Tag: chrome

Chrome

Chrome warning “These extensions may soon no longer be supported”

Posted on by Martin Brinkmann

Google is working on shutting down the old ruleset for Chrome browser extensions in favor of a new ruleset. The switch from Manifest V2 to Manifest V3 brings along with it a huge problem: extensions that are not updated will cease to work.

While no one has counted the extensions that rely on Manifest V2 in the Chrome Web Store, the count is likely in the thousands. Not all of the are actively maintained.

In addition, some extensions cannot be upgraded without loss of functionality. This is especially the case for content blockers.

Google, an advertising company first and foremost, does have a vetted interest in limiting content blockers. While there is no evidence that the company has made the decision to limit content blockers deliberately, it is clear that content blockers suffer under Manifest V3.

Chrome These extensions may soon no longer be supported

Soon, Chrome is warning users who have extensions installed that rely on Manifest V2. The browser lists extensions that won’t be supported by Chrome in the near future on the extensions page.

Google suggests to either remove the extensions entirely or to replace them with extensions from the Chrome Web Store that support Manifest V3.

Popular extensions such as uBlock Origin and even some of Google’s own are listed there as incompatible.

While there is a chance that some of these extensions will be updated to support Manifest V3, users of Chrome should not get their hopes up that this is the case for all extensions currently incompatible.

If you use Chrome, you can enable the deprecation warning right now in Chrome Canary.

  1. Load chrome://flags/#extension-manifest-v2-deprecation-warning in the Chrome address bar.
  2. Change the state to Enabled.
  3. Restart Google Chrome.
  4. Load chrome://extensions to see the list of unsupported extensions.

Google has revealed the following information about the deprecation of Manifest V2:

  • June 2024 — Manifest V2 extensions will be disabled in pre-stable versions of Chrome starting in Chrome 127. Manifest V2 extensions cannot be installed in Chrome anymore. Google will roll out the change gradually.
  • July 2024 or later — After monitoring the deprecation for at least a month, Google will roll out the deprecation to stable versions of Google Chrome.
  • June 2025 — Manifest V2 extensions cannot be installed anymore on Enterprise devices running Chrome.

The change will impact most Chromium-based browsers as well.

What about your extensions? Are some of them only available as Manifest V2 extensions?

Google fixes another 0-day exploit in Google Chrome

Posted on by Martin Brinkmann

Google has released quite a few security updates for its Chrome web browser in recent months. Besides the weekly scheduled security updates, Google has released updates to address 0-day vulnerabilities in Chrome.

Today, Google released another security update for Google Chrome to address a 0-day exploit. The issue affects all desktop versions of Chrome and Chrome for Android.

Chrome users may want to install the update immediately to fix the issue. Here is how that is done on desktop systems (there is no option to speed up the installation of Chrome updates on Android):

  • Load chrome://settings/help in the Chrome address bar.
  • Chrome displays the current version and runs a check for updates.

Updates will get installed automatically at this point, but you need to restart the browser manually to complete the update.

Chrome should return the following version after installation of the update:

  • Chrome for Windows and Mac: 125.0.6422.112 or 125.0.6422.113
  • Chrome Extended Stable for Windows or Mac: 124.0.6367.233
  • Chrome for Linux: 125.0.6422.112
  • Chrome for Android: 125.0.6422.112 or 125.0.6422.113

About the Chrome security vulnerability

The official release notes page lists basic information about the vulnerability only. It is CVE-2024-5274, a Type Confusion in V8 issue. Google has rated the vulnerability as high and notes that it is exploited in the wild.

V8 is the JavaScript and WebAssembly engine that Google Chrome uses.

In other words, systems with an outdated version of Chrome may be successfully attacked. It is unclear how the issue can be exploited, however.

The last update that fixed a 0-day vulnerability in Google Chrome was released just 2 weeks ago. It is the 8th 0-day exploit fix in Chrome in this year alone.

Enable Device Bound Session Credentials in Google Chrome

Posted on by Martin Brinkmann

Google is working on removing support for third-party cookies in Google Chrome. Cookies continue to be of use, for instance to save preference or as session cookies.

In an effort to make cookies more resilient to attacks, especially stealing, Google started to integrate Device Bound Session Credentials into Chromium.

