Introduction
Wow! Wow!! Wow!!!
Hello everyone, how are you doing? It's time for another review, but this one is kind of special; it's our first edition for the year 2025! Let's get to it.
We're not covering many articles. To be precise, we'll cover four. The topics that we'll cover are as follows:
- Privacy (a new topic for you, maybe?)
- Supply chain attack
- Exploit
- Security (or should I say: lack of security?)
Let's begin.
Biggest Privacy Erosion in 10 Years? On Google’s Policy Change Towards Fingerprinting
It's kind of complicated. Here's the heads-up: according to the author, Google went from "we don't support this" to "make it clear when you do it". If that makes your head spin, don't worry, you'll be fine.
Here is what I am talking about:
Google’s policy adjustments now create a troubling contradiction. While IP addresses are explicitly mentioned, the way disclosure requirements are worded raises concerns. Is that the end? Google’s messaging implies that fingerprinting is now acceptable because it is common in the industry.
Several Chrome Extensions Compromised in Supply Chain Attack
The title says it all. For one of the victims, it turns out, the threat actors used a phishing attack to obtain permissions of the developer account, which subsequently allowed them to publish a malicious extension.
Here is more for you:
Purporting to come from the Chrome Web Store, the phishing message was sent to the registered support email, claiming that the extension’s description contained excessive keywords and that it would be removed from the store.
After clicking on the link in the message, the employee was taken through the standard Google authorization process and they inadvertently gave the malicious third-party application permissions to access the developer account.
New "DoubleClickjacking" Exploit Bypasses Clickjacking Protections on Major Websites
Humans are very creative. We implement defense systems to stop attacks; they become industry standard; then we find every possible way to break the defense. If successful, we end up with an article like this one.
From the article:
The disclosure arrives nearly a year after the researcher also demonstrated another clickjacking variant called cross window forgery (aka gesture-jacking) that relies on persuading a victim to press or hold down the Enter key or Space bar on an attacker-controlled website to initiate a malicious action.
On websites like Coinbase and Yahoo!, it could be abused to achieve an account takeover "if a victim that is logged into either site goes to an attacker website and holds the Enter/Space key."
Over 3 million mail servers without encryption exposed to sniffing attacks
As of January 3, 2025, the firm reporting this has suspended the report based on identified false positives. Nonetheless, it's still worrying. How, on the modern internet, is an email server not using encryption?
From the article:
ShadowServer is now notifying mail server operators that their POP3/IMAP servers do not have TLS enabled, exposing users' unencrypted usernames and passwords to sniffing attacks.
"This means that passwords used for mail access may be intercepted by a network sniffer. Additionally, service exposure may enable password guessing attacks against the server," Shadowserver said.
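If you operate a mail server and want to know what Shadowserver would see, the check is what the server advertises before any credentials are sent: IMAP announces `STARTTLS` (and ideally `LOGINDISABLED`, which refuses plaintext login until the connection is upgraded) in its `CAPABILITY` response, and POP3 announces `STLS` in its `CAPA` response. The script below is an added example for this review, not code from the article or from Shadowserver's scanning tooling; it classifies those advertisements and flags servers that offer no TLS at all. The sample responses are constructed for offline use, the function `probe_live` is the same classifier wired to the standard-library `imaplib`/`poplib` clients for a real host, and the verdict names (`NO_TLS`, `TLS_OPTIONAL`, `TLS_ENFORCED`) are this example's own labels.

```python
"""Check whether a POP3/IMAP server advertises TLS before login.

Added example for this review post; not part of the original article or of
Shadowserver's tooling. It reads the capability advertisement a server
returns before credentials are sent and reports whether STARTTLS (IMAP) /
STLS (POP3) is offered and, for IMAP, whether plaintext login is disabled
until the connection is upgraded. Implicit-TLS ports (993/995) are covered
by connecting over TLS directly and are outside this check.
"""
import imaplib
import poplib
from typing import Dict, List, Optional, Set

# Constructed sample responses for offline use (not captured from real hosts).
SAMPLE_RESPONSES: Dict[str, List[str]] = {
    "imap_enforced": ["* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN",
                      "a1 OK CAPABILITY completed"],
    "imap_optional": ["* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN",
                      "a1 OK CAPABILITY completed"],
    "imap_no_tls":   ["* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN",
                      "a1 OK CAPABILITY completed"],
    "pop3_stls":     ["+OK Capability list follows", "TOP", "USER", "STLS", "UIDL", "."],
    "pop3_no_tls":   ["+OK Capability list follows", "TOP", "USER", "UIDL", "."],
}


def parse_imap_capabilities(lines: List[str]) -> Set[str]:
    """Collect the tokens of the untagged '* CAPABILITY ...' response."""
    caps: Set[str] = set()
    for line in lines:
        if line.upper().startswith("* CAPABILITY"):
            caps.update(tok.upper() for tok in line.split()[2:])
    return caps


def parse_pop3_capa(lines: List[str]) -> Set[str]:
    """Collect capability names from a CAPA response (first line is the +OK status, '.' ends it)."""
    caps: Set[str] = set()
    for line in lines[1:]:
        line = line.strip()
        if not line or line == ".":
            continue
        caps.add(line.split()[0].upper())
    return caps


def classify(protocol: str, caps: Set[str]) -> Dict[str, Optional[bool]]:
    """Summarise what the advertisement says about TLS and plaintext authentication."""
    if protocol == "imap":
        return {"tls_offered": "STARTTLS" in caps,
                "plaintext_login": "LOGINDISABLED" not in caps}
    if protocol == "pop3":
        # POP3 has no LOGINDISABLED equivalent; CAPA only tells us whether STLS exists.
        return {"tls_offered": "STLS" in caps, "plaintext_login": None}
    raise ValueError(f"unsupported protocol: {protocol}")


def verdict(summary: Dict[str, Optional[bool]]) -> str:
    """Map the summary to the finding an operator would act on (labels are this example's own)."""
    if not summary["tls_offered"]:
        return "NO_TLS"          # credentials cross the network in clear text
    if summary["plaintext_login"] is False:
        return "TLS_ENFORCED"    # login refused until STARTTLS completes
    return "TLS_OPTIONAL"        # TLS available, but a client may still authenticate in the clear


def assess_samples() -> Dict[str, str]:
    """Run the classifier over the constructed samples; returns name -> verdict."""
    results: Dict[str, str] = {}
    for name, lines in SAMPLE_RESPONSES.items():
        proto = name.split("_")[0]
        caps = parse_imap_capabilities(lines) if proto == "imap" else parse_pop3_capa(lines)
        results[name] = verdict(classify(proto, caps))
    return results


def probe_live(host: str, protocol: str, port: Optional[int] = None, timeout: float = 10) -> str:
    """Ask a real server for its pre-login capabilities (network required; not exercised offline)."""
    if protocol == "imap":
        conn = imaplib.IMAP4(host, port or 143, timeout=timeout)
        try:
            _typ, data = conn.capability()      # data[0] is e.g. b'IMAP4rev1 STARTTLS ...'
            caps = {tok.upper() for tok in data[0].decode("ascii", "replace").split()}
        finally:
            conn.logout()
    elif protocol == "pop3":
        conn = poplib.POP3(host, port or 110, timeout=timeout)
        try:
            caps = {name.upper() for name in conn.capa()}   # capa() returns {name: [args]}
        finally:
            conn.quit()
    else:
        raise ValueError(f"unsupported protocol: {protocol}")
    return verdict(classify(protocol, caps))


if __name__ == "__main__":
    for name, result in assess_samples().items():
        print(f"{name:14s} -> {result}")
```

Run it as-is to see the five constructed samples classified, or call `probe_live("mail.example.com", "imap")` against a host you are responsible for. A `NO_TLS` result on port 110 or 143 is exactly the condition the notification describes; `TLS_OPTIONAL` means the server offers an upgrade but still accepts a plaintext login if a misconfigured client asks for one, so enabling the IMAP `LOGINDISABLED` behaviour (or the POP3 equivalent of refusing `USER`/`PASS` before `STLS`) is the usual follow-up.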
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.