Martin Brinkmann writes via gHacks: From next year onward, extensions for Google Chrome and most other Chromium-based browsers, will have to rely on a new extension manifest. Manifest V3 defines the boundaries in which extensions may operate. Current Chromium extensions use Manifest V2 for the most part, even though the January 2023 deadline is looming over the heads of every extension developer. Google is using its might to push Manifest v3, and most Chromium-based browsers, including Microsoft Edge, will follow. [...]

Mozilla announced early on that it will support Manifest v3 as well, but that it would continue to support important APIs that Google limited in Manifest v3. Probably the most important of them all is the WebRequest API. Used by content blockers extensively to filter certain items, it has been replaced by a less powerful option in Manifest v3. While Manifest v3 does not mean the end for content blocking on Chrome, Edge and other Chromium-based browsers, it may limit abilities under certain circumstances. Users who install a single content blocker and no other extension that relies on the same relevant API may not notice much of a change, but those who like to add custom filter lists or use multiple extensions that rely on the API, may run into artificial limits set by Google.

Mozilla reaffirmed this week that its plan has not changed. In "These weeks in Firefox: issue 124," the organization confirms that it will support the WebRequst API of Manifest v2 alongside Manifest v3. Again, a reminder that Mozilla plans to continue support for the Manifest v2 blocking WebRequest API (this API powers, for example, uBlock Origin) while simultaneously supporting Manifest v3.

Framework and Google have announced the new Framework Laptop Chromebook Edition. As the name implies, this is an upgradable, customizable Chromebook from the same company that put out the Framework laptop last year. From a report: User-upgradable laptops are rare enough already, but user-upgradable Chromebooks are nigh unheard of. While the size of the audience for such a device may remain to be seen, it's certainly a step in the right direction for repairability in the laptop space as a whole. Multiple parts of the Framework are user-customizable, though it's not clear whether every part that's adjustable on the Windows Framework can be adjusted on the Chromebook as well. Each part has a QR code on it which, if scanned, brings up the purchase page for the part's replacement. Most excitingly (to me), the Chromebook Edition includes the same expansion card system as the Windows edition, meaning you can choose the ports you want and where to put them. I don't know of any other laptop, Windows or Chrome OS, where you can do this, and it's easily my personal favorite part of Framework's model. You can choose between USB-C, USB-A, microSD, HDMI, DisplayPort, Ethernet, high-speed storage, "and more," per the press release. HDMI, in particular, is a convenient option to have on a Chromebook.

Recent research from the otto-js Research Team has uncovered that data that is being checked by both Microsoft Editor and the enhanced spellcheck setting within Google Chrome is being sent to Microsoft and Google respectively. This data can include usernames, emails, DOB, SSN, and basically anything that is typed into a text box that is checked by these features. Neowin reports: As an additional note, even passwords can be sent by these features, but only when a 'Show Password' button is pressed, which converts the password into visible text, which is then checked. The key issue resolves around sensitive user personally identifiable information (PII), and this is a key concern for enterprise credentials when accessing internal databases and cloud infrastructure.

Some companies are already taking action to prevent this, with both AWS and LastPass security teams confirming that they have mitigated this with an update. The issue has already been dubbed 'spell-jacking'. What's most concerning is that these settings are so easy to enable by users, and could result in data exposure without anyone ever realising it. The team at otto-js ran a test of 30 websites, across a range of sectors, and found that 96.7% of them sent data with PII back to Google and Microsoft. At present, the otto-js Research Team recommends that these extensions and settings are not used until this issue is resolved.

An anonymous reader shares a report: Here's a fun new feature for Chrome for Android: fingerprint-protected Incognito tabs. 9to5Google discovered the feature in the Chrome 105 stable channel, though you'll have to dig deep into the settings to enable it at the moment. If you want to add a little more protection to your private browsing sessions, type "chrome://flags/#incognito-reauthentication-for-android" into the address bar and hit enter. After enabling the flag and restarting Chrome, you should see an option to "Lock Incognito tabs when you leave Chrome." If you leave your Incognito session and come back, an "unlock Incognito" screen will appear instead of your tabs, and you'll be asked for a fingerprint scan.

