Debian Linux Security Advisory 5802-1 - Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5802-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonNovember 03, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-10487 CVE-2024-10488Security issues were discovered in Chromium which could resultin the execution of arbitrary code, denial of service, or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 130.0.6723.91-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmcoAE8ACgkQZF0CR8NudjeqxQ/9Ez3gP1lKx7QLfaDgGC2gM4hvIArxdDqZoYA51dyoESodokmzVQeJ15uyUhMWs1j46/vpXpPiUv7GJnk4ib8fqw7Ybb2AEY/bJh/TkL9iTTrTbax4I2U8wV/P/QPs/vz/cgLmGP/SwzbRIkudQb9eJZbArC5a0T78wtjb+miOkvC3JDuOSpThuVpk59H4ppXRNht9XV1BlCz8kgtQuR01EMYP0+hochN6h/XzBD9YgZ2BDwltEpMjDzOaqH4la1WmgKgPwovFF0hZXVz4ttxN8elhkS6V8B9tYX0QihEudKe6iAcmzaAGKH+U7mPTacBps3xt5SPTGHwBCJ7uhsDNwePp2Pe0Xq7coKIicFLq9qKeUDipq4PVWD6UzKZ5+UVhoLBayzlBe/3HSmRbBjWsBnQY5ntOAzqK3Q2/m6JhA7PzFFO43UzhVi70wXGZwhDZqeCVEzXUB3xwmzD7vib8rBCBm08Zr73wHWDsq6kbnYDvf1KPlXNio2OS2NlIcBM6AjQgZg5U+4m4EPNSsONSbU9OtEtvVBuWbFISPVCTRFFb2JPK4XGzQ+tdipfZJ3qmhU39IL2NqGncMoZnwTB1w/HutIBwNb6yA8MBvzARLcb3pi3tstg0Yc754a9W6D534BcYiTPcWlgxd+La5RZs+oWvHJ2LKS1saDQ662G8r5A==sXh5-----END PGP SIGNATURE-----

Debian Security Advisory 5802-1

When you download a piece of pirated software, you might also be getting a piece of infostealer malware, and entering a highly complex hacking ecosystem that’s fueling some of the biggest breaches on the planet.

On October 20, a hacker who calls themselves Dark X said they logged in to a server and stole the personal data of 350 million Hot Topic customers. The following day, Dark X listed the data, including alleged emails, addresses, phone numbers, and partial credit card numbers, for sale on an underground forum. The day after that, Dark X said Hot Topic kicked them out.

Dark X told me that the apparent breach, which is possibly the largest hack of a consumer retailer ever, was partly due to luck. They just happened to get login credentials from a developer who had access to Hot Topic’s crown jewels. To prove it, Dark X sent me the developer’s login credentials for Snowflake, a data warehousing tool that hackers have repeatedly targeted recently. Alon Gal from cybersecurity firm Hudson Rock, which first found the link between infostealers and the Hot Topic breach, said he was sent the same set of credentials by the hacker.

The luck part is true. But the claimed Hot Topic hack is also the latest breach directly connected to a sprawling underground industry that has made hacking some of the most important companies in the world child’s play.

AT&T. Ticketmaster. Santander Bank. Neiman Marcus. Electronic Arts. These were not entirely isolated incidents. Instead, they were all hacked thanks to “infostealers,” a type of malware that is designed to pillage passwords and cookies stored in the victim’s browser. In turn, infostealers have given birth to a complex ecosystem that has been allowed to grow in the shadows and where criminals fulfill different roles. There are Russian malware coders continually updating their code; teams of professionals who use glitzy advertising to hire contractors to spread the malware across YouTube, TikTok, or GitHub; and English-speaking teenagers on the other side of the world who then use the harvested credentials to break into corporations. At the end of October, a collaboration of law enforcement agencies announced an operation against two of the world’s most prevalent stealers. But the market has been able to grow and mature so much that now law enforcement action against even one part of it is unlikely to make any lasting dent in the spread of infostealers.

