Category: Security & Privacy

Google fixes another 0-day vulnerability in Chrome, advises to update asap

Posted on by Martin Brinkmann

If you have installed Google Chrome on one of your devices, then you may want to start the browser’s update engine immediately to update it to the latest version.

Google released a new version of Chrome for desktop and Android to fix a 0-day vulnerability in the browser. This one is exploited in the wild, which means that there is a chance that the issue may be exploited when you run older versions of the Google browser.

The official release notes list CVE-2025-6554 as a type confusion issue in V8, the JavaScript engine that Google Chrome uses. A type confusion vulnerability exploits a flaw in software where a program mistakes a specific type of data for another. This can lead to unexpected behavior, which threat actors may exploit in attacks.

Google mentions that the issue was reported by Clรฉment Lecigne of Google’s Threat Analysis Group on June 25th, 2025. Google says that it mitigated the issue a day later by pushing a configuration change to the stable channel of the browser across all platforms.

This suggests that most devices — all that received the configuration change — are protected from attacks targeting the vulnerability. Still, it is recommended to update the browser immediately.

Desktop users, those who run Google Chrome on Windows, Mac, or Linux devices may select Menu > Help > About Google Chrome to do so. Chrome runs a check for updates and will install the new version automatically. Note that a restart of the browser is necessary to complete the process.

Tip: Windows users may also run winget upgrade google.chrome.exe in Terminal to upgrade the browser to the new version without first starting it.

Android users are not so lucky. The update depends on Google Play in that case, and that may take a while. There is no option to speed up the installation of the mobile browser on Android, if installed via Google Play.

Windscribe: Google is blocking our extension update because of “too many privacy features”

Posted on by Martin Brinkmann

Windscribe is a popular VPN solution thanks to its free version, privacy features, and interesting build a plan feature. Windscribe users may install the official extension to integrate the VPN better into Google Chrome and other Chromium-based browsers, and get several privacy features on top.

The extension adds features such as ad blocking, webRTC blocking, cookie-banner hiding, and much more.

This just happened: The developers confirmed on X that Google is blocking the latest extension update from its Chrome Web Store.

The provided screenshot shows that Google claims that the extension does not comply with the “Single Use” policy for Chrome extensions.

Good to know: The Single Purpose Policy requires that extensions focus on one specific function or theme. Google says that this improves the user experience.

The posted screenshot of the Google email shows that Google claims that the “extension is providing multiple unrelated functionalities”, such as “masking physical location”, “circumventing censorship”, and “blocking ads and trackers”.

Google is asking the developers of the extension to modify it, so that it offers a “narrowly-focused single functionality”.

Windscribe appealed Google’s objection to no avail. As it stands, Windscribe is blocked from updating its extension on the Chrome Web Store.

Tip: you can check out the Windscribe extension for Firefox, which does not have any of these issues.

This is not the first time that legitimate popular extensions have issues with the update process on the Chrome Web Store. Google’s Store is the default location for most Chromium-based browsers when it comes to extensions.

Several browsers, including Brave, do not operate their own extensions store. While some do, Microsoft with Edge or Opera with its Opera Web Browser, the majority relies on extensions from the Chrome Web Store. Even the two mentioned browsers have limited extensions listed in their respective stores.

As for Windscribe, it will be interesting to see how this works out for the company. Usually, public attention is required to get Google to look deeper into the matter and change its stance on a violation.

Firefox

Mozilla should test Firefox with best-in-class ad blocker and privacy

Posted on by Martin Brinkmann

The future looks quite grim for Mozilla and its Firefox web browser. The average monthly user count continues to drop while the browser of its ex-CEO is reporting new heights regularly. Then there is the looming death of Google and its impact on Mozilla’s finances to consider.

Mozilla’s reaction came as a surprise. It started to add features that users requested for years. Firefox supports vertical tabs now, tab groups, and a lot more.