TechCrunch has learned and Google confirmed the company is slashing projects at its in-house R&D division known as Area 120. From the report: The company on Tuesday informed staff of a "reduction in force" which will see the incubator halved in size, as half the teams working on new product innovations heard their projects were being canceled. Previously, there were 14 projects housed in Area 120, and this has been cut down to just seven. Employees whose projects will not continue were told they'll need to find a new job within Google by the end of January 2023, or they'll be terminated. It's not clear that everyone will be able to do so. According to Area 120 lead Elias Roman, the division aims to sharpen its focus to only AI-first projects, as opposed to its earlier mandate to fuel product incubation across all of Google.

Over the years, the division has launched a number of successful products, including the HTML5 gaming platform GameSnacks, now integrated with Google Chrome; an AirTable rival called Tables which exited to Google Cloud; an A.I.-powered conversational ads platform AdLingo, which also exited to Cloud; video platforms Tangi and Shoploop, which exited to Google Search and Shopping, respectively; the web-based travel app Touring Bird, which exited to Commerce; and a technical interview platform Byteboard, a rare external spinout. One of the projects now being cut with the changes is Qaya, a service offering web storefronts for digital creators, launched late last year.

The other six projects being canceled weren't yet launched, but included a financial accounting project for Google Sheets, another shopping-related product, analytics for AR/VR, and, unfortunately, three climate-related projects. These latter projects had focused on EV car charging maps with routing, carbon accounting for I.T., and carbon measurement of forests. Google confirmed the changes in a statement to TechCrunch: "Area 120 is an in-house incubator for experimental new products. The group regularly starts and stops projects with an eye toward pursuing the most promising opportunities. We've recently shared that Area 120 will be shifting its focus to projects that build on Google's deep investment in AI and have the potential to solve important user problems. As a result, Area 120 is winding down several projects to make way for new work. Impacted team members will receive dedicated support as they explore new projects and opportunities at Google."

An anonymous reader quotes a report from Ars Technica: In a tweet posted this morning, artificial intelligence company Runway teased a new feature of its AI-powered web-based video editor that can edit video from written descriptions, often called "prompts." Runway's "Text to Video" demonstration reel shows a text input box that allows editing commands such as "import city street" (suggesting the video clip already existed) or "make it look more cinematic" (applying an effect). It depicts someone typing "remove object" and selecting a streetlight with a drawing tool that then disappears (from our testing, Runway can already perform a similar effect using its "inpainting" tool, with mixed results). The promotional video also showcases what looks like still-image text-to-image generation similar to Stable Diffusion (note that the video does not depict any of these generated scenes in motion) and demonstrates text overlay, character masking (using its "Green Screen" feature, also already present in Runway), and more.

Video generation promises aside, what seems most novel about Runway's Text to Video announcement is the text-based command interface. Whether video editors will want to work with natural language prompts in the future remains to be seen, but the demonstration shows that people in the video production industry are actively working toward a future in which synthesizing or editing video is as easy as writing a command. [...] Runway is available as a web-based commercial product that runs in the Google Chrome browser for a monthly fee, which includes cloud storage for about $35 per year. But the Text to Video feature is in closed "Early Access" testing, and you can sign up for the waitlist on Runway's website.

Google has released Chrome 105.0.5195.102 for Windows, Mac, and Linux users to address a single high-severity security flaw, the sixth Chrome zero-day exploited in attacks patched this year. From a report: "Google is aware of reports that an exploit for CVE-2022-3075 exists in the wild," the company said in a security advisory published on Friday. This new version is rolling out in the Stable Desktop channel, with Google saying that it will reach the entire user base within a matter of days or weeks. It was available immediately when BleepingComputer checked for new updates by going into the Chrome menu > Help > About Google Chrome. The web browser will also auto-check for new updates and automatically install them after the next launch.

Windows' "Defender" software is supposed to detect malware. But its Microsoft team is now investigating reports that it's mistakenly flagging Electron-based or Chromium-based applications — as malware.

