Tag Archives: comes

Mac Software Mines Cryptocurrency in Exchange for Free Access to Premium Account

Nothing comes for free, especially online.

Would you be okay with allowing a few paid services to mine cryptocurrencies using your system instead of paying the subscription fee?

Most free websites and services often rely on advertising revenue to survive, but now there is a new way to make money—using customers’ computer to generate virtual currencies.

It was found that a scheduling app,

Critical “Same Origin Policy” Bypass Flaw Found in Samsung Android Browser


A critical vulnerability has been discovered in the browser app comes pre-installed on hundreds of millions of Samsung Android devices that could allow an attacker to steal data from browser tabs if the user visits an attacker-controlled site.

Identified as CVE-2017-17692, the vulnerability is Same Origin Policy (SOP) bypass issue that resides in the popular Samsung Internet Browser version and earlier.

The Same Origin Policy or SOP is a security feature applied in modern browsers that is designed to make it possible for web pages from the same website to interact while preventing unrelated sites from interfering with each other.

In other words, the SOP makes sure that the JavaScript code from one origin should not be able to access the properties of a website on another origin.

The SOP bypass vulnerability in the Samsung Internet Browser, discovered by Dhiraj Mishra, could allow a malicious website to steal data, such as passwords or cookies, from the sites opened by the victim in different tabs.

“When the Samsung Internet browser opens a new tab in a given domain (say, google.com) through a Javascript action, that Javascript can come in after the fact and rewrite the contents of that page with whatever it wants,” researchers from security firm Rapid7 explained.

“This is a no-no in browser design since it means that Javascript can violate the Same-Origin Policy, and can direct Javascript actions from one site (controlled by the attacker) to act in the context of another site (the one the attacker is interested in). Essentially, the attacker can insert custom Javascript into any domain, provided the victim user visits the attacker-controlled web page first.”

Attackers can even snag a copy of your session cookie or hijack your session and read and write webmail on your behalf.

Mishra reported the vulnerability to Samsung, and the company replied that “the patch is already preloaded in our upcoming model Galaxy Note 8, and the application will be updated via Apps store update in October.

Meanwhile, Mishra, with the help of Tod Beardsley and Jeffrey Martin from Rapid7 team, also released an exploit for Metasploit Framework.

Rapid7 researchers have also published a video demonstrating the attack.

Since the Metasploit exploit code for the SOP bypass vulnerability in the Samsung Internet Browser is now publicly available, anyone with less technical knowledge can use and exploit the flaw on a large number of Samsung devices, most of which are still using the old Android Stock browser.

Enable Google’s New “Advanced Protection” If You Don’t Want to Get Hacked


It is good to be paranoid when it comes to cybersecurity.

Google already provides various advanced features such as login alerts and two-factor authentication to keep your Google account secure.

However, if you are extra paranoid, Google has just introduced its strongest ever security feature, called “Advanced Protection,” which makes it easier for users, who are usually at high risk of targeted online attacks, to lock down their Google accounts like never before.

“We took this unusual step because there is an overlooked minority of our users that are at particularly high risk of targeted online attacks,” the company said in a blog post announcing the program on Tuesday. 

“For example, these might be campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety.”

Even if a hacker somehow gets your password—using advanced phishing attacks, zero-day exploits or spyware—and tries to access your Google account, they will not be able to get in.

To enable Google’s Advanced Protection feature, you will need two physical security keys that work with FIDO Universal 2nd Factor (U2F)—which offers a hardware-based two-factor authentication that does not require secret codes via SMS or emails.


To log into your Google account from a computer or laptop will require a special USB stick while accessing from a smartphone or tablet will similarly require a Bluetooth-enabled dongle, paired with your phone.

“They [security devices] use public-key cryptography and digital signatures to prove to Google that it’s really you,” the post reads. “An attacker who does not have your Security Key is automatically blocked, even if they have your password.”

Google’s Advanced Protection offer three features to keep your account safe:

  1. Physical Security Key: Signing into your account requires a U2F security key, preventing other people (even with access to your password) from logging into your account.
  2. Limit data access and sharing: Enabling this feature allows only Google apps to get access to your account for now, though other trusted apps will be added over time.
  3. Blocking fraudulent account access: If you lose your U2F security key, the account recovery process will involve additional steps, “including additional reviews and requests for more details about why you’ve lost access to your account” to prevent fraudulent account access.

Advanced Protection feature is not designed for everyone, but only for people, like journalists, government officials and activists, who are at a higher risk of being targeted by government or sophisticated hackers and ready to sacrifice some convenience for substantially increased e-mail protection.

Currently, if you want to enrol in the Advanced Protection Program, you will need Google Chrome, since only Chrome supports the U2F standard for Security Keys. However, the technology expects other browsers to incorporate this feature soon.

Google Adds ESET Malware Detection to Chrome


Google has also made a notable change by partnering with anti-virus software firm ESET to expand the scope of malware detection and protection in its browser through the Chrome Cleanup feature.

Chrome Cleanup now has a malware detection engine from ESET, which works in tandem with Chrome’s sandbox technology.

“We can now detect and remove more unwanted software than ever before, meaning more people can benefit from Chrome Cleanup,” Google said in a blog post published Monday. 

“Note this new sandboxed engine is not a general-purpose antivirus—it only removes software that doesn’t comply with our unwanted software policy.”

You can sign-up for Google’s Advanced Protection here.