It also took a look at its assets to figure out what to keep and what to terminate. This resulted in the termination of recent acquisitions, such as Fakespot, and long-standing staples, such as Pocket.

While these help free up resources and reduce expenses, it is likely that they won’t prevent the Mozilla-ship from capsizing, if things take a turn for the worse.

What to do? Here is an idea!

Why is Brave gaining users and Firefox losing them? You could say that it is all because of the different underlying platforms that the browsers use. Brave, after all, uses the same core as Google Chrome. Firefox uses Mozilla’s own engine. It has advantages, as it gives Mozilla full control over the engine. However, all development weight is on Mozilla whereas Brave and others reap what (mostly) Google developers and others work on.

It would be shortsighted to focus solely on this. Brave includes a content blocker by default. It also includes lots of privacy enhancements. While some criticize the browser for its integration of crypto-stuff, the combination of Chromium with its integrated content blocker works really well most of the time.

Firefox users can install uBlock Origin or another content blocker, but they have to do so manually.

Why is not Mozilla integrating its own content blocker or establishing a partnership with Raymond Hill, the creator of uBlock Origin? Mozilla never revealed the answer, but the most likely answer is because of its search deal with Google.

An ad blocker would prevent Google ads from showing up. Google would rightfully so want to pay less to Mozilla, as it would not make enough revenue anymore to justify the price that it pays Mozilla each year.

But what about running a test? Create a special version of Firefox. Install an ad-blocker and enable it by default. Distribute it, maybe ask for donations in the same way that the Thunderbird team is asking for them.

See how it goes. Just make sure that privacy is excellent for users, that they won’t see any sponsored content or other paid content in Firefox, and that their privacy is always valued more than anything else.

It might work. Users might pick Firefox as it would keep them safe and private while using the browser. It might not work, but Mozilla would at least tried something.

Now You: do you use Firefox or another browser? Let me know in the comments below.

Reddit

Reddit is rolling out options to hide posts and comments on your profile page

Posted on by Martin Brinkmann

Reddit users will soon have an option to keep their interactions on the social site private. The company is rolling out a new feature that enables users to hide posts and comments that they made on the site on their profile page.

Currently, all posts and comments show up when the page is opened. Anyone who opens the link to the profile, which always begins with https://www.reddit.com/user/ followed by the username, sees all posts and comments by that user in chronological order.

Some content on the page, including saved posts on Reddit or votes, are kept private.

Reddit users have the following options going forward:

  • Hide all posts and comments.
  • Hide posts and comments selectively per community.
  • Show all posts and comments (default).

Furthermore, there will be additional options. Users who interact with NSFW (Not Safe For Work) content on Reddit may block this content from showing up in their profile directly. Also, the follower count can be hidden as well.

This may look like a small change for Reddit users who do not post to the site. Those who do know that their profiles are in the open and so is their entire post and commenting history.

Giving users an option to lock this down is appreciated, as it blocks potential abuse, e.g., creation of profiles or harassment. It may be especially useful to users who interact with SFW (Safe For Work) and NSFW content on the site, and do not want the SFW crowd to know about their NSFW side, or the other way round.

Now You: do you have a Reddit account? What is your take on the direction the site is heading to since its IPO? Feel free to leave a comment down below.

New AI Tool creates dossiers of users based on YouTube comments

Posted on by Martin Brinkmann

Many sites support comments. You can leave a comment under videos, articles, or in forums to add your take on something, add something that you think is missing, or, most likely, to correct the original author.

Using public comments or posts is not a new invention. In fact, it goes all the way back to the beginning days of the Internet.

Now, with the rise of new AI tools and capabilities, come tools that take this to a new level.

A report by 404 Media (paywalled) offers insights into YouTube-Tools, a new paid service that uses AI to create reports about any commenter on YouTube. The service is available for $20 per month according to the report.

Subscribers may then point the tool to the comment of any YouTuber on the site to order a detailed report about that user. The AI tool analyses the comment and other posts on the site to reveal information about the geographic location, political leanings or spoken languages.