Based on interviews with malware developers, hackers who use the stolen credentials, and a review of manuals that tell new recruits how to spread the malware, 404 Media has mapped out this industry. Its end result is that a download of an innocent-looking piece of software by a single person can lead to a data breach at a multibillion-dollar company, putting Google and other tech giants in an ever-escalating cat-and-mouse game with the malware developers to keep people and companies safe.

“We are professionals in our field and will continue to work on bypassing future Google updates,” an administrator for LummaC2, one of the most popular pieces of infostealer malware, told me in an online chat. “It takes some time, but we have all the resources and knowledge to continue the fight against Chrome.”

**The Stealers**

The infostealer ecosystem starts with the malware itself. Dozens of these exist, with names like Nexus, Aurora, META, and Raccoon. The most widespread infostealer at the moment is one called RedLine, according to cybersecurity firm Recorded Future. Having a prepackaged piece of malware also dramatically lowers the barrier to entry for a budding new hacker. The administrator of LummaC2, which Recorded Future says is in the top 10 of infostealers, said it welcomes both beginner and experienced hackers.

Initially, many of these developers were interested in stealing credentials or keys related to cryptocurrency wallets. Armed with those, hackers could empty a victim’s digital wallets and make a quick buck. Many today still market their tools as being able to steal bitcoin and have even introduced OCR to detect seed phrases in images. But recently those same developers and their associates figured out that all of the other stuff stored in a browser—passwords to the victim’s place of work, for example—could generate a secondary stream of revenue.

“Malware developers and their clients have realized that personal and corporate credentials, such as login details for online accounts, financial data, and other sensitive information, hold substantial value on the black market,” RussianPanda, an independent security researcher who follows infostealers closely, told 404 Media. Infostealer creators pivoted to capture this information too, she said. In essence, the exhaust from cryptocurrency-focused heists has created an entire new industry in its own right that is causing even more destruction across healthcare, tech, and other industries.

Some stealers then sell these collected credentials and cookies, or logs, themselves via bots on Telegram. Telegram, rather than acting as simply a messaging app, provides critical infrastructure for these teams. The entire process from buying to selling stolen logs is automated through Telegram bots. Telegram did not respond to a request for comment.

Infostealers are not especially hard to write, but the malware developers constantly butt heads with engineers inside tech giants, such as Google, who are trying to stop them from stealing users’ credentials.

In July, for example, Google Chrome rolled out an update that was designed to lock applications other than Chrome—including malware—from accessing cookie data. For a moment, Chrome had the upper hand. LummaC2 gave its users some workarounds, but none were a reliable fix. Some malware developers make their grievances known more explicitly. In one update, a pair of infostealers included the phrase “ChromeFuckNewCookies” in their malware’s code.

“It's a little bit of a cat and mouse, but we think that this is a game that we want to play as much as we can if the outcomes remain positive,” Will Harris, staff software engineer on Google Chrome, said. “We want to protect users, obviously, as much as we can.” That doesn’t just come in securing Chrome itself and protecting more data from infostealers. It also includes “disruption,” such as more researchers writing about infostealers’ particular techniques, which in turn constrains the tools available to the malware developers. Releasing updates one by one on a regular basis, rather than all at once, can also disrupt the malware developers. Instead of the criminal coders knowing what they need to fix all in one go, they can never be quite sure what Google is going to clamp down on next, wasting more of their time.

After one update, a lot of the customers of a stealer were “extremely upset, and they \[the malware makers\] had to work nights on coming up with a bypass,” Harris said. He added that one stealer, called Vidar, increased the cost of its tool too. “We have to stay agile here. I mean the infostealers are moving fast on this as well, and we want to be keeping up with them, and I think we are able to in this case,” he said.

He also pointed specifically to Microsoft Windows. “When you compare Windows with, say, Android, or with ChromeOS, or even macOS, those platforms have this strong application isolation.” Meaning, that malware has a harder time stealing data from other parts of the system. “We noticed on Windows, which was obviously a major platform for us, that these protections didn’t exist.”

