Tag: chrome

Chrome

Report: Google sneaked in code in Chrome that is favoring Google

Posted on by Martin Brinkmann

A report suggests that Google has sneaked code into Chromium-based browsers that is favoring Google-owned properties. Browsers like Chrome, Brave, and Microsoft Edge appear affected.

If true, it would give critics of Google’s dominance in web browsing a mighty powerful argument.

Here are the details: Google Chrome and other Chromium-based browsers give *.google.com sites full access to system / tab CPU usage, GPU usage, memory usage, detailed processor information, and a logging backchannel.

Luca Casonato published information about this on X and Simon Willison published code that anyone may run to verify the claim.

Chrome returning information on google-owned properties
The information that Chrome reveals to Google when the code is run

Here is how that is done:

  1. Open Google Chrome on your system.
  2. Load https://www.google.com/ or any other *.google.com property.
  3. Select Menu > More Tools > Developer Console.
  4. Switch to the Console tab, if it is not active already.
  5. Type allow pasting.
  6. Paste the following code: chrome.runtime.sendMessage(‘nkeimhogjdpnpccoofpliimaahmaaome’, {method: ‘cpu.getInfo’}, response => {console.log(JSON.stringify(response, null, 2));});
  7. Press the Enter-key.

Chrome returns information when the code is run on a Google property. It returns an error message when you run it on any other site.

The code is accessible on the Chromium Code Search website. You can load it here and check it out yourself.

Casonato suggests that the exclusive feature is a violation of the Digital Markets Act as browser vendors “must give the same capabilities to everyone”.

Closing Words

It is unclear if and how Google is using the information. Casonato says that he does not believe that the company uses it for something malicious or invasive, such as fingerprinting.

Still, Google favoring Google in Chrome and Chromium-based browsers is giving critics of Google’s dominance in web browsing another reason why a browser monopoly or duopoly (if you consider Safari), is bad for users.

It is also interesting to note that other Chromium-based browsers have kept the code in their browsers. It is unclear why.

Which browser do you use mainly and why?

Google Chrome 126

Google Chrome 126 fixes 21 security issues

Posted on by Martin Brinkmann

Google released a new stable version of its Chrome web browser for all supported platforms. Chrome 126 is a security update first and foremost, but it makes non-security changes to the browser as well.

The security update is available already. Google rolls out these updates over the course of days and weeks. Most Chrome installations are updated automatically, thanks to the built-in updating system.

Desktop users may install the update quicker by opening Menu > Help > About Google Chrome. Chrome displays the installed version on the page that opens and runs a check for updates. The browser will download any new version it finds.

Chrome 126: the security fixes

Google mentions that it has fixed 21 unique security issues in Chrome 126. It lists only externally reported issues on the page. All of these are rated high or lower, and there does not seem to be a(nother) 0-day issue that is affecting the browser at this time.

The security issues rated high type confusion, use after free, heap buffer overflow, and inappropriate implementation issues.

The non-security changes of Chrome 126

Here is an overview of important non-security changes in the new Chrome release:

  • OCR-AI Reader for inaccessible PDF documents that creates a “built-in PDF screen reader”.
  • Beginning to switch to an out-of-process iframe architecture for the PDF viewer. This makes it simpler to add new features to it according to Google.
  • Reactive prefetch on desktop. The feature speeds up navigations and the loading of pages by using a Google-owned service to predict resources that should be prefetched.
  • Tab Group support on iPad.
  • Starting in Chrome 126, Chrome starts to directly support accessibility client software that uses Microsoft Windows’s UI Automation accessibility framework.
  • Search any text or image using Google Lens.

Developers may want to check out the Chrome Status website for development related changes.

Have you tried Google Chrome recently?

Google

Latest Chrome 125 security update fixes 11 unique issues

Posted on by Martin Brinkmann

Google has released a new security update for its Chrome web browser for all supported platforms. The update patches 11 unique security issues in the browser. It comes days after an out-of-bounds security update for Chrome to address a 0-day security vulnerability.