The developer of the tool notes that it has access to a database containing information about 1.4 billion YouTube users and over 20 billion comments. While the total number of comments on YouTube is not public knowledge, YouTube has almost double the number of users according to 404 Media.

Regardless, advancements in AI pave the way for a new breed of tools that will be used for tracking and the invasion of privacy.

Internet users should be careful when they leave comments, messages or posts that are publicly accessible, especially when that comment might reveal something about them that they would not want to be linked back to them.

Google fixes a 0-day exploit in its Chrome browser that is exploited in the wild

Posted on by Martin Brinkmann

Google released a new security update for its Chrome web browser that fixes three security issues, including one that is exploited in the wild.

The security issue affects the desktop versions of Google Chrome and the Android version. Desktop users may select Menu > Help > About Google Chrome to install the security update immediately. Google says that it may take days or even weeks before updates may be installed automatically on systems running Google Chrome.

Google reveals basic information about two of the three vulnerabilities. The vulnerability that is exploited in the wild is CVE-2025-5419. It is an out of bounds read and write vulnerability in Chrome’s JavaScript engine that is rated high.

Google reveals that it mitigated the issue on May 28th already. It released a configuration change on the day that it “pushed out to Stable across all Chrome platforms”. Many systems running Chrome should have received the update on that day or the following days already.

Google confirmed that the security issue is exploited in the wild, but did not reveal additional information at the time. The scope of the attack and the attack vector are unknown because of this. Google limits access to security information, including information about patched security issues, to avoid giving malware groups and developers additional hints about the issue.

Chrome users may display the current version of the web browser by loading chrome://settings/help on desktop systems. Google displays on the page if Chrome is up to date.

Chrome 137 Security update

The following versions should be displayed after installation of the update.

  • Chrome for Windows or Mac: 137.0.7151.68 or 137.0.7151.69
  • Chrome for Linux: 137.0.7151.68
  • Chrome for Android: 137.0.7151.72

Android users can’t speed up the installation of the update.

Now You: do you use Chrome or have the browser installed? Feel free to leave a comment down below.

Google Search

Chrome 136 update patches security issue that is exploited in the wild

Posted on by Martin Brinkmann

Google released a security update for its Chrome web browser for the desktop and Android that fixes several security issue. One of the issues is rated high and already exploited on the Internet according to Google.

The details:

  • The update is available for Chrome on Windows, Linux, Mac, and Android.
  • It includes fixes for four security issues in total.
  • The update is a point update for Chrome 136.

The security update changes the version of the Chrome web browser to the following versions:

  • Windows and Mac: 136.0.7103.113 or 136.0.7103.114
  • Linux:ย 136.0.7103.113
  • Android: 136.0.7103.125

Google lists just two of the fixed security issues on the official Chrome Releases blog. One of them is CVE-2025-4664, which is rated high and described as a “insufficient policy enforcement in loader” security issue.

Malicious users may exploit the issue to “leak cross-origin data via a crafted HTML page”. Google notes that it is aware of exploits in the wild, but does not provide additional information on the scope of the attacks.

Chrome users are encouraged to update their browser immediately to protect their data against potential attacks targetting the vulnerability.

Desktop users may select Menu > Help > About Google Chrome to run a check for updates. This should pick up the latest version and install it on the device. Android users can’t speed up the installation of the update unfortunately.

It is possible that other Chromium-based browsers are also affected by the issue. Expect security updates for these browsers in the coming hours and days as well.

Malicious Captchas are on the rise

Posted on by Martin Brinkmann

Captchas can be quite annoying, especially if your input is not accepted or if they do not work at all. You may now add malicious captchas to the list of annoyances.

Proton Mail published one example on X recently.

The malicious captcha tries to convince unsuspecting users to run a command on their Windows machines.