In an email, a Microsoft spokesperson said, “In addition to the hardware-backed baseline requirements for all Windows PCs—such as, TPM, Secure Boot, and virtualization-based security, there are many security features now enabled by default in Win11 which makes it more difficult for info-stealers. Our guidance is that users should run as Standard User and not Admin on their Windows device. Running standard user means users (and apps being used by users) can make changes to their computer but do not have full system access by default, so that info stealers will not have the full access required to make it easy to steal the data that they are after.”

Infostealer malware for Mac does exist, but to a much smaller degree, according to Recorded Future.

A malware creator may have an effective piece of software in their hands. But ultimately getting that software onto victims’ computers is the job of someone else.

**The Traffers**

With electronic rap music playing in the background, a man stretches his hands forward and leans back into a chair. The camera pans around their alleged apartment: huge floor-to-ceiling windows in a large dining room, wood-paneled floors, and a funky chandelier. In another shot the man opens a laptop, types away, and then takes a sip of what looks like whiskey. The implication: This could be you if we work together.

This is one of a dizzying number of adverts on an underground forum called Lolz where “traffers” gather to look for new recruits. In this case, the man in the video is looking for people to push a fake casino tool that can steal people’s funds. But much of the rest of the “traffers” section is dedicated to proliferating infostealers. The job of these contractors is to help spread the malware or get them traffic, with teams vying for attention in a crowded marketplace. Each tries to one-up the other with outrageous advertising and branding. They use names such as “Billionaire Boys Club,” “Baphomet,” and “Chemodan.” Their adverts include animated GIFs of computer-generated luxury cars or private jets. Another for “Cryptoland Team” shows a knight in armor looking down at a skeleton in a hood writing on parchment paper. Cryptoland Team say they work with LummaC2 and another stealer called Rhadamanthys.

“Payment by logs or money. We give you a choice: Either you take the logs, or we buy them,” one advert from a team called Baphomet, with satanic branding, says.

Each lists the brand of infostealer they use, what split of the profits a collaborator can expect, and whether they allow an associate to take any extra exfiltrated logs. And most explicitly say that anyone they work with is prohibited from targeting the Commonwealth of Independent States (СНГ), or former members of the Soviet Union, which includes Belarus, Ukraine, and Russia. Collaborators then leave reviews and screenshots proving they’ve made money working with the team.

Many of these teams take new applications via their own Telegram bots. Some are strict in that they only want to work with people who are already experienced, while others seemingly take anyone on board. 404 Media was able to easily pass an application process for two traffer teams by answering some basic questions. After that, the bots sent links to the teams’ respective manuals, which lay out how to spread the malware.

One manual from Baphomet, for example, recommends bundling the stealer into cheating software for Roblox. It then describes how to set up a YouTube video advertising the cheat, and by extension, help propagate the malware.

Another advert from a traffer team says it works with TikTok, Telegram, Instagram, Twitter, Facebook, YouTube, YouTube Shorts, email newsletters, bloggers, and influencers. In the video of the hacker drinking whiskey, at one point his laptop shows a page on TikTok. Many of the manuals reflect this and recommend distributing infostealers via other social media sites or point to GitHub as an effective trafficking method.

Some infostealers are also hidden inside cracked or pirated software. One reason they’re so effective is that users are seeking the software out, not the other way around. People are actively searching for free software, be damned about the consequences.

A Google spokesperson said in an email, “We have policies in place to prevent spam, scams, or other deceptive practices that take advantage of the YouTube community. This includes prohibiting content where the main purpose is to trick others into leaving YouTube for another site.”

Meta did not respond to a request for comment. TikTok acknowledged a request but did not provide a response in time for publication.

And these traffers and others are clearly successful on a massive scale. Recorded Future says it sees 250,000 new infostealer infections every day.