"It's a false positive, and your computer is OK," wites the blog Windows Central: This morning, many people worldwide experienced Microsoft Defender warning them of a recurring virus threat.... People on Reddit are "freaking out" over not just a reported threat from Microsoft Defender but one that keeps popping up and recurring despite the alleged threat being blocked.

The threat is revealed in a pop-up message noting that "Behavior:Win32/Hive.ZY" has been detected and is listed as "severe." However, after taking action to rectify the issue, it does not go away, and the user will keep receiving the same prompt. The reminder may return after 20 seconds, with the cycle repeating endlessly.

This detection appears to be a false positive, according to a Microsoft Support forum... From DaveM121, an Independent Advisor: [I]t is a bug currently being reported by hundreds of people at the moment, it seems to be related to all Chromium based web browsers and Electron based apps like Whatsapp, Discord, Spotify, etc....
Also affected are Google Chrome and even Microsoft Edge, as well as "anything that runs Visual Studio Code," according to the article.

"The problem seems to originate from Defender's Definition/Update Version 1.373.1508.0, meaning Microsoft needs to update that file, and the issue should be resolved."

Google has removed browser extensions with more than 1.4 million downloads from the Chrome Web Store after third-party researchers reported they were surreptitiously tracking users' browsing history and inserting tracking code into specific ecommerce sites they visited. ArsTechnica: The five extensions flagged by McAfee purport to offer various services, including the ability to stream Netflix videos to groups of people, take screenshots, and automatically find and apply coupon codes. Behind the scenes, company researchers said, the extensions kept a running list of each site a user visited and took additional actions when users landed on specific sites. The extensions sent the name of each site visited to the developer-designated site d.langhort.com, along with a unique identifier and the country, city, and zip code of the visiting device. If the site visited matched a list of ecommerce sites, the developer domain instructed the extensions to insert JavaScript into the visited page. The code modified the cookies for the site so that the extension authors receive affiliate payment for any items purchased. To help keep the activity covert, some of the extensions were programmed to wait 15 days after installation before beginning the data collection and code injection.

An anonymous reader quotes a story from the Linux/Open Source news site It's FOSS: While Firefox is still the default web browser in Debian, you can find the Chromium browser in the repositories. Chromium is the open source project upon which Google has built its Chrome web browser. It is also preferred by many Linux users as it provides almost the same features as Google Chrome.

Earlier, Chromium used Google as the default search engine in Debian. However, Debian is going to use DuckDuckGo as the default search engine for Chromium.

It all started when bug report #956012 was filed in April 2020, stating to use DuckDuckGo as the default search engine for the Chromium package. You can see the decision was not taken in any hurry, as the maintainers took more than two years to close the bug report.

The reason for the change goes as stated in the official package update announcement.

Change default search engine to DuckDuckGo for privacy reasons. Set a different search engine under Settings -> Search Engine (closes: #956012).

Google is trying "to make it easier for developers to create Android apps that connect in some way across a range of devices," reports the Verge. Documentation for the software development kit says it will simplify development for "multi-device experiences."

"The Cross device SDK is open-source and will be available for different Android surfaces and non-Android ecosystem devices (Chrome OS, Windows, iOS)," explains the documentation, though the current developer preview only works with Android phones and tablets, according to the Verge.

But they report that Google's new SDK "contains the tools developers need to make their apps play nice across Android devices, and, eventually non-Android phones, tablets, TVs, cars, and more." The SDK is supposed to let developers do three key things with their apps: discover nearby devices, establish secure connections between devices, and host an app's experience across multiple devices. According to Google, its cross-device SDK uses Wi-Fi, Bluetooth, and ultra-wideband to deliver multi-device connectivity.... [I]t could let multiple users on separate devices choose items from a menu when creating a group food order, saving you from passing your phone around the room. It could also let you pick up where you left off in an article when swapping from your phone to a tablet, or even allow the passengers in a car to share a specific map location with the vehicle's navigation system.

It almost sounds like an expansion of Nearby Share, which enables users on Android to transfer files to devices that use Chrome OS and other Androids. In April, Esper's Mishaal Rahman spotted an upcoming Nearby Share update that could let you quickly share files across the devices that you're signed into Google with. Google also said during a CES 2022 keynote that it will bring Nearby Share to Windows devices later this year.
"This SDK abstracts away the intricacies involved with working with device discovery, authentication, and connection protocols," argues Google's blog post, "allowing you to focus on what matters most — building delightful user experiences and connecting these experiences across a variety of form factors and platforms."