While the issues do not appear to be exploited at the time of writing, it is recommended to update Chrome immediately.

This is done by loading chrome://settings/help in the browser’s address bar or selecting Menu > Help > About Google Chrome manually.

Chrome lists the installed version and will download a new version that it finds automatically on desktop systems.

Pro Tip: open a command prompt window on Windows and run winget upgrade google.chrome.exe to update Chrome without opening it.

Chrome should display one of the following versions after installation of the update:

  • Chrome for Mac or Windows: 125.0.6422.141 or 125.0.6422.142
  • Chrome for Linux: 125.0.6422.141
  • Chrome Extended Channel for Mac or Windows: 124.0.6367.243
  • Chrome for Android: 125.0.6422.146 or 125.0.6422.147

The security fixes

Google lists seven of the eleven security issues that it fixed in the Chrome update on the official releases site.

All seven have a severity rating of high. Google does not publish information about security issues that it discovered internally. The severity of the four unmentioned security issues is unknown as a consequence.

Here is what Google reveals about the listed security issues:

  • [$7000][339877165] High CVE-2024-5493: Heap buffer overflow in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2024-05-11
  • [TBD][338071106] High CVE-2024-5494: Use after free in Dawn. Reported by wgslfuzz on 2024-05-01
  • [TBD][338103465] High CVE-2024-5495: Use after free in Dawn. Reported by wgslfuzz on 2024-05-01
  • [TBD][338929744] High CVE-2024-5496: Use after free in Media Session. Reported by Cassidy Kim(@cassidy6564) on 2024-05-06
  • [TBD][339061099] High CVE-2024-5497: Out of bounds memory access in Keyboard Inputs. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab on 2024-05-07
  • [TBD][339588211] High CVE-2024-5498: Use after free in Presentation API. Reported by anymous on 2024-05-09
  • [TBD][339877167] High CVE-2024-5499: Out of bounds write in Streams API. Reported by anonymous on 2024-05-11

The security issues affect several components of the browser, including APIs, keyboard inputs, media session, WebRTC, and Dawn. Dawn is an “open-source and cross-platform implementation of the WebGPU standard” according to Google Source.

Chrome

Chrome warning “These extensions may soon no longer be supported”

Posted on by Martin Brinkmann

Google is working on shutting down the old ruleset for Chrome browser extensions in favor of a new ruleset. The switch from Manifest V2 to Manifest V3 brings along with it a huge problem: extensions that are not updated will cease to work.

While no one has counted the extensions that rely on Manifest V2 in the Chrome Web Store, the count is likely in the thousands. Not all of the are actively maintained.

In addition, some extensions cannot be upgraded without loss of functionality. This is especially the case for content blockers.

Google, an advertising company first and foremost, does have a vetted interest in limiting content blockers. While there is no evidence that the company has made the decision to limit content blockers deliberately, it is clear that content blockers suffer under Manifest V3.

Chrome These extensions may soon no longer be supported

Soon, Chrome is warning users who have extensions installed that rely on Manifest V2. The browser lists extensions that won’t be supported by Chrome in the near future on the extensions page.

Google suggests to either remove the extensions entirely or to replace them with extensions from the Chrome Web Store that support Manifest V3.

Popular extensions such as uBlock Origin and even some of Google’s own are listed there as incompatible.

While there is a chance that some of these extensions will be updated to support Manifest V3, users of Chrome should not get their hopes up that this is the case for all extensions currently incompatible.

If you use Chrome, you can enable the deprecation warning right now in Chrome Canary.

  1. Load chrome://flags/#extension-manifest-v2-deprecation-warning in the Chrome address bar.
  2. Change the state to Enabled.
  3. Restart Google Chrome.
  4. Load chrome://extensions to see the list of unsupported extensions.

Google has revealed the following information about the deprecation of Manifest V2:

  • June 2024 — Manifest V2 extensions will be disabled in pre-stable versions of Chrome starting in Chrome 127. Manifest V2 extensions cannot be installed in Chrome anymore. Google will roll out the change gradually.
  • July 2024 or later — After monitoring the deprecation for at least a month, Google will roll out the deprecation to stable versions of Google Chrome.
  • June 2025 — Manifest V2 extensions cannot be installed anymore on Enterprise devices running Chrome.

