Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Browser Security. Show all posts
Manifest V3
Browser Security Chrome Extensions cookie theft Cyber Security EditThisCookie Malicious Extension Manifest V3

Malicious Chrome Extension Mimics Popular Tool, Poses Threat to Users’ Data

 

Cybersecurity concerns are growing as malicious browser extensions target unsuspecting users. One such case involves the removal of the popular EditThisCookie extension, which had over 3 million downloads, from the Chrome Web Store due to its reliance on the outdated Manifest v2 framework.

In its place, a new extension named EditThisCookie® has emerged. Built using the updated Manifest v3 framework, this replacement mimics the original's name and design but contains harmful code. The malicious version is designed to steal user cookies and potentially post phishing content on users' social media accounts.

Before its removal by Google, the fraudulent extension was installed approximately 30,000 times. User complaints and reviews flagged suspicious behavior, prompting Google to take action. 

If you currently use EditThisCookie, it is crucial to check your browser’s extensions management page. If EditThisCookie® is found, delete it immediately as it is a counterfeit version.

The original EditThisCookie extension is still available for download on GitHub. Users can manually install it by unpacking the file through Chrome’s extension management page. While Chrome may issue a warning about its Manifest v2 framework, the extension remains safe to use as long as the deletion button is avoided.
Read more »
Opera Browser
API Browser Security Browser Vulnerability Cyber Attacks data security DNS Opera Browser

CrossBarking Exploit in Opera Browser Exposes Users to Extensive Risks

 

A new browser vulnerability called CrossBarking has been identified, affecting Opera users through “private” APIs that were meant only for select trusted sites. Browser APIs bridge websites with functionalities like storage, performance, and geolocation to enhance user experience. Most APIs are widely accessible and reviewed, but private ones are reserved for preferred applications. Researchers at Guardio found that these Opera-specific APIs were vulnerable to exploitation, especially if a malicious Chrome extension gained access. Guardio’s demonstration showed that once a hacker gained access to these private APIs through a Chrome extension — easily installable by Opera users — they could run powerful scripts in a user’s browser context. 
The malicious extension was initially disguised as a harmless tool, adding pictures of puppies to web pages. 

However, it also contained scripts capable of extensive interference with Opera settings. Guardio used this approach to hijack the settingsPrivate API, which allowed them to reroute a victim’s DNS settings through a malicious server, providing the attacker with extensive visibility into the user’s browsing activities. With control over the DNS settings, they could manipulate browser content and even redirect users to phishing pages, making the potential for misuse significant. Guardio emphasized that getting malicious extensions through Chrome’s review process is relatively easier than with Opera’s, which undergoes a more intensive manual review. 

The researchers, therefore, leveraged Chrome’s automated, less stringent review process to create a proof-of-concept attack on Opera users. CrossBarking’s implications go beyond Opera, underscoring the complex relationship between browser functionality and security. Opera took steps to mitigate this vulnerability by blocking scripts from running on private domains, a strategy that Chrome itself uses. However, they have retained the private APIs, acknowledging that managing security with third-party apps and maintaining functionality is a delicate balance. 

Opera’s decision to address the CrossBarking vulnerability by restricting script access to domains with private API access offers a practical, though partial, solution. This approach minimizes the risk of malicious code running within these domains, but it does not fully eliminate potential exposure. Guardio’s research emphasizes the need for Opera, and similar browsers, to reevaluate their approach to third-party extension compatibility and the risks associated with cross-browser API permissions.


This vulnerability also underscores a broader industry challenge: balancing user functionality with security. While private APIs are integral to offering customized features, they open potential entry points for attackers when not adequately protected. Opera’s reliance on responsible disclosure practices with cybersecurity firms is a step forward. However, ongoing vigilance and a proactive stance toward enhancing browser security are essential as threats continue to evolve, particularly in a landscape where third-party extensions can easily be overlooked as potential risks.


In response, Opera has collaborated closely with researchers and relies on responsible vulnerability disclosures from third-party security firms like Guardio to address any potential risks preemptively. Security professionals highlight that browser developers should consider the full ecosystem, assessing how interactions across apps and extensions might introduce vulnerabilities.
Read more »
token replay
Browser Security cloud apps Cyber Security identity-based attacks infostealers MFA Bypass Phishing Attacks session cookies Session Hijacking token replay

Session Hijacking Surges: Attackers Exploit MFA Gaps with Modern Tactics

 

As multi-factor authentication (MFA) becomes more common, attackers are increasingly resorting to session hijacking. Evidence from 2023 shows this trend: Microsoft detected 147,000 token replay attacks, marking a 111% increase year-over-year. Google reports that attacks on session cookies now rival traditional password-based threats.

Session hijacking has evolved from old Man-in-the-Middle (MitM) attacks, which relied on intercepting unsecured network traffic. Today, these attacks are internet-based, focusing on cloud apps and services. Modern session hijacking involves stealing session materials like cookies and tokens, enabling attackers to bypass standard security controls like VPNs, encrypted traffic, and even MFA.

The rise of identity-based attacks is a result of the growing complexity of user accounts, with each person managing multiple cloud-based services. Once attackers gain access to an active session, they can bypass MFA, leveraging the valid session tokens, which often stay active longer than expected.

Modern phishing toolkits, like AitM and BitM, make hijacking easier by allowing attackers to intercept MFA processes or trick users into controlling their browser. Infostealers, a newer tool, capture session cookies from the victim’s browser, putting multiple applications at risk, especially when EDR systems fail to detect them.

Infostealer infections are often traced back to unmanaged personal devices, which sync browser profiles with work devices, leading to the compromise of corporate credentials. EDRs aren’t always reliable in stopping these threats, and attackers can still resume stolen sessions without re-authentication, making it difficult for organizations to detect unauthorized access.

Passkeys offer some protection by preventing phishing, but infostealers bypass authentication entirely. While app-level controls exist to detect unauthorized sessions, many are inadequate. Companies are now considering browser-based solutions that monitor user agent strings for signs of session hijacking, offering a last line of defense against these sophisticated attacks.
Read more »
STYX
Browser Security CyberCrime Data Breach Data Theft Malware Attack Malware Strains Online Security STYX

New Styx Stealer Malware Targets Browsers and Instant Messaging for Data Theft

 

A new malware strain known as Styx Stealer has recently emerged, posing a significant threat to online security. Discovered in April 2024, Styx Stealer primarily targets popular browsers based on the Chromium and Gecko engines, such as Chrome and Firefox. The malware is designed to pilfer a wide range of sensitive information from these browsers, including saved passwords, cookies, auto-fill data (which may include credit card details), cryptocurrency wallet information, system data like hardware specifics, external IP addresses, and even screenshots. 

The implications of such a broad data theft capability are alarming, as the stolen information could be used for identity theft, financial fraud, or even more targeted cyberattacks. Styx Stealer doesn’t stop at browsers. It also targets widely used instant messaging applications like Telegram and Discord. By compromising these platforms, the malware can gain access to users’ chats, potentially exposing sensitive conversations. This further exacerbates the threat, as the attackers could exploit this data to compromise the victim’s online identity or carry out social engineering attacks. The origins of Styx Stealer trace back to a Turkish cybercriminal who operates under the alias “Sty1x.” The malware is sold through Telegram or a dedicated website, with prices ranging from $75 per month to $350 for unlimited access. 

Interestingly, the malware’s discovery was aided by a critical mistake made by its developer. During the debugging process, the developer failed to implement proper operational security (OpSec) measures, inadvertently leaking sensitive data from their own computer to security researchers. This blunder not only exposed details about Styx Stealer’s capabilities and targets but also revealed the developer’s earnings and their connection to another notorious malware strain, Agent Tesla. Further forensic analysis uncovered a link between Sty1x and a Nigerian threat actor known by aliases such as Fucosreal and Mack_Sant. This individual had previously been involved in a campaign using Agent Tesla malware to target Chinese firms in various sectors. 

The connection between these two cybercriminals suggests potential collaboration, making Styx Stealer an even more formidable threat. Styx Stealer appears to be a derivative of the Phemedrone Stealer malware, inheriting core functionalities while introducing enhancements like auto-start and crypto-clipping features. These improvements make Styx Stealer more dangerous, increasing its potential to cause significant financial harm to its victims. The discovery of Styx Stealer highlights the ongoing evolution of cyber threats. Although the leak by the developer has likely disrupted Styx Stealer’s initial operations, it’s crucial to remain vigilant as cybercriminals adapt quickly.
Read more »
Wifi vulnerability
Browser Security Cyber Security DNS Hackers attack Internet Speed Network Security VPN WiFi Routers Wifi vulnerability

Signs Your Home Network Has Been Hacked and How to Protect Yourself

 

While many are aware of the risks associated with public Wi-Fi, fewer realize that home networks are also vulnerable to cyberattacks. Hackers can infiltrate home networks to access sensitive information like bank details, private conversations, and personal photos. Here are key indicators that your home network may be compromised and steps to enhance your security. 

One sign of a compromised network is a sudden drop in internet speed. If your connection slows down without any issues from your provider, it could mean hackers are using your bandwidth for malicious purposes. Another warning sign is the appearance of unfamiliar devices on your network. Hackers might connect their devices to your network to steal information. To check for this, log into your router and review the list of connected devices. Unrecognized entries should be investigated. Unexpected changes to your Wi-Fi password are also concerning. If you haven't changed it but find it different, someone might have hacked into your network to lock you out. 

Additionally, spotting unfamiliar software on your devices can indicate malware installation by hackers aiming to steal your data. Browser hijacking is another serious threat. If hackers gain access to your router, they can alter its DNS settings, redirecting your internet traffic to malicious sites that can steal information and install harmful software. If your browser frequently redirects to suspicious websites, your network might be compromised. Understanding how hackers operate can also help in recognizing threats. 

