< ciso
brief />
Tag Banner

All news with #browser security tag

101 articles · page 5 of 6

Chrome to Enable HTTPS-First Mode by Default in 2026

🔒 Beginning in April 2026 and completing in October 2026, Google will make the Always Use Secure Connections feature the default in Chrome, attempting HTTPS for all public site navigations and prompting users before loading non-HTTPS pages. The phased rollout starts with Enhanced Safe Browsing users in Chrome 147 and expands to all global users in Chrome 154. Internal addresses such as routers and intranets will be exempt, and Google reports early tests showed warnings on fewer than 3% of navigations, typically under one alert per week, while the browser will avoid repeatedly warning about frequently visited sites.
read more →

Chrome to Enable Always Use Secure Connections by Default

🔒 Google will enable Always Use Secure Connections by default in Chrome 154 (October 2026), prompting users before the first access to any public site that lacks HTTPS. The browser will attempt HTTPS for every connection and show a bypassable warning when HTTPS is unavailable, while suppressing repeated warnings for frequently visited sites. A public-sites-only variant excludes private/local names to reduce noise and will roll out earlier to Enhanced Safe Browsing users. Administrators can disable the setting and Google provides migration guidance.
read more →

Chrome to warn before opening insecure HTTP sites in 2026

🔒 Google will enable Always Use Secure Connections by default in Chrome 154 (October 2026), prompting users before the first access to any public site that uses HTTP. This change promotes the existing opt-in HTTPS-First Mode to a default setting to better protect users from man-in-the-middle attacks and content tampering. Chrome will avoid repeated alerts for frequently visited insecure sites and offers options to restrict warnings to public sites or to include private intranets. Before the full rollout, Chrome 147 (April 2026) will enable the setting for over 1 billion users with Enhanced Safe Browsing to help identify sites that need migration.
read more →

Malicious Extensions Spoof AI Browser Sidebars, Report

⚠️ Researchers at SquareX warn that malicious browser extensions can inject fake AI sidebars into AI-enabled browsers, including OpenAI Atlas, to steer users to attacker-controlled sites, exfiltrate data, or install backdoors. The extensions inject JavaScript to overlay a spoofed assistant and manipulate responses, enabling actions such as OAuth token harvesting or execution of reverse-shell commands. The report recommends banning unmanaged AI browsers where possible, auditing all extensions, applying strict zero-trust controls, and enforcing granular browser-native policies to block high-risk permissions and risky command execution.
read more →

131 Chrome Extensions Hijack WhatsApp Web for Spam

🔍 Cybersecurity researchers uncovered a coordinated operation that used 131 rebranded Chrome extensions—about 20,905 active users—to inject automation code into WhatsApp Web and conduct large-scale spam campaigns targeting Brazilian users. Socket found the add-ons share a common codebase, design patterns, and infrastructure and are primarily published under WL Extensão variants. The extensions pose a high spam risk by automating bulk outreach and scheduling to evade WhatsApp rate limits and violate Chrome Web Store policies.
read more →

Chrome to revoke notification access for inactive sites

🔕 Google is updating Chrome to automatically revoke website notification permissions for sites that haven't been visited recently on both desktop and Android. The feature targets sites that send a high volume of notifications while receiving very low user engagement — Google found under 1% of alerts generate interactions. Chrome will notify users when a permission is removed and makes it easy to restore access via Safety Check or by revisiting the site and opting back in. Users who prefer to keep persistent notifications can disable the automatic revocation entirely.
read more →

Brave Browser Tops 100M Monthly Active Users in September

🌐 Brave reached a new high in September with 101 million monthly active users and 42 million daily active users, marking the project's largest user base to date. Its privacy-focused Brave Search, built on an independent index, now handles about 1.6 billion queries per month (roughly 20 billion per year), with approximately 8% of queries coming from Chrome users. Regulatory shifts such as the EU Digital Markets Act and Apple’s iOS 17.4 update helped boost installs—iOS downloads in Europe rose about 50%—and Brave's steady gain of ~2.5 million new users per month, combined with privacy AI tools like the AI Answers summarizer (15 million responses/day) and the new Ask Brave chat-search integration, continue to drive adoption.
read more →

Microsoft Edge to Revoke Malicious Sideloaded Extensions

🔒 Microsoft will add a security feature to Edge that detects and revokes malicious sideloaded extensions. The protection targets extensions installed via Developer Mode or other local sideloading methods that bypass the Microsoft Edge Add-ons vetting process. Microsoft plans a worldwide rollout in November for standard multi-tenant instances, aiming to reduce large-scale extension abuse and forced-install campaigns.
read more →

CISA Adds Chromium V8 Type-Confusion CVE to KEV Catalog

⚠️ CISA has added CVE-2025-10585, a Google Chromium V8 type confusion vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. This class of flaw is a common browser attack vector and poses substantial risk to browsers and systems that embed V8. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged vulnerabilities by required due dates; CISA strongly urges all organizations to prioritize timely remediation and continued vigilance.
read more →

Why Phishing Is Moving Beyond Email Delivery: Risks

🔗 Phishing attacks are increasingly delivered outside traditional email — via social media, instant messaging, SMS, malvertising and in‑app messengers — making mail gateways insufficient. Attackers now send links from compromised accounts, targeted ads or SaaS messages and use fast‑rotating domains and advanced Attacker‑in‑the‑Middle (AitM) kits that obfuscate JavaScript and the DOM to evade network detection. Organizations often rely on user reports and URL blocking, but these approaches fail against rapid domain churn and client‑side stealth. Vendors such as Push Security propose browser‑level detection that monitors real‑time page behavior to identify AitM, session hijacking and credential theft.
read more →