**The Channels and Sites**

The harvested credentials are then fed into Telegram channels, where a tsunami of cookies and logins are available for purchase. The administrator for LummaC2 told me “This brings us good income, but I am not ready to disclose specific amounts,” referring to selling the stolen logs. Testing out the Telegram bot, it’s possible to filter by country, the number of cookies, or passwords available. 404 Media saw many U.S. logs available for sale. Over the past few weeks, some of these Telegram channels have been deleted. Telegram did not respond to a request for comment asking if it had taken action against them.

These, in turn, have their own branding, much like the traffers. Many channels also distribute stolen credentials for free, likely in an attempt to advertise their paid offerings. Even the freely available credentials can be devastating for a targeted organization. Earlier this year, a security researcher used exposed logins to compromise a server belonging to AU10TIX, an identity verification company that works with TikTok, Uber, and X. Those credentials came from a free stream available on Telegram, the researcher showed 404 Media at the time.

Some websites are also dedicated to, or have sections for, selling infostealer logs. Genesis Market is a site where the hackers responsible for the 2021 breach of Electronic Arts sourced a login token for the company’s Slack. In 2023, authorities shut down Genesis Market. But much of the credential selling has moved over to another long-running site, Russian Market, according to Recorded Future.

And this is where the hackers come in. Judische, the hacker linked to breaches at AT&T, Ticketmaster, and other companies that used Snowflake, likely lifted stolen credentials from these sorts of feeds and then used those to log into target servers. In some instances, those companies were not using multifactor authentication. But the power of logs is that they can sometimes bypass that extra layer of protection—a cookie can trick a service into thinking the user is trusted, and not prompt them for an extra login code.

Potentially with no idea how the logs were ultimately sourced, some English hackers ask in large group chats for passwords related to targets in particular countries. One I recently saw said they wanted logs for Canadian victims.

When interviewing Dark X, the alleged Hot Topic hacker, they seemed to sense another potential way to make some money. They mentioned they also sell logs.

“You wanna buy? haha,” they wrote.

Inside the Massive Crime Industry That’s Hacking Billion-Dollar Companies

A list of topics we covered in the week of October 28 to November 3 of 2024

November 1, 2024 - Fraudsters running the Phish 'n Ships campaign infected legitimate website and used SEO poisoning to redirect shoppers to their fake web shops

October 31, 2024 - Android malware FakeCall can intercept calls to the bank on infected devices and redirect the target to the criminals.

October 30, 2024 - Chrome issued a security update that patches two critical vulnerabilities. One of which was reported by Apple

October 29, 2024 - Apple has issued patches for several of its operating systems. The ones for iOS and iPadOS deserve your immediate attention.

October 28, 2024 - There is a whole ecosystem behind the sales and distribution of counterfeit goods. Best to stay away from them.

 A week in security (October 28 &#8211; November 3) 

**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

130.0.2849.68

10/31/2024

130.0.6723.91/.92

CVE-2024-10488: Chromium: CVE-2024-10488 Use after free in WebRTC

CVE-2024-10487: Chromium: CVE-2024-10487: Out of bounds write in Dawn

Threat actors in North Korea have been implicated in a recent incident that deployed a known ransomware family called Play, underscoring their financial motivations.
The activity, observed between May and September 2024, has been attributed to a threat actor tracked as Jumpy Pisces, which is also known as Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy,

Ransomware / Threat Intelligence

Threat actors in North Korea have been implicated in a recent incident that deployed a known ransomware family called Play, underscoring their financial motivations.

The activity, observed between May and September 2024, has been attributed to a threat actor tracked as **Jumpy Pisces**, which is also known as Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima, and Stonefly.

"We believe with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group," Palo Alto Networks Unit 42 said in a new report published today.

"This incident is significant because it marks the first recorded collaboration between the Jumpy Pisces North Korean state-sponsored group and an underground ransomware network."

Andariel, active since at least 2009, is affiliated with North Korea's Reconnaissance General Bureau (RGB). It has been previously observed deploying two other ransomware strains known as SHATTEREDGLASS and Maui.

