Users of Google’s Chrome browser have faced three security concerns over the past 24 hours in the form of a malicious extension with more than 2 million users, a just-fixed zero-day, and new information about how malware can abuse Chrome's sync feature to bypass firewalls. Let’s discuss them one by one.
First up, the Great Suspender, an extension with more than 2 million downloads from the Chrome Web Store, has been pulled from Google servers and deleted from users’ computers. The extension has been an almost essential tool for users with small amounts of RAM on their devices. Since Chrome tabs are known to consume large amounts of memory, the Great Suspender temporarily suspends tabs that haven’t been opened recently. That allows Chrome to run smoothly on systems with modest resources.
Characteristically terse
Google's official reason for the removal is characteristically terse. Messages displayed on devices that had the extension installed say only, “This extension contains malware” along with an indication that it has been removed. A Google spokesman declined to elaborate.
The longer back story is that, as reported in a GitHub thread in November, the original extension developer sold it last June, and it began showing signs of malice under the new ownership. Specifically, the thread said, a new version contained malicious code that tracked users and manipulated Web requests.
The automatic removal has left some users in the lurch because they can no longer easily access suspended tabs. Users in this Reddit thread have devised several ways to recover their tabs.
High-severity zero-day
Next, Google on Thursday released a Chrome update that fixes what the company said was a zero-day vulnerability in the browser. Tracked as CVE-2021-21148, the vulnerability stems from a buffer overflow flaw in V8, Google’s open source JavaScript engine. Google rated the severity as “high.”
Once again, Google provided minimal information about the vulnerability, saying only that the company “is aware of reports that an exploit for CVE-2021-21148 exists in the wild.”
In a post published Friday by security firm Tenable, however, researchers noted that the flaw was reported to Google on January 24, one day before Google’s threat analysis group dropped a bombshell report that hackers sponsored by a nation-state were using a malicious website to infect security researchers with malware. Microsoft issued its own report speculating that the attack was exploiting a Chrome zero-day.
Google has declined to comment on that speculation or provide further details about exploits of CVE-2021-21148.
Sync abuse
Lastly, a security researcher reported on Thursday that hackers were using malware that abused the Chrome sync feature to bypass firewalls so the malware could connect to command and control servers. Sync allows users to share bookmarks, browser tabs, extensions, and passwords across different devices running Chrome.
The attackers used a malicious extension that wasn’t available in the Chrome Web Store. The above link provides a wealth of technical details.
A Google spokesman said that developers won’t be modifying the sync feature because physically local attacks (meaning those that involve an attacker having access to the computer) are explicitly outside of Chrome's threat model. He included this link, which further explains the reasoning.
None of these concerns means you should ditch Chrome, or even the sync feature. Still, it’s a good idea to check the version of Chrome installed to ensure it’s the latest, 88.0.4324.150.
The usual advice about browser extensions also applies, which is essentially to install them only when they’re truly useful and after vetting the security in user comments. That advice wouldn’t have saved Great Suspender users, however, which is precisely the problem with extensions.
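Two of the checks above, confirming the browser is at the fixed build and looking for extensions that were not installed from the Web Store (the sync-abusing extension was sideloaded, and any extension that wants storage.sync must request the "storage" permission), can be scripted against a copy of a Chrome profile's preferences file. The following is an added example, not code from the article, from Google or from the researcher cited; it assumes the layout of Chrome's per-profile "Preferences"/"Secure Preferences" JSON (extension records under extensions.settings keyed by extension id, each with a boolean from_webstore, an integer location and a copy of the manifest) and the location codes listed in the block. Treat those key names and codes as assumptions to confirm against a real profile and the Chromium source for the build you audit. The sample records are constructed.

```python
"""Defender-side triage for the two checks discussed above.

Added example, not code from the article or from Google. Assumes the
Preferences JSON layout described in the lead-in: extension records live
under extensions.settings keyed by extension id, with "from_webstore",
"location" and a copy of the manifest. Confirm against a real profile.
"""
import json

# Extension install-location codes (assumed values; confirm against the
# Chromium source for the build you audit).
LOCATION_NAMES = {
    1: "internal",       # installed by Chrome itself (normally Web Store)
    4: "unpacked",       # "Load unpacked" from chrome://extensions
    5: "component",      # shipped as part of the browser
    8: "command_line",   # --load-extension=...
}

# Constructed sample: three records in the shape described above.
SAMPLE_PREFS = json.dumps({
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "from_webstore": True, "location": 1,
            "manifest": {"name": "Store extension", "version": "1.2.0",
                         "permissions": ["storage", "tabs"]}},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "from_webstore": False, "location": 4,
            "path": "C:\\Users\\user\\AppData\\Local\\Temp\\ext",
            "manifest": {"name": "Sideloaded helper", "version": "0.1",
                         "permissions": ["storage", "webRequest",
                                         "<all_urls>"]}},
        "cccccccccccccccccccccccccccccccc": {
            "from_webstore": False, "location": 5,
            "manifest": {"name": "Built-in component", "version": "1.0",
                         "permissions": ["storage"]}},
    }}
})


def parse_version(v: str) -> tuple:
    """Turn '88.0.4324.150' into a comparable tuple of ints."""
    return tuple(int(p) for p in v.split("."))


def is_patched(installed: str, fixed: str = "88.0.4324.150") -> bool:
    """True if the installed build is at or above the release that
    shipped the CVE-2021-21148 fix (version from the article)."""
    return parse_version(installed) >= parse_version(fixed)


def find_sideloaded_extensions(prefs_json: str) -> list:
    """Return extensions that did not come from the Web Store and are not
    browser components, noting whether each can reach storage.sync
    (requires the "storage" permission) or alter requests."""
    prefs = json.loads(prefs_json)
    findings = []
    for ext_id, rec in prefs.get("extensions", {}).get("settings", {}).items():
        loc = rec.get("location")
        if rec.get("from_webstore") or loc == 5:
            continue  # Web Store installs and components are out of scope here
        manifest = rec.get("manifest", {})
        perms = set(manifest.get("permissions", []))
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "location": LOCATION_NAMES.get(loc, f"unknown({loc})"),
            "path": rec.get("path"),
            "can_use_storage_sync": "storage" in perms,
            "can_alter_requests": "webRequest" in perms,
        })
    return findings


if __name__ == "__main__":
    print("patched:", is_patched("88.0.4324.150"))
    for finding in find_sideloaded_extensions(SAMPLE_PREFS):
        print(finding)
```

To run it against a real profile, read the profile's Preferences file (on Windows typically under %LOCALAPPDATA%\Google\Chrome\User Data\Default\, a path that may differ by channel and profile) and pass its contents to find_sideloaded_extensions; an unpacked or command-line extension with both "storage" and "webRequest" is the combination worth a closer look given the two incidents described above.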
Besides the intended differences, web browsers based on Chromium offer an underlying experience that’s mostly identical to Chrome. Google recently discovered that users of third-party Chromium browsers have inadvertently been able to access data and other sync features reserved for Chrome.
“Some” Chromium browsers today can leverage features and APIs that are “only intended for Google’s use.” This includes Click to Call and, notably, Chrome Sync. The latter is responsible for syncing bookmarks, extensions, history, settings, and more across signed-in devices running the first-party browser.
This meant that a small fraction of users could sign into their Google Account and store their personal Chrome sync data, such as bookmarks, not just with Google Chrome, but also with some third-party Chromium based browsers.
As a result, users logged into Google sites on Chromium browsers are able to see their old bookmarks and other data from previous Chrome usage.
This inadvertent access was discovered during a recent audit and Google will be “limiting access to [its] private Chrome APIs” from March 15th.
Guidance for vendors of third-party Chromium based products is available on the Chromium wiki.
Users that have been benefiting from this accidental integration — to keep bookmarks in sync — will not lose any information. Any Chrome data stored locally will remain available, while it’s also still in your Google Account. Meanwhile, Chrome bookmarks remain transferable and can be easily exported to a new browser through existing methods.
As always, users can view and manage their data on the My Google Activity page. They can also download their data from the Google Takeout page, and/or delete it here.