Slashdot reader storagedude writes: Hackers are stealing cookies from current or recent web sessions to bypass multi-factor authentication (MFA), according to an eSecurity Planet report.

The attack method, reported by Sophos researchers, is already growing in use. The "cookie-stealing cybercrime spectrum" is broad, the researchers wrote, ranging from "entry-level criminals" to advanced adversaries, using various techniques.

Cybercriminals collect cookies or buy stolen credentials "in bulk" on dark web forums. Ransomware groups also harvest cookies and "their activities may not be detected by simple anti-malware defenses because of their abuse of legitimate executables, both already present and brought along as tools," the researchers wrote.

Browsers allow users to maintain authentication, remember passwords and autofill forms. That might seem convenient, but attackers can exploit this functionality to steal credentials and skip the login challenge.

Behind the scenes, browsers use SQLite database files that contain cookies. These cookies are composed of key-value pairs, and the values often contain critical information such as tokens and expiration dates.

Adversaries know the exact name and location of these files for all major browsers such as Chrome, Firefox, and even Brave, on various operating systems. That's why the attack can be scripted. It's not uncommon to find such scripts along with other modules in info-stealing and other malware.

For example, the latest version of the Emotet botnet targets cookies and credentials stored by browsers, which include saved credit cards. According to the Sophos researchers, "Google's Chrome browser uses the same encryption method to store both multi-factor authentication cookies and credit card data."

To gain initial access, attackers can also perform phishing and spear-phishing campaigns to implant droppers that can deploy cookie-stealer malware stealthily.

The cookies are then used for post-exploitation and lateral movements. Cybercriminals can use them to change passwords and emails associated with user accounts, or trick the victims into downloading additional malware, or even deploy other exploitation tools such as Cobalt Strike and Impacket kit.

Users should not use built-in features to save passwords unless the browser encrypts them with, at least, a master password. It's recommended that users uncheck the setting called "remember passwords," and users should probably not allow persistent sessions as well.

Developers can be part of the problem if they don't secure authentication cookies properly. Such cookies must have a short expiration date. Otherwise, the persistent authentication could turn into a persistent threat. You can have great security processes and still get hacked because the cookies do not have the necessary flags (e.g., HttpOnly, Secure attribute). For example, authentication cookies must be sent using SSL/TLS channels. Otherwise the data could be sent in plain text and attackers would only have to sniff traffic to intercept credentials.

The USB Rubber Ducky "has a new incarnation, released to coincide with the Def Con hacking conference this year," reports The Verge. From the report: To the human eye, the USB Rubber Ducky looks like an unremarkable USB flash drive. Plug it into a computer, though, and the machine sees it as a USB keyboard -- which means it accepts keystroke commands from the device just as if a person was typing them in. The original Rubber Ducky was released over 10 years ago and became a fan favorite among hackers (it was even featured in a Mr. Robot scene). There have been a number of incremental updates since then, but the newest Rubber Ducky makes a leap forward with a set of new features that make it far more flexible and powerful than before.

With the right approach, the possibilities are almost endless. Already, previous versions of the Rubber Ducky could carry out attacks like creating a fake Windows pop-up box to harvest a user's login credentials or causing Chrome to send all saved passwords to an attacker's webserver. But these attacks had to be carefully crafted for specific operating systems and software versions and lacked the flexibility to work across platforms. The newest Rubber Ducky aims to overcome these limitations.

It ships with a major upgrade to the DuckyScript programming language, which is used to create the commands that the Rubber Ducky will enter into a target machine. While previous versions were mostly limited to writing keystroke sequences, DuckyScript 3.0 is a feature-rich language, letting users write functions, store variables, and use logic flow controls (i.e., if this... then that). That means, for example, the new Ducky can run a test to see if it's plugged into a Windows or Mac machine and conditionally execute code appropriate to each one or disable itself if it has been connected to the wrong target. It also can generate pseudorandom numbers and use them to add variable delay between keystrokes for a more human effect. Perhaps most impressively, it can steal data from a target machine by encoding it in binary format and transmitting it through the signals meant to tell a keyboard when the CapsLock or NumLock LEDs should light up. With this method, an attacker could plug it in for a few seconds, tell someone, "Sorry, I guess that USB drive is broken," and take it back with all their passwords saved.