Earlier this month, Symantec, part of Broadcom, noted that three different organizations in the U.S. were targeted by the state-sponsored hacking crew in August 2024 as part of a likely financially motivated attack, even though no ransomware was deployed on their networks.

Play, on the other hand, is a ransomware operation that's believed to have impacted approximately 300 organizations as of October 2023. It is also known as Balloonfly, Fiddling Scorpius, and PlayCrypt.

While cybersecurity firm Adlumin revealed late last year that the operation may have transitioned to a ransomware-as-a-service (RaaS) model, the threat actors behind Play have since announced on their dark web data leak site that it's not the case.

In the incident investigated by Unit 42, Andariel is believed to gained initial access via a compromised user account in May 2024, followed by undertaking lateral movement and persistence activities using the Sliver command-and-control (C2) framework and a bespoke backdoor called Dtrack (aka Valefor and Preft).

"These remote tools continued to communicate with their command-and-control (C2) server until early September," Unit 42 said. "This ultimately led to the deployment of Play ransomware."

The Play ransomware deployment was preceded by an unidentified threat actor infiltrating the network using the same compromised user account, after which they were observed carrying out credential harvesting, privilege escalation, and uninstallation of endpoint detection and response (EDR) sensors, all hallmarks of pre-ransomware activities.

Also utilized as part of the attack was a trojanized binary that's capable of harvesting web browser history, auto-fill information, and credit card details for Google Chrome, Microsoft Edge, and Brave.

The use of the compromised user account by both Andariel and Play Asia, the connection between the two intrusion sets stems from the fact that communication with the Sliver C2 server (172.96.137\[.\]224) remained ongoing until the day before ransomware deployment. The C2 IP address has been offline since the day the deployment took place.

"It remains unclear whether Jumpy Pisces has officially become an affiliate for Play ransomware or if they acted as an IAB \[initial access broker\] by selling network access to Play ransomware actors," Unit 42 concluded. "If Play ransomware does not provide a RaaS ecosystem as it claims, Jumpy Pisces might only have acted as an IAB."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack

Chrome issued a security update that patches two critical vulnerabilities. One of which was reported by Apple

Google has released an update for its Chrome browser which includes patches for two critical vulnerabilities.

The update brings the Stable channel to versions 130.0.6723.91/.92 for Windows and Mac and 130.0.6723.91 for Linux.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click **Settings > About Chrome**. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is restart the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

Chrome is up to date

This update is crucial as it addresses two major security vulnerabilities. Previous Chrome vulnerabilities reported by Apple turned out to be exploited by a commercial spyware vendor.

**Technical details**

One of the vulnerabilities was reported to Google by Apple Security Engineering and Architecture (SEAR), which reported the issue on October 23, 2024. This vulnerability, tracked as CVE-2024-10487, can be used by cybercriminals as a drive-by download. That means that a victim’s device could be compromised just by visiting a malicious website or advertisement.

The vulnerability was found in Dawn, an open source and cross-platform implementation of the WebGPU\-standard. WebGPU is a JavaScript Application Programming Interface (API) provided by a web browser that enables webpage scripts to use a device’s graphics processing unit (GPU).

In this case, the discovered vulnerability could allow attackers to write data beyond the allocated memory, potentially leading to code execution or system crashes.

The other vulnerability, tracked as CVE-2024-10488, was reported by researcher Cassidy Kim. That vulnerability in Chrome’s WebRTC (Web Real-Time Communication) component could lead to the execution of arbitrary code or cause a crash. It could be used for potential data theft or system crashes.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Patch now! New Chrome update for two critical vulnerabilities 

Using a malicious Chrome extension, researchers showed how an attacker could use a now-fixed bug to inject custom code into a victim's Opera browser to exploit special and powerful APIs, used by developers and typically saved for only the most trusted sites.

Source: Tierfotoagentur via Alamy Stock Photo

Researchers have uncovered a fresh browser attack that compromises "private" application programming interfaces (APIs) in Opera to allow carte blanche over victims' browsers.