The change will impact most Chromium-based browsers as well.

What about your extensions? Are some of them only available as Manifest V2 extensions?

Google fixes another 0-day exploit in Google Chrome

Posted on by Martin Brinkmann

Google has released quite a few security updates for its Chrome web browser in recent months. Besides the weekly scheduled security updates, Google has released updates to address 0-day vulnerabilities in Chrome.

Today, Google released another security update for Google Chrome to address a 0-day exploit. The issue affects all desktop versions of Chrome and Chrome for Android.

Chrome users may want to install the update immediately to fix the issue. Here is how that is done on desktop systems (there is no option to speed up the installation of Chrome updates on Android):

  • Load chrome://settings/help in the Chrome address bar.
  • Chrome displays the current version and runs a check for updates.

Updates will get installed automatically at this point, but you need to restart the browser manually to complete the update.

Chrome should return the following version after installation of the update:

  • Chrome for Windows and Mac: 125.0.6422.112 or 125.0.6422.113
  • Chrome Extended Stable for Windows or Mac: 124.0.6367.233
  • Chrome for Linux: 125.0.6422.112
  • Chrome for Android: 125.0.6422.112 or 125.0.6422.113

About the Chrome security vulnerability

The official release notes page lists basic information about the vulnerability only. It is CVE-2024-5274, a Type Confusion in V8 issue. Google has rated the vulnerability as high and notes that it is exploited in the wild.

V8 is the JavaScript and WebAssembly engine that Google Chrome uses.

In other words, systems with an outdated version of Chrome may be successfully attacked. It is unclear how the issue can be exploited, however.

The last update that fixed a 0-day vulnerability in Google Chrome was released just 2 weeks ago. It is the 8th 0-day exploit fix in Chrome in this year alone.

Enable Device Bound Session Credentials in Google Chrome

Posted on by Martin Brinkmann

Google is working on removing support for third-party cookies in Google Chrome. Cookies continue to be of use, for instance to save preference or as session cookies.

In an effort to make cookies more resilient to attacks, especially stealing, Google started to integrate Device Bound Session Credentials into Chromium.

The main idea here is to bind cookies to a specific device so that attackers who steal it cannot use them.

One of the main threats of cookie stealing is that malware actors may access accounts online without authentication.

Google explains how the feature works:

By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value. We think this will substantially reduce the success rate of cookie theft malware. Attackers would be forced to act locally on the device, which makes on-device detection and cleanup more effective, both for anti-virus software as well as for enterprise managed devices.

Note: the feature is still in a prototype stage in Chrome. Google said in April 2024 that it is experimenting with protecting Google accounts in Chrome Beta currently.

How to enable Device Bound Session Credentials in Chrome

Chrome Device Bound Session Credentials

Google Chrome users may enable the feature in their browser already. It is an experimental feature at this stage, which means that it needs to be enabled separately.

Device Bound Session Credentials

Enables Google session credentials binding to cryptographic keys that are practically impossible to extract from the user device. This will mostly prevent the usage of bound credentials outside of the user device. – Mac, Windows, Linux

Here is how that is done:

  1. Load chrome://flags/#enable-bound-session-credentials in the browser’s address bar.
  2. Change the status of the flag to enabled.
  3. Restart Google Chrome.

The security feature is enabled automatically at this point. You can revert the change at any time by changing the status to Default.

Chrome 124 0-day security update

Google fixes Chrome security issue that is exploited in the wild

Posted on by Martin Brinkmann

Just days after the weekly Google Chrome security update comes another security update for the web browser. This one unscheduled, as it fixes a 0-day security issue in Google Chrome that is exploited in the wild.

Google Chrome users should update the browser immediately to protect the browser and their data. Here is how that is done:

  • Open Google Chrome on a desktop system.
  • Select Menu > Help > About Google Chrome.

The browser displays the current version and runs a check for updates. It should pick up the security update and install it automatically.