Nvidia is upgrading its GeForce Now game streaming service to support 1440p resolution at 120fps in a Chrome or Edge browser. GeForce Now members on the RTX 3080 tier of the service will be able to access the new browser gameplay options today by selecting 1440p on the GeForce Now web version. From a report: Nvidia originally launched its RTX 3080 GeForce Now membership tier last year, offering streams of up to 1440p resolution with 120fps on PCs and Macs or 4K HDR at 60fps on Nvidia's Shield TV. Previously, you had to download the dedicated Mac or Windows apps to access 1440p resolution and 120fps support, as the web version was limited to 1080p at 60fps.

ChromeOS 104 is rolling out starting today with several big interface updates that improve how you use the operating system. 9to5Google reports: ChromeOS 104 introduces proper dark and light themes that touch every aspect of the user interface. This includes the shelf, app launcher, Files app, and the backgrounds of various settings pages. You can enable the dark theme from the second page of Quick Settings. Google also created wallpapers that "subtly shift from light to dark," depending on the set theme. After updating, you'll notice that the month and day now appear to the left of the time in the shelf. Tapping opens a monthly calendar with the ability to tap a day to see all events, with an additional click opening the Google Calendar PWA. You can see other months and quickly return to "Today." This takes up the same size as Quick Settings, while any available alerts appear just above. Notifications from the same sender are now grouped together, while there are bigger touch targets for alert actions.

The redesigned Launcher that's more compact and does not take up your entire screen is seeing wider availability. Additionally, some might be able to quickly search for Android apps from the Play Store with an inline rating. Version 104 of ChromeOS introduces a more full-featured Gallery app (with a new purple icon) that can open PDFs with the ability to fill out forms, sign documents, and make text annotations, like highlights. There's also a new Wallpaper & style application that's accessed by right-clicking the shelf and selecting the last option. Besides the collections curated by Google, you can set wallpapers from your Google Photos library. There's the ability to select an album and have a new background appear daily. This experience also lets you set the device theme (auto-switching available), and Screen saver with three styles available: Slide show, Feel the breeze, and Float on by.

An anonymous reader quotes a report from Forbes: According to cyber security firm Volexity, the threat research team has found the North Korean 'SharpTongue' group, which appears to be part of, or related to, the Kimsuky advanced persistent threat group, deploying malware called SHARPEXT that doesn't need your Gmail login credentials at all. Instead, it "directly inspects and exfiltrates data" from a Gmail account as the victim browses it. This quickly evolving threat, Volexity says it is already on version 3.0 according to the malware's internal versioning, can steal email from both Gmail and AOL webmail accounts, and works across three browsers: Google Chrome, Microsoft Edge, and a South Korean client called Whale.

The U.S. Cybersecurity & Infrastructure Security Agency, CISA, reports that Kimsuky has been operating since 2012, and is "most likely tasked by the North Korean regime with a global intelligence gathering mission." While CISA sees Kimsuky most often targeting individuals and organizations in South Korea, Japan, and the U. S., Volexity says that the SharpTongue group has frequently been seen targeting South Korea, the U. S. and Europe. The common denominator between them is that the victims often " work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea."

The report says that SHARPEXT differs from previous browser extensions deployed by these hacking espionage groups in that it doesn't attempt to grab login credentials but bypasses the need for these and can grab email data as the user reads it. The good news is that your system needs to be compromised by some means before this malicious extension can be deployed. Unfortunately, we know all too well that system compromise is not as difficult as it should be. Once a system has been compromised by phishing, malware, unpatched vulnerabilities, whatever, the threat actors can install the extension using a malicious VB script that replaces the system preference files. Once that's done and the extension runs quietly in the background, it is tough to detect. The user logs in to their Gmail account from their normal browser on the expected system. The security researchers recommend "enabling and analyzing PowerShell ScriptBlock logging" to detect whether you've been targeted by this attack, reports Forbes. Additionally, they recommend reviewing installed extensions regularly, especially looking for ones you don't recognize or are not available from the Chrome Web Store.