The main idea here is to bind cookies to a specific device so that attackers who steal it cannot use them.

One of the main threats of cookie stealing is that malware actors may access accounts online without authentication.

Google explains how the feature works:

By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value. We think this will substantially reduce the success rate of cookie theft malware. Attackers would be forced to act locally on the device, which makes on-device detection and cleanup more effective, both for anti-virus software as well as for enterprise managed devices.

Note: the feature is still in a prototype stage in Chrome. Google said in April 2024 that it is experimenting with protecting Google accounts in Chrome Beta currently.

How to enable Device Bound Session Credentials in Chrome

Chrome Device Bound Session Credentials

Google Chrome users may enable the feature in their browser already. It is an experimental feature at this stage, which means that it needs to be enabled separately.

Device Bound Session Credentials

Enables Google session credentials binding to cryptographic keys that are practically impossible to extract from the user device. This will mostly prevent the usage of bound credentials outside of the user device. – Mac, Windows, Linux

Here is how that is done:

  1. Load chrome://flags/#enable-bound-session-credentials in the browser’s address bar.
  2. Change the status of the flag to enabled.
  3. Restart Google Chrome.

The security feature is enabled automatically at this point. You can revert the change at any time by changing the status to Default.

Chrome 124 0-day security update

Google fixes Chrome security issue that is exploited in the wild

Posted on by Martin Brinkmann

Just days after the weekly Google Chrome security update comes another security update for the web browser. This one unscheduled, as it fixes a 0-day security issue in Google Chrome that is exploited in the wild.

Google Chrome users should update the browser immediately to protect the browser and their data. Here is how that is done:

  • Open Google Chrome on a desktop system.
  • Select Menu > Help > About Google Chrome.

The browser displays the current version and runs a check for updates. It should pick up the security update and install it automatically.

Windows users may also launch a command prompt window and run winget upgrade Google.Chrome.EXE to update the browser to the latest version.

One of the following versions should be displayed by Chrome after installation of the update:

  • Chrome for Windows or Mac: 124.0.6367.201 or 124.0.6367.202
  • Chrome for Linux: 124.0.6367.201
  • Chrome Extended for Windows or Mac: 124.0.6367.201

The Chrome 0-day security issue: what we know

Google reveals little about the security issue on the official Chrome Releases website.

[N/A][339266700] High CVE-2024-4671: Use after free in Visuals. Reported by Anonymous on 2024-05-07

Google is aware that an exploit for CVE-2024-4671 exists in the wild.

The security issue is rated high and it is a use after free in Visuals. It was reported to Google on May 7, 2024, which means that it could have been exploited at least since that date. It is unclear how this issue can be exploited.

Other Chromium-based web browsers are also affected by the issue. This means that browsers such as Microsoft Edge, Vivaldi, Brave, or Opera are all vulnerable until an update is released.

Expect updates for these browsers in the coming hours and days.

Chrome on Android does not seem to be affected by the issue, as Google has not published an update for the browser or made an announcement on the releases blog regarding the platform.

When do you update browsers?

How to create screenshots of a full webpage

Posted on by Martin Brinkmann

If you found great helpful content online, you may want to save it for safe keeping. Screenshots are one option to do that. There are others, including saving the entire webpage to the local system or using tools such as SingleFile.

All operating systems support the creation of screenshots natively. On Windows, you’d just use Ctrl-Print to capture a screenshot. These screen capturing options are useful, but they are not ideal when it comes to capturing entire webpages, as they only capture the visible part.

Browsers with native screenshot tools

Firefox Take Screenshot

Several web browsers include native screenshot tools. Here is a list and how you activate the built-in screenshot function:

  • Microsoft Edge — Open menu and select screenshot from the list of options. Pick capture full page next and use the save icon to download the screenshot of the webpage to your system.
  • Mozilla FirefoxRight-click anywhere on the page and select take screenshot from the menu. Select Save full page to create a screenshot of the entire webpage. It takes a moment before a preview is displayed. Use the download button to save it to the local system.
  • Opera — Select the snapshot icon in the address bar to create a screenshot. Activate the capture full webpage button to create a screenshot of the entire webpage. Options to edit the screenshot and save it to the local system are provided after a moment.
  • Vivaldi — Activate the camera icon in Vivaldi’s status bar to open the screenshot options. Select full page and then the capture button to save the screenshot to the local system.