For example, they may pose as buyers in online transactions, sending phishing links to steal bank details from sellers. To protect your home network, ensure your router’s firmware is up to date and use strong, unique passwords for your Wi-Fi and devices. Enable network encryption, such as WPA3, and disable remote management features that can provide easy access to hackers. Using a virtual private network (VPN) can further secure your internet traffic and protect your online activities. 

Securing your home network requires vigilance and proactive measures. By staying aware of potential warning signs and implementing strong security practices, you can protect your personal information and maintain your digital privacy. Continuous learning and adaptation to new cyber threats are essential for keeping your network safe.
Read more »
Two Factor Authentication
Browser Security Bypass authentication Cyber Attacks pass-the-cookie Two Factor Authentication

Stay Safe Online: How to Protect Yourself from Pass-the-Cookie Attacks

Pass-the-Cookie Attacks

What is a Pass-the-Cookie Attack? 

A pass-the-cookie attack is a way to bypass authentication in a web application using a stolen session cookie. When a user logs in to any application on the Internet, a session cookie is created in the browser that identifies the user and allows them to keep the session active without constantly authenticating themselves. However, someone can steal and inject this session cookie into their browser. In that case, the web application will trust the session cookie and grant the thief complete access.

How Do Hackers Steal Session Cookies? 

There are several ways that hackers can steal session cookies. One standard method is through cross-site scripting (XSS) attacks, where an attacker injects malicious code into a website that steals the user’s session cookie when they visit the site. 

Another method is through phishing attacks, where an attacker sends an email or message that appears to be from a legitimate source but contains a link to a fake login page that steals the user’s session cookie when they enter their login information. Man-in-the-middle (MITM) attacks and trojan attacks are other methods that hackers use to steal session cookies.

How Can You Protect Yourself from Pass-the-Cookie Attacks? 

There are several steps you can take to protect yourself from pass-the-cookie attacks. One of the most effective ways is to use two-factor authentication (2FA) whenever possible. This adds an extra layer of security by requiring users to enter a code sent to their phone or email in addition to their password when logging in. This makes it much more difficult for hackers to access your account, even if they have stolen your session cookie.

Another way to protect yourself is by being cautious when clicking links or entering website login information. Always ensure you are on the correct website before entering your login information. Be wary of emails or messages asking you to click a link or enter your login information.

Finally, make sure that your computer and internet connection are secure. Use anti-virus software and keep it up-to-date, and avoid using public Wi-Fi networks when accessing sensitive information.

Pass-the-cookie attacks are a severe threat that can allow hackers to bypass authentication and gain access to sensitive information. Using two-factor authentication, being cautious when clicking on links or entering login information, and keeping your computer and internet connection secure can help protect yourself from these attacks and stay logged in to websites safely.

Read more »
Web browser
Apple Browser Security Google Account Safari User Data User Privacy User Security. Data Security Vulnerabilities and Exploits Web browser

New Apple Flaw Exposes Users’ Browser History and Google Account Details

 

A bug has been detected on Apple’s Safari 15, that can leak your recent browsing activity and expose your Google User ID to other sites. The flaw was introduced to Safari 15 via the Indexed Database API (IndexedDB), which is part of Apple's WebKit web browser development engine, according to a Saturday blog post by FingerprintJS. IndexedDB can be utilized to save data on the computer, such as websites visited, so that they load faster when one returns. 

IndexedDB likewise adheres to the same-origin principle, which prohibits websites from freely interacting with one another unless they have the same domain name (among other requirements). Imagine it being under quarantine and only being able to interact with members of your family.  

Moreover, the problem discovered by FingerprintJS allows IndexedDB to break the same-origin policy, revealing data it has gathered to websites from which it did not collect it. Unfortunately, some websites, such as those in the Google network, include unique user-specific identifiers in the information sent to IndexedDB. This implies that if you're logged into your Google account, the information gathered can be utilized to accurately identify the browsing history as well as account information. It can also figure out whether you're logged into more than one account. 

FingerprintJS stated, "Not only does this imply that untrusted or malicious websites can learn a user’s identity, but it also allows the linking together of multiple separate accounts used by the same user." 

They also posted a video demonstrating the type of data that the attack can disclose. The flaw was reported by FingerprintJS at the end of November, but Apple has yet to patch it. All of this is alarming, but there's not much one can do about it at the moment. Because a private tab can't see what's happening in any other tabs, whether private or public, browsing in Safari's Private mode can limit the potential damage. However, it isn't without flaws. 

"[I]f you visit multiple different websites within the same [private] tab, all databases these websites interact with are leaked to all subsequently visited websites," wrote FingerprintJS.

Switching from Safari to another browser can protect Mac users from the flaw, but iOS and iPadOS users are out of luck. While only Safari has been affected on Mac, Apple's requirement that both iOS and iPad web browsers utilize WebKit implies the IndexedDB flaw has affected all of these systems' browsers.
Read more »
Subscribe to: Posts (Atom)