers at Huntress found the extension creates infinite chrome.runtime port loops that exhaust memory, freezing or crashing browsers. After restart, a deceptive pop-up instructs users to run a clipboard-pasted command that launches an obfuscated PowerShell chain. On domain-joined systems this delivers the Python-based ModeloRAT; home users receive a test payload.
read more →

GhostPoster Extensions Removed After 840K Installations

⚠️ LayerX researchers identified 17 malicious browser extensions tied to the GhostPoster campaign that collectively recorded about 840,000 installs across Chrome, Firefox, and Edge. The extensions concealed heavily obfuscated JavaScript inside image files and icons to monitor browsing activity, implant a backdoor, hijack affiliate links, and inject invisible iframes for ad and click fraud. A more advanced variant in an Instagram Downloader extension used staged execution and bundled image payloads to evade detection; stores have removed the listed extensions, but installed users may still be compromised.
read more →

CrowdStrike to Acquire Seraphic for Browser Security

🔒 CrowdStrike announced intent to acquire Seraphic to extend the Falcon platform into browsers and enforce security within live sessions across Chrome, Edge, Safari, Firefox and agentic browsers on managed and unmanaged devices. The integration promises in-session zero-trust enforcement, protection for AI interactions, randomized JavaScript engine defenses, and agentless-style controls for contractors. Combined with SGNL’s continuous authorization technology, CrowdStrike aims to deliver unified, identity-driven browser security without forcing browser replacement.
read more →

Trust Wallet Links $8.5M Crypto Theft to Shai-Hulud Attack

🔐Trust Wallet attributes a December 24 compromise of its Chrome extension to activity tied to the Sha1‑Hulud campaign after attackers added malicious JavaScript to version 2.68. The injected code harvested sensitive wallet data and enabled unauthorized transactions, resulting in roughly $8.5 million stolen from over 2,500 wallets. Exposed GitHub developer secrets revealed a Chrome Web Store API key that let the attacker publish a trojanized build. Trust Wallet revoked release APIs, had malicious domains suspended, and has begun reimbursing victims while warning of impersonation scams.
read more →

DarkSpectre Browser Extension Campaigns Hit Millions

🔍 Koi Security links three coordinated browser-extension campaigns — ShadyPanda, GhostPoster, and DarkSpectre — to a Chinese threat actor that collectively compromised millions of users across Chrome, Edge, Opera, and Firefox. The attacks combine affiliate-link hijacking, ad and click fraud, time-delayed logic bombs, and a targeted Zoom Stealer component that exfiltrates meeting links, credentials, and participant data. Many add-ons behaved legitimately for years before being weaponized via malicious updates.
read more →

How to Browse the Web More Sustainably With a Green Browser

🌿 Wave Browser combines an efficient, modern browsing experience with verified environmental action through a partnership with 4ocean and adherence to AppEsteem standards. Built-in ad blocking, memory-saving utilities, and integrated productivity features reduce background processes and the need for multiple third-party extensions, lowering device and infrastructure energy use. Impact is tracked on the homepage with monthly reports toward a 300,000-pound cleanup goal by 2028.
read more →

GhostPoster campaign hides malware in 17 Firefox add‑ons

🚨 Koi Security uncovered the GhostPoster campaign that hid malicious JavaScript inside PNG logo files used by 17 Firefox add‑ons, collectively downloaded more than 50,000 times. The steganographic loader fetches secondary payloads from attacker-controlled servers only intermittently and uses long delays to avoid detection. Affected extensions — advertised as VPNs, ad blockers, translators, and utilities — have been removed from distribution.
read more →

GhostPoster: Malicious JavaScript Hidden in Firefox Add-ons

🕵️ Koi Security identified the GhostPoster campaign that hides JavaScript inside PNG logo images of malicious Firefox extensions, impacting more than 50,000 downloads. The dormant loader waits 48 hours, contacts hardcoded attacker domains and only fetches its payload about 10% of the time to evade detection. The decoded payload provides persistent, high-privilege access and enables affiliate hijacks, analytics injection, header stripping, CAPTCHA bypass and ad/click fraud. Users of flagged extensions should remove them and consider resetting critical account passwords.
read more →

Browser VPN Extension Found Harvesting AI Chat Data

🔒 Security researchers have found that the popular Chrome extension Urban VPN Proxy (featured in the Chrome Web Store and used by millions) contained scripts that intercepted AI chat conversations and transmitted them to company-controlled analytics servers. The functionality, introduced in version 5.5.0 on July 9, 2025, allegedly runs regardless of whether the VPN is active and cannot be disabled via settings. Koi's analysis says prompts, responses, timestamps and session identifiers were captured and compressed before exfiltration. The same capability was reportedly present in seven related extensions from the same publisher, potentially affecting more than 8 million users across Chrome and Edge.
read more →

Urban VPN Extension Caught Exfiltrating AI Chat Data

🔒 Researchers at Koi found that the popular Urban VPN Proxy browser extension injects scripts to capture full AI chat conversations — including prompts and responses — then exports them to the extension vendor's backend. The monitoring runs even when the VPN is disabled and activates on major platforms such as ChatGPT, Claude, Gemini, Perplexity and Grok. For organizations that paste internal code, data or research into AI tools, this creates a significant data-theft risk outside corporate controls.
read more →

Browser Extension Risk Guide After ShadyPanda Campaign

🔒 The ShadyPanda campaign hijacked thousands of legitimate Chrome and Edge extensions, converting them into spyware and RCE-enabled backdoors via silent updates. About 4.3 million users installed compromised add‑ons that could steal session cookies and impersonate SaaS accounts. Organizations should enforce extension allow lists, audit permissions, and treat extensions like OAuth apps. Platforms such as Reco can help bridge browser, endpoint, and SaaS visibility.
read more →