Windows users may also launch a command prompt window and run winget upgrade Google.Chrome.EXE to update the browser to the latest version.

One of the following versions should be displayed by Chrome after installation of the update:

  • Chrome for Windows or Mac: 124.0.6367.201 or 124.0.6367.202
  • Chrome for Linux: 124.0.6367.201
  • Chrome Extended for Windows or Mac: 124.0.6367.201

The Chrome 0-day security issue: what we know

Google reveals little about the security issue on the official Chrome Releases website.

[N/A][339266700] High CVE-2024-4671: Use after free in Visuals. Reported by Anonymous on 2024-05-07

Google is aware that an exploit for CVE-2024-4671 exists in the wild.

The security issue is rated high and it is a use after free in Visuals. It was reported to Google on May 7, 2024, which means that it could have been exploited at least since that date. It is unclear how this issue can be exploited.

Other Chromium-based web browsers are also affected by the issue. This means that browsers such as Microsoft Edge, Vivaldi, Brave, or Opera are all vulnerable until an update is released.

Expect updates for these browsers in the coming hours and days.

Chrome on Android does not seem to be affected by the issue, as Google has not published an update for the browser or made an announcement on the releases blog regarding the platform.

When do you update browsers?

How to create screenshots of a full webpage

Posted on by Martin Brinkmann

If you found great helpful content online, you may want to save it for safe keeping. Screenshots are one option to do that. There are others, including saving the entire webpage to the local system or using tools such as SingleFile.

All operating systems support the creation of screenshots natively. On Windows, you’d just use Ctrl-Print to capture a screenshot. These screen capturing options are useful, but they are not ideal when it comes to capturing entire webpages, as they only capture the visible part.

Browsers with native screenshot tools

Firefox Take Screenshot

Several web browsers include native screenshot tools. Here is a list and how you activate the built-in screenshot function:

  • Microsoft Edge — Open menu and select screenshot from the list of options. Pick capture full page next and use the save icon to download the screenshot of the webpage to your system.
  • Mozilla FirefoxRight-click anywhere on the page and select take screenshot from the menu. Select Save full page to create a screenshot of the entire webpage. It takes a moment before a preview is displayed. Use the download button to save it to the local system.
  • Opera — Select the snapshot icon in the address bar to create a screenshot. Activate the capture full webpage button to create a screenshot of the entire webpage. Options to edit the screenshot and save it to the local system are provided after a moment.
  • Vivaldi — Activate the camera icon in Vivaldi’s status bar to open the screenshot options. Select full page and then the capture button to save the screenshot to the local system.

Browsers that require an extension to take screenshots

Chrome capture full size screenshot
  • Google Chrome — You may use a browser extension such as GoFullPage or FireShot to capture entire pages.

Technically, Chrome supports capturing screenshots natively. The feature is available in the Developer Tools, which makes it difficult to access. Still, it may be an option if you do not want to install a browser extension for creating screenshots.

Here is how you use it:

  1. Open the webpage that you want to create a whole screenshot from.
  2. Use Ctrl-Shift-I to open the Developer Tools. On Mac, you use Command-Option-I. This opens the Developer Tools interface.
  3. Use Ctrl-Shift-P to open the run box. On Mac, you use Command-Shift-P instead.
  4. Type screenshot and select capture full size screenshot.
  5. Chrome saves the screenshot to the local system.

Bonus Tip: Android

Android capture full webpage

Android’s native screen capturing tool supports full webpage captures. You may know that you can take a screenshot of the visible screen by pressing the Power and Volume Down buttons at the same time.

Android displays several options afterwards. This includes a a “down” icon. Press it once and Android scrolls down a bit on the webpage and appends more to the screenshot automatically.

Tip: press and hold the icon until the end of the page is reached to create a full webpage screenshot.

Do you take screenshots of webpages? If so, how do you capture them and why? If not, do you use a different method to save information?

Limit: Set daily Time Limits for distracting websites in Chrome

Posted on by Martin Brinkmann

Browser extension Limit promises to keep you focused on important tasks by setting time limits for distracting websites.