Browsers that require an extension to take screenshots

Chrome capture full size screenshot
  • Google Chrome — You may use a browser extension such as GoFullPage or FireShot to capture entire pages.

Technically, Chrome supports capturing screenshots natively. The feature is available in the Developer Tools, which makes it difficult to access. Still, it may be an option if you do not want to install a browser extension for creating screenshots.

Here is how you use it:

  1. Open the webpage that you want to create a whole screenshot from.
  2. Use Ctrl-Shift-I to open the Developer Tools. On Mac, you use Command-Option-I. This opens the Developer Tools interface.
  3. Use Ctrl-Shift-P to open the run box. On Mac, you use Command-Shift-P instead.
  4. Type screenshot and select capture full size screenshot.
  5. Chrome saves the screenshot to the local system.

Bonus Tip: Android

Android capture full webpage

Android’s native screen capturing tool supports full webpage captures. You may know that you can take a screenshot of the visible screen by pressing the Power and Volume Down buttons at the same time.

Android displays several options afterwards. This includes a a “down” icon. Press it once and Android scrolls down a bit on the webpage and appends more to the screenshot automatically.

Tip: press and hold the icon until the end of the page is reached to create a full webpage screenshot.

Do you take screenshots of webpages? If so, how do you capture them and why? If not, do you use a different method to save information?

Limit: Set daily Time Limits for distracting websites in Chrome

Posted on by Martin Brinkmann

Browser extension Limit promises to keep you focused on important tasks by setting time limits for distracting websites.

We have all been there probably: you need to focus on “something” important on your electronic devices but are distracted all the time. Notifications, chat messages, a quick browse on YouTube, checking your social media feed, or something else. The Internet is full of distractions.

Not everyone has the focus of a Shaolin Monk who keep focused no matter what. Extensions like Limit promise to help you out.

Limit – daily time limits for distracting websites

Limit interface

Limit is a browser extension for Google Chrome and also other Chromium-based browsers. It worked well in Microsoft Edge, Brave, Opera, and Vivaldi during tests.

The core idea behind the extension is to set access limits for certain websites. In other words: you may access the sites for the set limit only on any given day.

The extension is developed by the makers of Freedom. Freedom is the big brother of Limit. It runs system-wide, which means that it can also block distracting apps on supported systems.

Limit comes with a list of preset sites. These include some of the worst offenders when it comes to distractions, including YouTube, Netflix, Reddit, and Facebook. These sites can be removed from the configuration.

There is also an option to add any website. Just open the Settings of the extension, type the domain name, e.g., chipp.in, and activate the “add website” button.

Limit Website Access

Limit displays a notification when a time-limited website is opened. It reminds you of the time limit. Hover over the extension icon in the browser’s interface to get detailed information on the time spent and time left.

Limit blocks access to the website once you reach the set time limit.

Limit reached

Caveats

Limit is provided as a browser extension. It works therefore only in select browsers. While that may be sufficient if you just need a little push in the right direction to remain focused, it is quite easy to bypass the limits.

Apart from changing the daily time limit for the site to get more play time, using another browser is also an option to bypass the restriction.

If that is not enough, there are plenty of additional options available. Access the site using its IP address, use a proxy service, or a screenshot service.

Obviously, since you are in control, you may also uninstall the extension at any time or disable it.

Closing Words

Limit’s main goal of reducing the time spent on distracting websites depends entirely on the user. If you just need a little push, it may work well to keep you focused. If you need a bulletproof option, Limit is not the right extension for you. Freedom might work better, but it is a subscription-based service.

Now You: how do you handle distractions while working?

Cookies

Cookie stealing may soon be a thing of the past

Posted on by Martin Brinkmann

Google is working on a new security feature for the Web that aims to protect users against cookie theft malware better. Called Device Bound Session Credentials (DBSC), its main purpose is to bind cookies to the user’s device.

To better understand this, it is necessary to analyze the current situation. When you sign-in to a web service, a cookie is usually saved to the local system. This session cookie may then be used in future sessions. The effect is that you do not need to sign-in again, as this has been done in the past.