Google was originally planning to get rid of third-party cookies in its browser by 2022, but that was later pushed back to 2023. That cookies deadline for Chrome is now being delayed to 2024. From a report: The Privacy Sandbox is Google's initiative to replace third-party cookies -- as well as cross-site tracking identifiers, fingerprinting, and other covert techniques -- once privacy-conscious alternatives are in place. Since then, Google has been working on new technologies for the past few years and more recently released trials in Chrome for developers to test. Citing "consistent feedback" from partners, Google is "expanding the testing windows for the Privacy Sandbox APIs before we disable third-party cookies in Chrome," with that phase out now set to begin in the second half of 2024.

"Google has released security updates for Google Chrome browser for Windows, Mac and Linux, addressing vulnerabilities that could allow a remote attacker to take control of systems," reports ZDNet: There are 11 fixes in total, including five that are classed as high-severity. As a result, CISA has issued an alert encouraging IT administrators and regular users to install the updates as soon as possible to ensure their systems are not vulnerable to the flaws.

Among the most severe vulnerabilities that are patched by the Google Chrome update is CVE-2022-2477, a vulnerability caused by a use-after-free flaw in Guest View, which could allow a remote attacker to execute arbitrary code on systems or crash them... Another of the vulnerabilities, CVE-2022-2480, relates to a use-after-free flaw in the Service Worker API, which which acts as a proxy server that sit between web applications, the browser and the network in order to improve offline experiences, among other things.

In an upcoming update, Chromebooks equipped with mobile data will be able to serve as a Wi-Fi hotspot for other devices, just like Android and iOS devices can today. 9to5Google reports: The work-in-progress feature has made its first appearance in ChromeOS code in the form of a new flag coming to chrome://flags. The details are quite slim at the moment, with little more than the flag description available today. That said, it's easy to imagine how a mobile hotspot would work on ChromeOS, based on how the same feature works on Android phones today.

Presumably, you would be able to choose the name and password for your Chromebook's hotspot through the Settings app in ChromeOS, where you can also toggle the hotspot on and off. If it truly follows the example of Android, there would also be an easy way to turn on your hotspot through a Quick Settings toggle.

Denmark is effectively banning Google's services in schools, after officials in the municipality of Helsingor were last year ordered to carry out a risk assessment around the processing of personal data by Google. TechCrunch reports: In a verdict published last week, Denmark's data protection agency, Datatilsynet, revealed that data processing involving students using Google's cloud-based Workspace software suite -- which includes Gmail, Google Docs, Calendar and Google Drive -- "does not meet the requirements" of the European Union's GDPR data privacy regulations. Specifically, the authority found that the data processor agreement -- or Google's terms and conditions -- seemingly allow for data to be transferred to other countries for the purpose of providing support, even though the data is ordinarily stored in one of Google's EU data centers.

Google's Chromebook laptops, and by extension Google Workspace, are used in schools across Denmark. But Datatilsynet focused specifically on Helsingor for the risk assessment after the municipality reported a "breach of personal data security" back in 2020. While this latest ruling technically only applies to schools in Helsingor for now, Datatilsynet notes that many of the conclusions it has reached will "probably apply to other municipalities" that use Google Chromebooks and Workspace. It added that it expects these other municipalities "to take relevant steps" off the back of the decision it reached in Helsingor. The ban is effective immediately, but Helsingor has until August 3 to delete user data. A Google spokesperson told TechCrunch in a statement: "We know that students and schools expect the technology they use to be legally compliant, responsible, and safe. That's why for years, Google has invested in privacy best practices and diligent risk assessments, and made our documentation widely available so anyone can see how we help organizations to comply with the GDPR.

Schools own their own data. We only process their data in accordance with our contracts with them. In Workspace for Education, students' data is never used for advertising or other commercial purposes. Independent organizations have audited our services, and we keep our practices under constant review to maintain the highest possible standards of safety and compliance."