We have all been there probably: you need to focus on “something” important on your electronic devices but are distracted all the time. Notifications, chat messages, a quick browse on YouTube, checking your social media feed, or something else. The Internet is full of distractions.

Not everyone has the focus of a Shaolin Monk who keep focused no matter what. Extensions like Limit promise to help you out.

Limit – daily time limits for distracting websites

Limit interface

Limit is a browser extension for Google Chrome and also other Chromium-based browsers. It worked well in Microsoft Edge, Brave, Opera, and Vivaldi during tests.

The core idea behind the extension is to set access limits for certain websites. In other words: you may access the sites for the set limit only on any given day.

The extension is developed by the makers of Freedom. Freedom is the big brother of Limit. It runs system-wide, which means that it can also block distracting apps on supported systems.

Limit comes with a list of preset sites. These include some of the worst offenders when it comes to distractions, including YouTube, Netflix, Reddit, and Facebook. These sites can be removed from the configuration.

There is also an option to add any website. Just open the Settings of the extension, type the domain name, e.g., chipp.in, and activate the “add website” button.

Limit Website Access

Limit displays a notification when a time-limited website is opened. It reminds you of the time limit. Hover over the extension icon in the browser’s interface to get detailed information on the time spent and time left.

Limit blocks access to the website once you reach the set time limit.

Limit reached

Caveats

Limit is provided as a browser extension. It works therefore only in select browsers. While that may be sufficient if you just need a little push in the right direction to remain focused, it is quite easy to bypass the limits.

Apart from changing the daily time limit for the site to get more play time, using another browser is also an option to bypass the restriction.

If that is not enough, there are plenty of additional options available. Access the site using its IP address, use a proxy service, or a screenshot service.

Obviously, since you are in control, you may also uninstall the extension at any time or disable it.

Closing Words

Limit’s main goal of reducing the time spent on distracting websites depends entirely on the user. If you just need a little push, it may work well to keep you focused. If you need a bulletproof option, Limit is not the right extension for you. Freedom might work better, but it is a subscription-based service.

Now You: how do you handle distractions while working?

Cookies

Cookie stealing may soon be a thing of the past

Posted on by Martin Brinkmann

Google is working on a new security feature for the Web that aims to protect users against cookie theft malware better. Called Device Bound Session Credentials (DBSC), its main purpose is to bind cookies to the user’s device.

To better understand this, it is necessary to analyze the current situation. When you sign-in to a web service, a cookie is usually saved to the local system. This session cookie may then be used in future sessions. The effect is that you do not need to sign-in again, as this has been done in the past.

Cookies expire eventually, but until that happens, they may be used. One of the problems that arises is that cookies may also be used on other systems. This is what makes them attractive to criminals. If they manage to get their hands on session cookies, they may access the service without authentication.

A subtype of malware is designed to find and extract cookies from user systems. While this requires access to the user’s system in one way or another, it is a fairly common type of attack.

Device Bound Session Credentials

As the name implies, Device Bound Session Credentials limit cookies to individual devices. If you sign-in to a web service, the boundary is your computer (or a particular application). Anyone stealing the cookie cannot use it to access the account on another device, thanks to the new protective system.

Google explains:

By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value.

Google admits that attackers may still get value out of attacks, but only if they act on the user system thanks to the boundary.

Technically, DBSC uses key pairs that are created when a new session starts. The private key is stored by the operating system and protections such as TPM help protect the keys against attacks. Servers may associate sessions with the public key; this ensures that a session is still on the original device.

Google notes that there is no “persistent user tracking” as sites may not “correlate keys from different sessions”. Keys may also be deleted at any time using the browser, e.g., Chrome’s option to delete site data.

Going forward

Google has open sourced the project and plans to make it a public standard. It is already experimenting with a prototype in Chrome Beta that protects Google Account users. Some companies, including Microsoft, have expressed interest already in DBSC.

You can check out Google’s post on the Chromium blog for an overview or the technical explainer on GitHub for additional information.