Here is how it works:

  1. The victim lands on a page with the fake captcha, for instance after clicking on a link in an email or chat.
  2. The captcha displays the usual “I’m not a robot” button.
  3. A click or tap on the button copies a PowerShell command to the operating system’s clipboard.
  4. Victim is instructed to use the shortcut Windows-R to open a run box.
  5. Asked to use Ctrl-V to paste the command and to press Enter to execute it.

Doing so downloads malware from a server on the Internet and runs it on the user’s system. This can be infostealers, malicious software that steals personal information, such as logins, financial documents, or photos.

While most, or even all, experienced users may never fall for that, it is almost a given that inexperienced users may. They may have difficulties getting the run box to open or paste the command, but they probably do not suspect foul play.

How to protect yourself

Protection is quite easy.

No legitimate captcha will ever ask you to execute a command on a local system, or to download a file and run it.

That is pretty much all that you need to protect yourself and your data against this type of attack.

Clearly, you may also want to ask yourself whether you trust the site you are on. Even if you conclude that you do, you should not run anything on the local computer when prompted to do so by a captcha.

Now You: how do you handle captchas on the Internet?

About Alphonso: a technology that captures audio samples on mobile devices using the built-in microphone

Posted on by Martin Brinkmann

For advertisers, it may seem like the perfect fit. Integrate a technology into mobile apps, games for the most part, that identifies ads playing on television to push similar ads on mobile, even if the mobile is not used actively.

News about such a system comes just days after LG announced the integration of AI into its televisions to determine the emotions and beliefs of viewers.

The startup Alphonso has apparently created the technology and it is already being used in hundreds of apps and games, some of which are available on Google Play or the Apple App Store.

It works by capturing audio samples using the device’s microphone. These are turned into hashes on the user’s device before they are submitted to a remote server. The hashes are checked against a database of hashes of television ad sound samples to find matches.

A report by The New York Times — you need an account to read it, or archive.is — has additional details.

  • Sound can be recorded even if the mobile phone is in a pocket or if the apps are running in the background.
  • Some of the apps are clearly aimed at children (Alphonso told the NYT that it did not approve of that).

Alphonso told the New York Times that the entire process is highlighted in the application’s description and in the privacy policy. Users need to accept these before the technology can start recording anything.

While technically correct, it is clear that many users do not read the description or privacy policy before hitting the install button in the mobile app stores.

The only way to prevent giving your okay to the recording of audio is to read the description and privacy policy carefully before hitting the install button. A search for Alphonoso may be the quickest option in this regard.

Tor Browser 14.5 brings Connection Assist feature to Android

Posted on by Martin Brinkmann

The developers of the anonymizer Tor Browser have released a new version for all supported operating system. The big feature in this release is the introduction of Connection Assist on Android.

The feature, which has been available in Tor Browser for desktop operating systems for quite some time, aims to help users establish a connection to the Tor network if regular connection attempts do not work.

So, if connecting to Tor fails in the browser, for example when you try to connect from a country that blocks this, then Connection Assist kicks in. It uses so-called bridges to establish a connection. Bridges use different techniques to circumvent censorship.

Android users could use bridges previously, but it was not that comfortable to configure and use.

The new feature integrates the functionality seamlessly into the Android client, making it a much better experience for users who require these.

All users should benefit from “more stable and less error-prone connections” as well, according to the release announcement.

Tor Browser 14.5 includes support three new languages as well. These are Belarusian, Bulgarian, and Portuguese (Portugal) and available in the desktop and Android clients.

Tip: Languages can be set under Settings > General > Language and Appearance > Language on desktop or Settings > General > Language on Android.

Here are other noteworthy changes:

  • Tor logs on desktop have been “enhanced to aid readability”. Also, no longer necessary to close and reopen to refresh logs.
  • Quitting Tor Browser on Android does now a “thorough job of ending background processes and clearing recent tasks”.
  • Improvements to the Connection Assist logic in general.

Tor Browser 14.5 includes several known issues which you find listed on the official issues tracker. Make sure you pay the page a visit before upgrading or installing the new version of the web browser.

You can check out the full release notes here.