Cookies expire eventually, but until that happens, they may be used. One of the problems that arises is that cookies may also be used on other systems. This is what makes them attractive to criminals. If they manage to get their hands on session cookies, they may access the service without authentication.

A subtype of malware is designed to find and extract cookies from user systems. While this requires access to the user’s system in one way or another, it is a fairly common type of attack.

Device Bound Session Credentials

As the name implies, Device Bound Session Credentials limit cookies to individual devices. If you sign-in to a web service, the boundary is your computer (or a particular application). Anyone stealing the cookie cannot use it to access the account on another device, thanks to the new protective system.

Google explains:

By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value.

Google admits that attackers may still get value out of attacks, but only if they act on the user system thanks to the boundary.

Technically, DBSC uses key pairs that are created when a new session starts. The private key is stored by the operating system and protections such as TPM help protect the keys against attacks. Servers may associate sessions with the public key; this ensures that a session is still on the original device.

Google notes that there is no “persistent user tracking” as sites may not “correlate keys from different sessions”. Keys may also be deleted at any time using the browser, e.g., Chrome’s option to delete site data.

Going forward

Google has open sourced the project and plans to make it a public standard. It is already experimenting with a prototype in Chrome Beta that protects Google Account users. Some companies, including Microsoft, have expressed interest already in DBSC.

You can check out Google’s post on the Chromium blog for an overview or the technical explainer on GitHub for additional information.

Notifications blocked

How to deal with Notifications in Google Chrome

Posted on by Martin Brinkmann

All modern web browsers support so-called push notifications. Websites may request permission to send notifications. When users accept, they may push notifications to the user’s system. Ideally, these are useful to the user. Maybe about a new post on the site, an auction running out, or about item availability in online stores.

Most of the time, at least from my experience, notifications are not that helpful for users. Sites may push lots of notifications to user systems. Abuse is rampant. Notifications may get abused for advertisement, scams, or malicious attacks.

While notifications contain no executable content, clicking on notifications may launch sites and thus attacks.

You can check out this recent story on Bleeping Computer for an example of attacks. The attack originated on Google Search and used notifications to push spam and malware.

One of the best options to deal with notifications is to disable them. This works well for users who never use them in the first place. Those who do use notifications on specific sites may also optimize their configuration.

The following paragraphs explain how that is done. Note that this applies to other Chromium-based browsers as well. All offer these options, and you may load the URL provided below to open the Settings.

Blocking Notifications in Chrome permanently

Disable notifications in Google Chrome

It takes just a few steps to block notifications in Google Chrome.

  1. Load chrome://settings/content/notifications in the Chrome address bar. You may also open Menu > Settings > Privacy & Security > Site settings > Notifications manually.
  2. Set the default behavior to “Don’t allow sites to send notifications”.

You are done. Chrome won’t send any notifications from this moment up. There is one exception, and this is handy to allow specific sites to send notifications while disallowing them from any other site.

Scroll down to the customized behaviors section. There you find overrides. Use the “allowed to send notifications” section to allow specific sites to send notifications to your system.

Chrome allow notifications

Activate the “add” button and type the domain name using the following format: [*.]domain.com.

This allows the domain to send notifications, even though the general setting is set to disabled.

Tip: you can also allow sites in the following way:

  • Open the site in the Chrome browser.
  • Click on the icon that is in front of the domain name in Chrome.
  • Select Site Settings from the menu.
  • Locate the Notifications preference and set it to “allow”.

Closing Words

My recommendation is to turn off Notifications and use the allow list for select sites only. This blocks all notification spam and any attempt to use notifications for malicious attacks. It also prevents less tech savvy users from accepting notifications on a regular basis in the browser.

Google

Google turns Safe Browsing real-time checks on in Chrome

Posted on by Martin Brinkmann

Announced last year, Google has now enabled real-time Safe Browsing checks in its Chrome web browser.

Safe Browsing is a security component of the Google Chrome web browser. Its main purpose is to warn users about malicious websites or downloads. This includes protections against known phishing websites and malware.

Google Chrome used a local list of known malicious sites by default previously. This list was updated every 30 to 60 minutes by the browser. This meant that there was a short period in which new known threats were not blocked by the browser.

Google calculated that “average malicious” sites exist for less than 10 minutes. In other words, a good portion of malicious sites do not exist anymore when Chrome updates the local Safe Browsing list.

Chrome users could switch the security setting to enhanced to get real-time checks. This new real-time checking of threats is now available in all Safe Browsing modes.

Safe Browsing changes

Chrome Safe Browsing

Google Chrome uses a Safe Browsing list on Google servers now to check any site that is getting opened against it. This improves the protection of users. Google estimates that this should improve the blocking of phishing attempts by 25%.

The change is rolling out to Chrome desktop users already. Android will also get the change “later this month” according to Google.

The option to enable Enhanced Protection is still available. This includes real-time checks as well, but also use of “AI to block attacks, provides deep file scans and offers extra protection from malicious Chrome extensions”.

What about privacy?

Google says that the new real-time nature of Safe Browsing checks is privacy-preserving.

Here is what happens in Chrome when a site is visited (according to Google):

  1. The cache is checked to see if the site is known to be safe already.
  2. If it is not in the cache, Chrome needs to check it against the remote Safe Browsing list.
  3. Chrome starts by obfuscating the URL locally into 32-byte full hashes.
  4. The hash is then truncated into 4-byte long chunks.
  5. These are encrypted by Google Chrome and transferred to a “privacy server”.
  6. The privacy server removes “potential user identifiers” before forwarding the encrypted hash chunks to the Safe Browsing server.
  7. There the data is decrypted and checked against the database.
  8. If a match is found, Chrome shows a warning to the user.

Google entered into a partnership with Fastly to “operate an Oblivious HTTP privacy server” that sits between the Chrome web browser and Safe Browsing.

The main idea behind Oblivious HTTP is to block the receiving server from linking requests to specific clients. Google published a blog post on the Chrome Security blog that offers additional information on the implementation in Chrome and server infrastructure.

Closing Words

Real-time checks should improve protection for users without impacting their privacy. Other browsers who also use Safe Browsing may not be affected by the change if they download Safe Browsing lists instead of using real-time checks.

Those who use Chrome but do not want these real-time checks can turn off Safe Browsing

Under New Management: Chrome extension checks if extension owner has changed

Posted on by Martin Brinkmann

Under New Management is a new extension for Google Chrome and Chromium-based browsers. Its main purpose is to notify users when the owner of installed extensions changes.

Here is why that is important: an entire ecosystem of companies exist that buy extensions to, usually, exploit the userbase and extract as much money as possible from it.

Popular extensions may sell for five or even six figures. This is mostly based on the userbase, but factors such as the rating, comments, or track record play a role as well.

When an extension gets sold, the new owners may implement money making functions. These cross borders often, for instance, by tracking users and selling data, or by changing ads on the screen or affiliate links.

The main problem for users is that ownership changes are not announced by the browser. It would be simple, but no browser does that at the moment.

Under New Management

Under New Management alert

Under New Management adds checks and notifications to Chrome and other Chromium-based browsers.

The developer describes how the extension works on its GitHub repository site:

Intermittenty checks your installed extensions to see if the developer information listed on the Chrome Web Store has changed. If anything is different, the extension icon will display a red badge, alerting you to the change.

The extension checks the Chrome Web Store for changes and warns users if it detects any.

It checks the following parameters:

  • Developer name
  • Developer website
  • Extension name
  • Offered by name
  • Developer email
  • Extension ID

If any of these change, it will notify you about it. All it takes is to install the extension in a Chromium-based browser.

Note: there is a chance that an extension may get sold but that the information is not changed.

Blocking automatic extension updates in Google Chrome

Another option that you have is to block automatic extension updates. Google Chrome and most Chromium-based browsers do not offer any Setting in this regard, however.

The idea here is to verify extension updates before allowing them.

As a side note, Mozilla Firefox does. Load about:addons in the browser’s address bar, activate the settings icon on the page and uncheck “pdate Add-ons Automatically” with a click on the entry.

Block automatic extension updates

Extensions won’t auto-update from that moment up, but you may still update them.

The only option for Chrome and most Chromium-based browsers is a bit complicated. It requires that you enable Developer Mode in the browser and load the extension in its unpacked state. Note that I have not tried this extensively.

Unpacked extensions do not get updated automatically, as they are loaded from the local system. It gives you control, but it means that you have to update these extensions manually each time.

Now You: how many and which extensions do you use?