      Exploiting Mistyped URLs

      news.movim.eu / Schneier · Thursday, 13 June - 20:04 · 1 minute

    Interesting research: “Hyperlink Hijacking: Exploiting Erroneous URL Links to Phantom Domains”:

    Abstract: Web users often follow hyperlinks hastily, expecting them to be correctly programmed. However, it is possible those links contain typos or other mistakes. By discovering active but erroneous hyperlinks, a malicious actor can spoof a website or service, impersonating the expected content and phishing private information. In “typosquatting,” misspellings of common domains are registered to exploit errors when users mistype a web address. Yet, no prior research has been dedicated to situations where the linking errors of web publishers (i.e. developers and content contributors) propagate to users. We hypothesize that these “hijackable hyperlinks” exist in large quantities with the potential to generate substantial traffic. Analyzing large-scale crawls of the web using high-performance computing, we show the web currently contains active links to more than 572,000 dot-com domains that have never been registered, what we term ‘phantom domains.’ Registering 51 of these, we see 88% of phantom domains exceeding the traffic of a control domain, with up to 10 times more visits. Our analysis shows that these links exist due to 17 common publisher error modes, with the phantom domains they point to free for anyone to purchase and exploit for under $20, representing a low barrier to entry for potential attackers.


      Facebook Is Now Encrypting Links to Prevent URL Stripping

      news.movim.eu / Schneier · Monday, 18 July, 2022 - 14:49

    Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties.

    Mozilla introduced support for URL stripping in Firefox 102, which it launched in June 2022. Firefox removes tracking parameters from web addresses automatically, but only in private browsing mode or when the browser’s Tracking Protection feature is set to strict. Firefox users may enable URL stripping in all Firefox modes, but this requires manual configuration. Brave Browser strips known tracking parameters from web addresses as well.

    Facebook has responded by encrypting the entire URL into a single ciphertext blob.

    Since it is no longer possible to identify the tracking part of the web address, it is no longer possible to remove it from the address automatically. In other words: Facebook has the upper hand in regards to URL-based tracking at the time, and there is little that can be done about it short of finding a way to decrypt the information.


      New Browser De-anonymization Technique

      news.movim.eu / Schneier · Thursday, 14 July, 2022 - 14:31 · 1 minute

    Researchers have a new way to de-anonymize browser users, by correlating their behavior on one account with their behavior on another:

    The findings, which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a particular public identifier, like an email address or social media account, thus linking the visitor to a piece of potentially personal data.

    When you visit a website, the page can capture your IP address, but this doesn’t necessarily give the site owner enough information to individually identify you. Instead, the hack analyzes subtle features of a potential target’s browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. Plus the attacks work against every major browser, including the anonymity-focused Tor Browser.


    “Let’s say you have a forum for underground extremists or activists, and a law enforcement agency has covertly taken control of it,” Curtmola says. “They want to identify the users of this forum but can’t do this directly because the users use pseudonyms. But let’s say that the agency was able to also gather a list of Facebook accounts who are suspected to be users of this forum. They would now be able to correlate whoever visits the forum with a specific Facebook identity.”


      New browser-tracking hack works even when you flush caches or go incognito

      Dan Goodin · news.movim.eu / ArsTechnica · Friday, 19 February, 2021 - 12:54

    The prospect of Web users being tracked by the sites they visit has prompted several countermeasures over the years, including using Privacy Badger or an alternate anti-tracking extension, enabling private or incognito browsing sessions, or clearing cookies. Now, websites have a new way to defeat all three.

    The technique leverages the use of favicons, the tiny icons that websites display in users’ browser tabs and bookmarks lists. Researchers from the University of Chicago said in a new paper that most browsers cache the images in a location that’s separate from the ones used to store site data, browsing history, and cookies. Websites can abuse this arrangement by loading a series of favicons on visitors’ browsers that uniquely identify them over an extended period of time.

    Powerful tracking vector

    “Overall, while favicons have long been considered a simple decorative resource supported by browsers to facilitate websites’ branding, our research demonstrates that they introduce a powerful tracking vector that poses a significant privacy threat to users,” the researchers wrote. They continued:



      Chrome users have faced 3 security concerns over the past 24 hours

      Dan Goodin · news.movim.eu / ArsTechnica · Friday, 5 February, 2021 - 21:21

    Users of Google’s Chrome browser have faced three security concerns over the past 24 hours in the form of a malicious extension with more than 2 million users, a just-fixed zero-day, and new information about how malware can abuse Chrome's sync feature to bypass firewalls. Let’s discuss them one by one.