Browser APIs provide a bridge between Web applications and browser functionalities — including those related to security, storage, performance optimization, geolocation, and more — enabling the websites you visit to provide better, more robust features and experiences. Most browser APIs are publicly known, available to all, and rigorously reviewed.

Companies, however, have a habit of giving special permissions to their own preferred apps and sites. The Opera browser, for example, saves "private" APIs for several preferred third-party domains — such as Instagram, Atlassian, and Russia's Yandex and VK — as well as its own internal development domains, and those that are publicly reachable in the production version of the browser.

These private APIs may be useful for developers, but researchers from Guardio demonstrated how they could be accessed by hackers, too, allowing cyberattackers an array of powers imaginable from a browser: changing settings, hijacking accounts, disabling security extensions, adding further malicious extensions, and more. They did so with a canine-themed proof-of-concept attack they called "CrossBarking."

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

**CrossBarking Opera Browser Attack**

The goal of CrossBarking is to run malicious code in the context of sites with access to those powerful, private APIs. To do that, one could make use of, for example, a cross-site scripting (XSS) vulnerability. Or, even easier, a malicious browser extension.

Getting a malicious extension onto Opera is no small feat. Many a developer has complained about just how drawn out its manual review process can be — taking months or even years in some cases. The upside is the comfort that Opera's 350 million active users enjoy: that the extensions they add to their browsers have been well and thoroughly vetted.

That isn't as much the case, however, for Chrome extensions, which Opera allows its users to download. Chrome add-ons undergo a largely automated review process, and might go live within just hours or days of being submitted for approval.

So, to leverage privileged Opera sites, Guardio researchers developed a Chrome extension, not an Opera one. They designed it to add pictures of puppies to webpages — a guise for running scripts on any given site — and covered its maliciousness enough to get approved on the Chrome store. If a puppy-loving Opera user adopted the extension and visited a site with private API access, it would perform a direct script injection attack to run malicious code and gain access to any powers afforded by those private APIs.

Related:When Cybersecurity Tools Backfire

To demonstrate the full breadth of power afforded by CrossBarking, Guardio researchers targeted the settingsPrivate API, which allows for reading and editing any available browser settings. They used settingsPrivate to change a hypothetical victim's Domain Name System (DNS) settings, funneling all of their browser activity through a malicious DNS server. From there, the researchers had full view into the victim's browsing activity, plus the ability to manipulate the content of webpages or redirect the victim to malicious pages.

"You could almost take control over the entire browser, and the computer hosting it," explains Nati Tal, head of Guardio Labs. Though his PoC focused on changing a specific browser setting, "in the same way, you can change any other setting. There are many more APIs to hack — \[we didn't\] have enough time to check all of the possibilities."

**Security vs. Functionality in Browser APIs**

In the eternal struggle between functionality and security, browser developers will not easily part with the special APIs that allow them powers beyond those afforded to the hoi polloi. That applies to Opera, and other browsers as well. In May, Guardio discovered a not-dissimilar issue with a private API used for marketing in another Chromium browser, Microsoft Edge.

Related:Recurring Windows Flaw Could Expose User Credentials

To fix the CrossBarking issue, Opera did not do away with its private APIs or its Chrome extension cross-compatibility. On Sept. 24, though, it did adopt a sort of quick-fix solution already implemented in Chrome: blocking the ability of any extension to run scripts on domains with private API access.

"The infrastructure of Chromium is \[such that\] vendors need to take control of their security, and think about all the possible attack vectors there are. There are so many possible vectors," Tal concludes.

He adds: "In this case, again, it wasn't even in their \[app store\]. Opera is not responsible for Chrome Store, but they do allow extensions from there, so they need to think about it as well. \[They have to see\] the entire ecosystem, not only this vulnerability, to keep up with the threat."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'CrossBarking' Attack Targets Secret APIs, Exposes Opera Browser Users

A now-patched security flaw in the Opera web browser could have enabled a malicious extension to gain unauthorized, full access to private APIs.
The attack, codenamed CrossBarking, could have made it possible to conduct actions such as capturing screenshots, modifying browser settings, and account hijacking, Guardio Labs said.
To demonstrate the issue, the company said it managed to publish a

Browser Security / Vulnerability

A now-patched security flaw in the Opera web browser could have enabled a malicious extension to gain unauthorized, full access to private APIs.

The attack, codenamed **CrossBarking**, could have made it possible to conduct actions such as capturing screenshots, modifying browser settings, and account hijacking, Guardio Labs said.

To demonstrate the issue, the company said it managed to publish a seemingly harmless browser extension to the Chrome Web Store that could then exploit the flaw when installed on Opera, making it an instance of a cross-browser-store attack.

"This case study not only highlights the perennial clash between productivity and security but also provides a fascinating glimpse into the tactics used by modern threat actors operating just below the radar," Nati Tal, head of Guardio Labs, said in a report shared with The Hacker News.

The issue has been addressed by Opera as of September 24, 2024, following responsible disclosure. That said, this is not the first time security flaws have been identified in the browser.

Earlier this January, details emerged of a vulnerability tracked as MyFlaw that takes advantage of a legitimate feature called My Flow to execute any file on the underlying operating system.

The latest attack technique hinges on the fact that several of Opera-owned publicly-accessible subdomains have privileged access to private APIs embedded in the browser. These domains are used to support Opera-specific features like Opera Wallet, Pinboard, and others, as well as those that are used in internal development.

The names of some of the domains, which also include certain third-party domains, are listed below -

*   crypto-corner.op-test.net
*   op-test.net
*   gxc.gg
*   opera.atlassian.net
*   pinboard.opera.com
*   instagram.com
*   yandex.com

While sandboxing ensures that the browser context remains isolated from the rest of the operating system, Guardio's research found that content scripts present within a browser extension could be used to inject malicious JavaScript into the overly permissive domains and gain access to the private APIs.

"The content script does have access to the DOM (Document Object Model)," Tal explained. "This includes the ability to dynamically change it, specifically by adding new elements."

Armed with this access, an attacker could take screenshots of all open tabs, extract session cookies to hijack accounts, and even modify a browser's DNS-over-HTTPS (DoH) settings to resolve domains through an attacker-controlled DNS server.

This could then set the stage for potent adversary-in-the-middle (AitM) attacks when victims attempt to visit bank or social media sites by redirecting them to their malicious counterparts instead.

The malicious extension, for its part, could be published as something innocuous to any of the add-on catalogs, including the Google Chrome Web Store, from where users could download and add it to their browsers, effectively triggering the attack. It, however, requires permission to run JavaScript on any web page, particularly the domains that have access to the private APIs.

With rogue browser extensions repeatedly infiltrating the official stores, not to mention some legitimate ones that lack transparency into their data collection practices, the findings underscore the need for caution prior to installing them.

"Browser extensions wield considerable power — for better or for worse," Tal said. "As such, policy enforcers must rigorously monitor them."

"The current review model falls short; we recommend bolstering it with additional manpower and continuous analysis methods that monitor an extension's activity even post-approval. Additionally, enforcing real identity verification for developer accounts is crucial, so simply using a free email and a prepaid credit card is insufficient for registration."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Opera Browser Fixes Big Security Hole That Could Have Exposed Your Information

Find the best VPN for streaming with essential features like high-speed servers, strong encryption, streaming optimization, and broad…

Find the best VPN for streaming with essential features like high-speed servers, strong encryption, streaming optimization, and broad device compatibility. Enjoy seamless access to geo-restricted content securely.

Some geo-restricted content can only be unlocked and streamed using a Virtual Private Network (VPN). A VPN for streaming services allows you to watch content seamlessly while protecting your online identity.

With so many VPNs available, not all perform equally, making it challenging to find the best VPNs without interruptions. In this article, we’ll break down essential features to consider when selecting the top VPNs for streaming.

**Server Locations and Coverage**

An important feature in a streaming VPN is server locations and coverage, which determine the content you can access. Choose a VPN with a wide range of high-speed servers to prevent connectivity issues. A strong network spread across multiple countries will allow access to geo-restricted content. Look for VPN providers that frequently update servers, as this indicates a commitment to maintaining quality.

**Speed and Bandwidth**

To support HD streaming, ensure your VPN offers speeds of at least 100 Mbps, with no bandwidth limits or throttling. A VPN optimized for streaming should minimize buffering and reduce latency for smoother content loading.

****Encryption and Security****

When choosing a VPN for streaming, prioritize strong encryption and security. Look for AES-256 encryption or higher, and support for OpenVPN, IKEv2, and WireGuard protocols. The VPN should also include DNS leak protection to keep your IP address secure. If the VPN connection drops, an automatic internet disconnect feature ensures data remains private. These protections ensure that your data will not be exposed to third parties.

****Streaming Optimization****

Streaming optimization is key. The VPN should be optimized for high-speed, low-latency streaming, with custom protocols tailored to this purpose. Look for features that automatically select the best server for streaming, reducing buffering and enhancing speed.

****Device Compatibility****

Your VPN should support all the devices you plan to connect, including Windows, macOS, iOS, Android, and Linux. Look for compatibility with smart TVs (such as Samsung TV, Android TV, and Apple TV) and gaming consoles (PlayStation, Xbox, Nintendo Switch). It should also work with popular streaming platforms like Roku, Chromecast, and Amazon Fire TV. Browser extensions for Chrome, Firefox, and Safari add versatility, making it easier to stream across multiple devices.

****Simultaneous Connections****

Choose a VPN that supports at least five simultaneous connections. This feature lets you connect multiple devices without altering individual settings, which is convenient for families or business use. Check the VPN documentation for setup guides and confirm compatibility with less common devices like Linux and Chromebook. Additionally, look for split tunneling to configure specific device connections.

****Customer Support****

Reliable customer support is essential when using a VPN for streaming. Quick access to assistance for any issues or questions is critical. Look for providers that offer guides, FAQs, and tutorials for self-help, and a prompt email response time (ideally within 3 hours). Social media support is a plus. Effective customer support indicates a provider’s commitment to user satisfaction and technical support.

****Pricing and Payment Options****

Consider affordability and payment flexibility. Some VPNs offer discounts for long-term plans, free trials, money-back guarantees, and even cryptocurrency options. Make sure you’re getting value for your investment and review refund policies carefully. Look out for hidden fees or sudden price hikes, and ensure pricing transparency before subscribing.

****Logging Policy****

Opt for a VPN with a strict no-logs policy. It should avoid storing IP addresses, tracking online activities, or saving connection metadata. This policy helps ensure your privacy, reduces data breach risks, and underscores the VPN’s commitment to protecting client data.

****Compatibility with Popular Streaming Services****

Ensure the VPN is compatible with major streaming platforms you want to access, such as Netflix, Disney+, Hulu, Amazon Prime Video, HBO Max, and BBC iPlayer. Compatibility with these services ensures a smooth streaming experience and value for your subscription.

****Conclusion****

When selecting a VPN for streaming, consider these key features to make an informed choice. Look for speed, encryption, extensive server locations, streaming optimization, and privacy protections. Ensure the VPN provider doesn’t store user data and that its pricing, support, and device compatibility meet your expectations. Taking these steps will give you the best streaming experience while maintaining your online privacy.

1.  **Everything you need to know about VPN tracking**
2.  **Almost Every Major Free VPN Service is a Glorified Data Farm**
3.  **Surfshark VPN Data Breach Awareness with See-Through Toilet**
4.  **ASUS and NordVPN Partner to Integrate VPN Service into Routers**
5.  **Google Launches Verification Badges for Security Tested VPN Apps**

Tag

#chrome