Gemini in Chrome: Secure AI for Enterprise Productivity

🤖 Gemini in Chrome brings AI assistance directly into the browser to help employees summarize reports, extract video insights, recall and navigate tabs, and take actions via integrations with Google Calendar, Docs, and Drive. Rolling out in the U.S. on Mac and Windows with Android availability and iOS coming soon, these features are configurable through Chrome Enterprise Core policies so IT retains control. AI Mode in the omnibox and enhanced Safe Browsing add context-aware responses and proactive protection against AI-driven scams.
read more →

Palo Alto Acknowledges Browser-Malware Risks, Validates LMR

🔍 SquareX’s Last Mile Reassembly (LMR) research, disclosed at DEF CON 32, shows how attackers split and reassemble malware inside the browser to evade Secure Web Gateways (SWGs). Palo Alto Networks has become the first major SASE vendor to publicly acknowledge this class of browser-assembled evasive attacks and announced enhancements to Prisma Browser. SquareX says LMR and related Data Splicing techniques exploit channels like WebRTC and gRPC, bypassing traditional SWG and DLP controls and underscoring the need for browser-native security.
read more →

Myth Busting: Why 'Innocent Clicks' Don't Exist Today

🔒 Visiting a suspicious link or scanning an unknown QR code can be risky even if you refrain from entering data or interacting further. Modern webpages can trigger drive-by downloads, exploit browser or plugin vulnerabilities via embedded JavaScript, or silently harvest device and browser metadata to build a digital fingerprint. The piece advises keeping devices patched, avoiding unknown links or QR codes, inspecting URLs and using unshortening and reputation services to vet destinations before proceeding.
read more →

Webinar: Securing the Modern Web Edge from Browser Threats

🔒 On September 29 at 12:00 PM ET, BleepingComputer and SC Media will host a live webinar featuring browser security experts from Push Security to examine how modern web browsers have become a primary enterprise attack surface. The session will cover malicious and shadow extensions, session token theft, OAuth abuse, and emerging ClickFix and FileFix techniques, plus mitigation strategies. Attendees will learn practical detection and response approaches to protect SaaS sessions, restore visibility at the web edge, and close gaps missed by traditional endpoint and identity controls.
read more →

Browser-Based Attacks: Six Threats Security Teams Must Know

🔒 Browser-targeted attacks are rising as adversaries treat the browser as the primary access point to cloud services and corporate data. The article defines browser-based attacks and enumerates six high-risk techniques: credential and session phishing, ClickFix-style copy-and-paste exploits, malicious OAuth consent flows, rogue extensions, malicious file delivery, and credential reuse where MFA gaps exist. These vectors are effective because modern work happens in decentralized SaaS environments and across many delivery channels, making traditional email- and network-centric defenses less reliable. The piece highlights visibility gaps for security teams and points to vendor platforms such as Push Security that claim to provide in-browser detection and remediation for AiTM phishing, OAuth abuse, and session hijacking.
read more →

AI-Powered Browsers: Security and Privacy Risks in 2026

🔒 An AI-integrated browser embeds large multimodal models into standard web browsers, allowing agents to view pages and perform actions—opening links, filling forms, downloading files—directly on a user’s device. This enables faster, context-aware automation and access to subscription or blocked content, but raises substantial privacy and security risks, including data exfiltration, prompt-injection and malware delivery. Users should demand features like per-site AI controls, choice of local models, explicit confirmation for sensitive actions, and OS-level file restrictions, though no browser currently implements all these protections.
read more →

Browser Extension Management: Enterprise Buyer's Guide

🔒 Browser extensions present a significant, often unmonitored enterprise risk: they can run privileged code, inject scripts into web apps, access cookies and local storage, and persist via background processes. Keep Aware offers a Buyer’s Guide to Browser Extension Management that outlines these technical attack surfaces and illustrates how to reduce exposure. The guide compares common controls — GPO/MDM, EDR, enterprise browsers — with purpose-built browser security extensions to show trade-offs between visibility, enforcement, and user experience.
read more →

Six Browser-Based Attack Techniques to Watch in 2025

🔒 This article outlines six browser-based attack techniques—phishing with reverse-proxy AitM kits, ClickFix/FileFix command-injection lures, malicious OAuth grants, rogue extensions, weaponized file downloads, and credential attacks exploiting MFA gaps—that security teams must prioritize in 2025. It explains why the browser has become the primary attack surface as users access hundreds of cloud apps, and why traditional email/network controls and endpoint defenses often miss these threats. The piece argues that effective detection requires real-time browser-level visibility and management across managed and unmanaged apps, highlighting Push Security as a vendor offering such capabilities.
read more →

When Browsers Become the Attack Surface: Rethinking Security

🔒 As enterprises shift more critical work to the browser, adversary Scattered Spider (UNC3944) targets live browser data—saved credentials, calendars, and session tokens—to achieve account takeover and persistent access. The article highlights techniques like Browser-in-the-Browser overlays, JavaScript injection, malicious extensions, and token theft that evade conventional EDR. It recommends elevating browser-native controls: runtime JavaScript protection, session-token binding, extension governance, API restrictions, and integrated browser telemetry so CISOs treat browser security as a primary defense layer.
read more →

Hidden Risks of Browser Extensions and How to Stay Safe

🔒 Browser extensions can provide useful features but also expose users and organizations to significant risk. Malicious or compromised add-ons may steal credentials, session cookies, and browsing data, inject ads or malware, redirect users, or run background tasks like cryptomining. Scrutinize developer credentials and permissions, prefer official web stores, keep browsers updated, and enable security software and MFA.
read more →