    First up, the Great Suspender, an extension with more than 2 million downloads from the Chrome Web Store, has been pulled from Google servers and deleted from users’ computers. The extension has been an almost essential tool for users with small amounts of RAM on their devices. Since Chrome tabs are known to consume large amounts of memory, the Great Suspender temporarily suspends tabs that haven’t been opened recently. That allows Chrome to run smoothly on systems with modest resources.

    Characteristically terse

    Google's official reason for the removal is characteristically terse. Messages displayed on devices that had the extension installed say only, “This extension contains malware” along with an indication that it has been removed. A Google spokesman declined to elaborate.



      Malicious Chrome and Edge add-ons had a novel way to hide on 3 million devices

      Dan Goodin · news.movim.eu / ArsTechnica · Wednesday, 3 February, 2021 - 21:09

    In December, Ars reported that as many as 3 million people had been infected by Chrome and Edge browser extensions that stole personal data and redirected users to ad or phishing sites. Now, the researchers who discovered the scam have revealed the lengths the extension developers took to hide their nefarious deeds.

    As previously reported, the 28 extensions available in official Google and Microsoft repositories advertised themselves as a way to download pictures, videos, or other content from sites including Facebook, Instagram, Vimeo, and Spotify. Behind the scenes, they also collected users’ birth dates, email addresses, and device information and redirected clicks and search results to malicious sites. Google and Microsoft eventually removed the extensions.

    Researchers from Prague-based Avast said on Wednesday that the extension developers employed a novel way to hide malicious traffic sent between infected devices and the command and control servers they connected to. Specifically, the extensions funneled commands into the cache-control headers of traffic that was camouflaged to appear as data related to Google Analytics, which websites use to measure visitor interactions.



      How To Enable Hardware Accelerated Video Decode In Google Chrome, Brave, Vivaldi And Opera Browsers On Debian, Ubuntu Or Linux Mint

      news.movim.eu / gadgeteerza-tech-blog · Saturday, 30 January, 2021 - 20:26

    Google Chrome 88 (and newer) has made hardware accelerated video decoding available on Linux, but it's not enabled by default. Google Chrome is not the only Chromium-based web browser to support hardware acceleration on Linux though. This article explains how to enable hardware-accelerated video decoding in Google Chrome, Brave, Vivaldi and Opera web browsers running on Debian, Ubuntu, Pop!_OS or Linux Mint (Xorg only).

    Using hardware-accelerated video decode in your web browser should result in lower CPU usage (and thus less battery drain) when playing online videos.

    See https://www.linuxuprising.com/2021/01/how-to-enable-hardware-accelerated.html



      Chrome and Edge want to help with that password problem of yours

      Dan Goodin · news.movim.eu / ArsTechnica · Friday, 22 January, 2021 - 12:45

    If you’re like lots of people, someone has probably nagged you to use a password manager and you still haven’t heeded the advice. Now, Chrome and Edge are coming to the rescue with beefed-up password management built directly into the browsers.

    Microsoft on Thursday announced a new password generator for the recently released Edge 88. People can use the generator when signing up for a new account or when changing an existing password. The generator provides a drop-down in the password field. Clicking on the candidate selects it as a password and saves it to a password manager built into the browser. People can then have the password pushed to their other devices using the Edge password sync feature.

    As I’ve explained for years, the same things that make passwords memorable and easy to use are the same things that make them easy for others to guess. Password generators are among the safest sources of strong passwords. Rather than having to think up a password that’s truly unique and hard to guess, users can instead have a generator do it properly.



      Firefox v85 will improve its cache partitioning for stronger privacy

      Jim Salter · news.movim.eu / ArsTechnica · Tuesday, 22 December, 2020 - 21:19

    Breaking the browser cache up into separate pools prevents sophisticated timing probes that let one site know whether you're logged into another. (credit: Mozilla / Jim Salter)

    Firefox version 85 will be released in January 2021, and one of its features is increased user privacy via improvements in client-side storage (cache) partitioning. This has been widely and incorrectly reported elsewhere as network partitioning, likely due to confusion around the privacy.partition.network_state flag in Firefox, which allows advanced users to enable or disable cache partitioning as desired.

    What is cache partitioning—and why might I want it?

    In a nutshell, cache partitioning is the process of keeping separate cache pools for separate websites, based on the site requesting the resources loaded, rather than simply on the site providing the resources.

    With a traditional, globally scoped browser cache, you might see behavior like this:
