< ciso brief />

All news with #browser security tag

88 articles · page 4 of 5

Validating Chrome Extensions: Organizational Security

🔒 This article by Stan Kaminsky reviews Athanasios Giatsos’ Security Analyst Summit 2025 talk and explains why malicious browser extensions are a major blind spot for organizations. It outlines how extensions can read cookies and local storage, change proxy settings, and capture the clipboard and screen, enabling session and account theft, espionage, ad fraud and crypto theft, and why Manifest V3 reduces but does not eliminate that risk. Practical controls described include formal extension policies and allowlists, disabling developer mode, version pinning and testing of updates, EDR- and SIEM-based monitoring, and specialized vetting tools for deeper analysis.
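
As an added example (not code from the talk, the article, or Chrome), the script below does the first pass that the vetting controls above call for: it scores an extension's manifest.json for the capabilities the talk singles out (cookies, local storage, proxy settings, clipboard, screen capture) and for Manifest V2 versus V3. The permission weights, the thresholds and the three sample manifests are this example's own assumptions, not Web Store listings.

```javascript
// Added example: first-pass vetting of a Chrome extension manifest.
// Weights, thresholds and sample manifests are illustrative assumptions.

const RISKY_PERMISSIONS = {
  cookies:            { weight: 5, why: "read/write cookies (session theft) for every granted host" },
  proxy:              { weight: 5, why: "route all browser traffic through an attacker-chosen proxy" },
  debugger:           { weight: 5, why: "attach the DevTools protocol to any tab" },
  tabCapture:         { weight: 4, why: "capture tab audio/video" },
  desktopCapture:     { weight: 4, why: "capture the screen" },
  webRequestBlocking: { weight: 4, why: "modify or block requests in flight (Manifest V2 only)" },
  clipboardRead:      { weight: 3, why: "read the clipboard (passwords, wallet addresses)" },
  nativeMessaging:    { weight: 3, why: "talk to a native host process outside the sandbox" },
  clipboardWrite:     { weight: 2, why: "replace clipboard content (address swapping)" },
  webRequest:         { weight: 2, why: "observe requests, including headers" },
  scripting:          { weight: 2, why: "inject scripts into pages" },
  history:            { weight: 2, why: "read browsing history" },
  declarativeNetRequest: { weight: 2, why: "rewrite requests via rules" },
  // `storage` is the extension's own storage and benign on its own, so it is not listed.
};

// Host match patterns that cover every site the user visits.
function isAllSites(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?|file|ftp):\/\/\*\/\*?$/.test(pattern);
}

function vetManifest(manifest) {
  const findings = [];
  let score = 0;

  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  for (const p of perms) {
    const r = RISKY_PERMISSIONS[p];
    if (r) { score += r.weight; findings.push(`${p}: ${r.why}`); }
  }

  // Host access lives in host_permissions (MV3), inside permissions (MV2)
  // and in content_scripts[].matches.
  const hosts = [
    ...(manifest.host_permissions || []),
    ...perms.filter((p) => p.includes("://")),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  if (hosts.some(isAllSites)) {
    score += 3;
    findings.push("host access to all sites (<all_urls> or *://*/*)");
  }

  if (manifest.manifest_version !== 3) {
    score += 3;
    findings.push("Manifest V2: remotely hosted code and blocking webRequest are still possible");
  }

  // 'unsafe-eval' in the extension CSP (MV3 rejects it; a red flag on MV2).
  // 'wasm-unsafe-eval' is deliberately not matched.
  if (/(^|[^-])unsafe-eval/.test(JSON.stringify(manifest.content_security_policy || ""))) {
    score += 2;
    findings.push("content_security_policy allows unsafe-eval");
  }

  const verdict = score >= 8 ? "block" : score >= 3 ? "review" : "allow";
  return { score, verdict, findings };
}

// Constructed sample manifests, not real Web Store listings.
const SAMPLE_MANIFESTS = {
  benign: {
    manifest_version: 3, name: "Tab notes", version: "1.0.0",
    permissions: ["storage", "activeTab"],
  },
  legacy: {
    manifest_version: 2, name: "Header viewer", version: "0.9",
    permissions: ["webRequest", "https://*.example.com/*"],
  },
  hostile: {
    manifest_version: 3, name: "Free VPN & Coupons", version: "4.2.1",
    permissions: ["cookies", "proxy", "clipboardRead", "scripting"],
    host_permissions: ["<all_urls>"],
    content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
  },
};

// Vet every sample; with the weights above: benign -> allow, legacy -> review, hostile -> block.
function vetAll(samples = SAMPLE_MANIFESTS) {
  return Object.fromEntries(Object.entries(samples).map(([name, m]) => [name, vetManifest(m)]));
}
```

The score is only a triage signal: a manifest says what an extension may do, not what it does, which is why the talk pairs the allowlist with deeper vetting of the packaged code and of every update.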

AI Sidebar Spoofing Targets Comet and Atlas Browsers

⚠️ Security researchers disclosed a novel attack called AI sidebar spoofing, in which a malicious browser extension places a counterfeit in-page AI assistant that visually mimics the legitimate sidebar. The attack was demonstrated against Comet and confirmed against Atlas: the extension injects JavaScript, forwards queries to a real LLM when requested, and selectively alters replies to insert phishing links, malicious OAuth prompts, or harmful terminal commands. Users who install extensions without scrutiny face a tangible risk.

Firefox 145 Adds Stronger Anti-Fingerprinting Defenses

🔒 Mozilla has rolled out enhanced anti-fingerprinting protections in Firefox 145, initially active in Private Browsing and Enhanced Tracking Protection (ETP) Strict mode. Phase 2 measures add targeted noise to background image reads, restrict reported fonts to standard OS sets with select language exceptions, coarsen touch reporting, report screen height minus 48 pixels, and always report two processor cores. After testing, these changes will be enabled by default; users can disable them per site for compatibility. The release also removes the 32-bit Linux build.

Browser Security Report 2025: Emerging Enterprise Risks

🛡️ The Browser Security Report 2025 warns that enterprise risk is consolidating in the user's browser, where identity, SaaS, and GenAI exposures converge. The research shows widespread unmanaged GenAI usage and paste-based exfiltration, extensions acting as an embedded supply chain, and a high volume of logins occurring outside SSO. Legacy controls like DLP, EDR, and SSE are described as operating one layer too low. The report recommends adopting session-native, browser-level controls to restore visibility and enforce policy without disrupting users.

Microsoft to Remove Defender Application Guard from Office

🔒 Microsoft will remove Defender Application Guard for Office (MDAG) from supported Office builds beginning with version 2602 in early February 2026 and expects full removal with version 2612 by mid‑2027. Files that previously opened in Application Guard will open in Protected View instead. Microsoft recommends enabling Defender for Endpoint ASR rules and Windows Defender Application Control to preserve protections; no admin action is required to trigger the removal.

Top Browser Sandbox Threats That Evade Modern Defenses

🔒 Modern browsers include sandboxing, but attackers exploit expected behaviors to bypass protections. A new on-demand webinar from Keep Aware outlines the top three browser-layer threats—credential theft, malicious extensions, and lateral movement—and explains why tools like CASBs, SWGs, and EDRs often miss these attacks. It shows how real-time browser visibility, policy enforcement, and behavioral detection extend protection into everyday user activity. The session is aimed at CISOs and security leaders seeking practical steps to close this blind spot.

Brash Exploit Crashes Chromium Browsers via Title API

⚠️ Security researcher Jose Pino disclosed "Brash", a denial-of-service flaw in the Blink rendering engine that can crash many Chromium-based browsers within 15–60 seconds via a single malicious URL. The root cause is missing rate limiting on the document.title API, which lets a page push millions of DOM mutations per second and saturate the browser UI thread. Pino describes a three-phase technique (hash generation, burst injection, and UI-thread saturation) and warns the code can be time-triggered to act like a logic bomb. Affected products include Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, Arc, Dia, and some AI browser interfaces; Firefox and Safari are not vulnerable.
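
The disclosure blames the absence of rate limiting on document.title writes, so the added example below (neither Pino's proof of concept nor Blink's code, and not a fix that ships in any browser) shows what that missing control looks like: writes that arrive inside the rate window are coalesced, only the newest value is kept, and the UI sees at most `maxPerSecond` real mutations. `doc` is any object with a `title` property, so the code runs under Node against a fake document; the limits and the injected clock and scheduler are assumptions made for testability.

```javascript
// Added example: a rate-limiting, coalescing guard for title writes.
// Limits, clock and scheduler are illustrative; `doc` only needs a `title` property.

function createTitleGuard(doc, { maxPerSecond = 10, now = () => Date.now(), schedule = setTimeout } = {}) {
  const interval = 1000 / maxPerSecond;   // ms between two real mutations
  let lastApplied = -Infinity;
  let pending = null;                      // newest value not yet written
  let timer = null;
  let applied = 0;                         // real mutations the UI thread saw
  let coalesced = 0;                       // writes folded into a later one

  function apply(value) {
    doc.title = value;
    lastApplied = now();
    applied += 1;
  }

  function flush() {
    timer = null;
    if (pending !== null) {
      const value = pending;
      pending = null;
      apply(value);
    }
  }

  function setTitle(value) {
    const elapsed = now() - lastApplied;
    if (timer === null && elapsed >= interval) {
      apply(value);                        // outside the window: write through
      return true;
    }
    if (pending !== null) coalesced += 1;  // inside the window: keep only the newest
    pending = value;
    if (timer === null) timer = schedule(flush, Math.max(0, interval - elapsed));
    return false;
  }

  return { setTitle, flush, stats: () => ({ applied, coalesced, pending }) };
}

// Pseudo-random hex strings standing in for the hashes a burst phase generates (LCG, demo only).
function burstValues(count, seed = 1) {
  const out = [];
  let x = seed >>> 0;
  for (let i = 0; i < count; i++) {
    x = (Math.imul(x, 1664525) + 1013904223) >>> 0;
    out.push(x.toString(16).padStart(8, "0"));
  }
  return out;
}

// Push `count` writes at a single instant through the guard and report what reached the UI.
function simulateBurst(count, { maxPerSecond = 10 } = {}) {
  let clock = 0;
  let queued = null;
  const doc = { title: "" };
  const guard = createTitleGuard(doc, {
    maxPerSecond,
    now: () => clock,
    schedule: (fn) => { queued = fn; return 1; },
  });
  const values = burstValues(count);
  for (const v of values) guard.setTitle(v);
  const during = { ...guard.stats(), title: doc.title };
  clock += 1000 / maxPerSecond;            // let the window elapse, then run the one armed timer
  if (queued) queued();
  const after = { ...guard.stats(), title: doc.title };
  return { during, after, last: values[values.length - 1] };
}
```

With one million writes at the same instant, the UI thread performs one mutation immediately and one more when the window closes, ending on the last value written; everything in between is folded away instead of being rendered.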

Chrome to Enable HTTPS-First Mode by Default in 2026

🔒 Beginning in April 2026 and completing in October 2026, Google will make the Always Use Secure Connections feature the default in Chrome, attempting HTTPS for all public site navigations and prompting users before loading non-HTTPS pages. The phased rollout starts with Enhanced Safe Browsing users in Chrome 147 and expands to all global users in Chrome 154. Internal addresses such as routers and intranets will be exempt, and Google reports early tests showed warnings on fewer than 3% of navigations, typically under one alert per week, while the browser will avoid repeatedly warning about frequently visited sites.

Chrome to Enable Always Use Secure Connections by Default

🔒 Google will enable Always Use Secure Connections by default in Chrome 154 (October 2026), prompting users before the first access to any public site that lacks HTTPS. The browser will attempt HTTPS for every connection and show a bypassable warning when HTTPS is unavailable, while suppressing repeated warnings for frequently visited sites. A public-sites-only variant excludes private/local names to reduce noise and will roll out earlier to Enhanced Safe Browsing users. Administrators can disable the setting and Google provides migration guidance.

Chrome to warn before opening insecure HTTP sites in 2026

🔒 Google will enable Always Use Secure Connections by default in Chrome 154 (October 2026), prompting users before the first access to any public site that uses HTTP. This change promotes the existing opt-in HTTPS-First Mode to a default setting to better protect users from man-in-the-middle attacks and content tampering. Chrome will avoid repeated alerts for frequently visited insecure sites and offers options to restrict warnings to public sites or to include private intranets. Before the full rollout, Chrome 147 (April 2026) will enable the setting for over 1 billion users with Enhanced Safe Browsing to help identify sites that need migration.
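
The three items above describe the same navigation policy from different angles. As an added example (not Chrome's code), the model below makes the decisions explicit: try HTTPS for every http:// navigation, show a bypassable warning before the first insecure load of a public site, exempt private and local names when the public-sites-only variant is active, and skip the warning for sites with high prior engagement. The engagement threshold, the HTTPS probe callback, and the sample hosts are assumptions; Chrome's actual heuristics are not published in this form.

```javascript
// Added example: a model of Always Use Secure Connections / HTTPS-First decisions.
// Threshold, probe and sample hosts are illustrative assumptions.

// RFC 1918, loopback and link-local IPv4, IPv6 ULA and link-local, and
// non-public names that browsers treat as intranet.
function isPrivateOrLocalHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  if (h === "localhost" || h.endsWith(".localhost") || h.endsWith(".local") || h.endsWith(".internal")) return true;
  if (!h.includes(".") && !h.startsWith("[")) return true;   // single-label intranet name
  const v4 = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const [a, b] = [Number(v4[1]), Number(v4[2])];
    return a === 10 || a === 127 || a === 0 || (a === 169 && b === 254) ||
           (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  if (h.startsWith("[")) {                                     // IPv6 literal keeps its brackets
    const v6 = h.slice(1, -1);
    return v6 === "::1" || /^f[cd]/.test(v6) || /^fe[89ab]/.test(v6);
  }
  return false;
}

function createHttpsFirst({ mode = "public-sites", httpsAvailable, engagement = {}, engagementThreshold = 10 }) {
  const bypassed = new Set();                       // hosts the user already chose to load over HTTP
  const score = new Map(Object.entries(engagement)); // prior engagement per host (assumed input)
  const bump = (host) => score.set(host, (score.get(host) || 0) + 1);

  function navigate(input) {
    const url = new URL(input);
    const host = url.host;
    if (url.protocol !== "http:") { bump(host); return { action: "load", url: url.href, reason: "not-http" }; }

    // 1. Always try HTTPS first. Explicit ports are kept as-is here, a simplification.
    const upgraded = new URL(url.href);
    upgraded.protocol = "https:";
    if (httpsAvailable(url.hostname)) { bump(host); return { action: "load", url: upgraded.href, reason: "upgraded" }; }

    // 2. HTTPS is unavailable. Decide whether an interstitial is due.
    let reason = null;
    if (mode === "public-sites" && isPrivateOrLocalHost(url.hostname)) reason = "private-or-local";
    else if ((score.get(host) || 0) >= engagementThreshold) reason = "frequently-visited";
    else if (bypassed.has(host)) reason = "already-bypassed";
    if (reason) { bump(host); return { action: "load", url: url.href, reason }; }

    // 3. First insecure load of a public site: warn, and remember the user's choice if they proceed.
    return {
      action: "warn", url: url.href, reason: "first-insecure-load",
      proceed() { bypassed.add(host); bump(host); return { action: "load", url: url.href, reason: "user-bypassed" }; },
    };
  }
  return { navigate };
}
```

Running it with a probe that only knows example.com: http://example.com is silently upgraded, a public host without HTTPS warns once and then loads, 192.168.1.1 loads without a prompt in public-sites mode, a host with engagement above the threshold never prompts, and in all-sites mode even router.local gets the warning.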

Malicious Extensions Spoof AI Browser Sidebars, Report

⚠️ Researchers at SquareX warn that malicious browser extensions can inject fake AI sidebars into AI-enabled browsers, including OpenAI Atlas, to steer users to attacker-controlled sites, exfiltrate data, or install backdoors. The extensions inject JavaScript to overlay a spoofed assistant and manipulate responses, enabling actions such as OAuth token harvesting or execution of reverse-shell commands. The report recommends banning unmanaged AI browsers where possible, auditing all extensions, applying strict zero-trust controls, and enforcing granular browser-native policies to block high-risk permissions and risky command execution.

131 Chrome Extensions Hijack WhatsApp Web for Spam

🔍 Cybersecurity researchers uncovered a coordinated operation that used 131 rebranded Chrome extensions—about 20,905 active users—to inject automation code into WhatsApp Web and conduct large-scale spam campaigns targeting Brazilian users. Socket found the add-ons share a common codebase, design patterns, and infrastructure and are primarily published under WL Extensão variants. The extensions pose a high spam risk by automating bulk outreach and scheduling to evade WhatsApp rate limits and violate Chrome Web Store policies.

Chrome to revoke notification access for inactive sites

🔕 Google is updating Chrome to automatically revoke website notification permissions for sites that haven't been visited recently on both desktop and Android. The feature targets sites that send a high volume of notifications while receiving very low user engagement — Google found under 1% of alerts generate interactions. Chrome will notify users when a permission is removed and makes it easy to restore access via Safety Check or by revisiting the site and opting back in. Users who prefer to keep persistent notifications can disable the automatic revocation entirely.

Brave Browser Tops 100M Monthly Active Users in September

🌐 Brave reached a new high in September with 101 million monthly active users and 42 million daily active users, marking the project's largest user base to date. Its privacy-focused Brave Search, built on an independent index, now handles about 1.6 billion queries per month (roughly 20 billion per year), with approximately 8% of queries coming from Chrome users. Regulatory shifts such as the EU Digital Markets Act and Apple’s iOS 17.4 update helped boost installs, with iOS downloads in Europe rising about 50%. Brave's steady gain of roughly 2.5 million new users per month, together with privacy-focused AI tools such as the AI Answers summarizer (15 million responses per day) and the new Ask Brave chat-search integration, continues to drive adoption.

Microsoft Edge to Revoke Malicious Sideloaded Extensions

🔒 Microsoft will add a security feature to Edge that detects and revokes malicious sideloaded extensions. The protection targets extensions installed via Developer Mode or other local sideloading methods that bypass the Microsoft Edge Add-ons vetting process. Microsoft plans a worldwide rollout in November for standard multi-tenant instances, aiming to reduce large-scale extension abuse and forced-install campaigns.

CISA Adds Chromium V8 Type-Confusion CVE to KEV Catalog

⚠️ CISA has added CVE-2025-10585, a Google Chromium V8 type confusion vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. This class of flaw is a common browser attack vector and poses substantial risk to browsers and systems that embed V8. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged vulnerabilities by required due dates; CISA strongly urges all organizations to prioritize timely remediation and continued vigilance.

Why Phishing Is Moving Beyond Email Delivery: Risks

🔗 Phishing attacks are increasingly delivered outside traditional email — via social media, instant messaging, SMS, malvertising and in‑app messengers — making mail gateways insufficient. Attackers now send links from compromised accounts, targeted ads or SaaS messages and use fast‑rotating domains and advanced Attacker‑in‑the‑Middle (AitM) kits that obfuscate JavaScript and the DOM to evade network detection. Organizations often rely on user reports and URL blocking, but these approaches fail against rapid domain churn and client‑side stealth. Vendors such as Push Security propose browser‑level detection that monitors real‑time page behavior to identify AitM, session hijacking and credential theft.
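
As an added example of the browser-level detection the item describes (not Push Security's product logic), the check below runs over constructed page observations rather than a live DOM. A page is flagged when it collects a password while presenting a known brand on an origin that is not that brand's login origin, or when its form posts credentials to a different registrable domain; both are what an AitM proxy or cloned login page looks like from inside the browser, regardless of how the page's JavaScript is obfuscated. The brand registry, the simplified eTLD+1 logic, and the sample observations (including the hostnames) are assumptions.

```javascript
// Added example: client-side detection of cloned or proxied login pages.
// Registry, eTLD+1 shortcut and sample observations are illustrative assumptions.

// Legitimate login origins per brand. A real deployment also lists the
// organisation's own IdP tenant; the Okta entry stands in for that.
const LOGIN_ORIGINS = {
  Microsoft: ["login.microsoftonline.com", "login.live.com"],
  Google: ["accounts.google.com"],
  Okta: ["example.okta.com"],               // assumption: the org's tenant
};

// Simplified eTLD+1 (last two labels). Fine for the samples; use a public-suffix list in production.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Which brands the page visually claims to be, from its title and brand hints (logo alt text etc.).
function claimedBrands(obs, registry = LOGIN_ORIGINS) {
  const text = [obs.title, ...(obs.brandHints || [])].join(" ").toLowerCase();
  return Object.keys(registry).filter((b) => text.includes(b.toLowerCase()));
}

function assessLoginPage(obs, registry = LOGIN_ORIGINS) {
  if (!obs.passwordField) return { verdict: "ignore", reasons: ["no credential entry"] };

  const host = new URL(obs.origin).hostname.toLowerCase();
  const reasons = [];

  // Brand rendered on an origin that is not that brand's login origin.
  for (const brand of claimedBrands(obs, registry)) {
    const legit = registry[brand].map((h) => h.toLowerCase());
    if (!legit.includes(host)) {
      const lookalike = host.includes(brand.toLowerCase().slice(0, 5)); // cheap typosquat hint
      reasons.push(`${brand} login rendered on ${host}${lookalike ? " (lookalike hostname)" : ""}`);
    }
  }

  // Password form posting to another registrable domain.
  if (obs.formAction) {
    const target = new URL(obs.formAction, obs.origin).hostname.toLowerCase();
    if (registrableDomain(target) !== registrableDomain(host)) {
      reasons.push(`credentials posted cross-origin to ${target}`);
    }
  }

  return reasons.length ? { verdict: "alert", reasons } : { verdict: "ok", reasons: [] };
}

// Constructed observations; hostnames are illustrative, not real phishing domains.
const SAMPLE_PAGES = [
  { id: "legit-m365", origin: "https://login.microsoftonline.com", title: "Sign in to your account",
    brandHints: ["Microsoft"], passwordField: true, formAction: "/common/login" },
  { id: "aitm-clone", origin: "https://login.micros0ft-secure.example", title: "Sign in to your account",
    brandHints: ["Microsoft"], passwordField: true, formAction: "https://login.micros0ft-secure.example/login" },
  { id: "docs", origin: "https://docs.example.org", title: "Docs", brandHints: [], passwordField: false },
  { id: "exfil-form", origin: "https://portal.example.org", title: "Employee portal",
    brandHints: [], passwordField: true, formAction: "https://collector.evil.example/post" },
];

// Assess every sample: legit-m365 -> ok, aitm-clone -> alert, docs -> ignore, exfil-form -> alert.
function assessAll(pages = SAMPLE_PAGES) {
  return Object.fromEntries(pages.map((p) => [p.id, assessLoginPage(p)]));
}
```

The check deliberately keys on what the user sees and where the password goes, not on the URL alone, which is why it survives domain churn: a freshly registered lookalike still has to render the brand and accept the credential somewhere.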

Gemini in Chrome: Secure AI for Enterprise Productivity

🤖 Gemini in Chrome brings AI assistance directly into the browser to help employees summarize reports, extract video insights, recall and navigate tabs, and take actions via integrations with Google Calendar, Docs, and Drive. Rolling out in the U.S. on Mac and Windows with Android availability and iOS coming soon, these features are configurable through Chrome Enterprise Core policies so IT retains control. AI Mode in the omnibox and enhanced Safe Browsing add context-aware responses and proactive protection against AI-driven scams.

Palo Alto Acknowledges Browser-Malware Risks, Validates LMR

🔍 SquareX’s Last Mile Reassembly (LMR) research, disclosed at DEF CON 32, shows how attackers split and reassemble malware inside the browser to evade Secure Web Gateways (SWGs). Palo Alto Networks has become the first major SASE vendor to publicly acknowledge this class of browser-assembled evasive attacks and announced enhancements to Prisma Browser. SquareX says LMR and related Data Splicing techniques exploit channels like WebRTC and gRPC, bypassing traditional SWG and DLP controls and underscoring the need for browser-native security.

Myth Busting: Why 'Innocent Clicks' Don't Exist Today

🔒 Visiting a suspicious link or scanning an unknown QR code can be risky even if you refrain from entering data or interacting further. Modern webpages can trigger drive-by downloads, exploit browser or plugin vulnerabilities via embedded JavaScript, or silently harvest device and browser metadata to build a digital fingerprint. The piece advises keeping devices patched, avoiding unknown links or QR codes, inspecting URLs and using unshortening and reputation services to vet destinations before proceeding.