A vulnerability recently patched by Google in Chrome for Android was an information disclosure bug that was originally reported in 2015, but not patched until the release of Chrome 70 in October 2018, security researchers say.
The issue is that the browser – along with WebView and Chrome Tabs for Android – discloses information about the hardware model, firmware version, and security patch level of the device it is installed on. Applications using Chrome to render web content are also impacted.
Read more about the Chrome for Android vulnerability on SecurityWeek.
A new tech support scam variant was reported in a Google Chrome bug report, which states that once a user visits the page, CPU utilization quickly climbs to 100%. This makes it impossible to close the tab or the browser, or to use the computer properly, until the Chrome process is killed.
An update to Google Chrome’s sign-in mechanism could clear a path to compromising the privacy of users’ browser data, according to a researcher who stumbled across the change. Matthew Green, a cryptographer, noticed his Gmail profile pic strangely and suddenly appearing in his browser window—generally a sign that a user is logged in.
However, he had not affirmatively signed in, which raised a red flag. This led him to look through Google’s last Chrome update (Chrome 69), where he discovered that “every time you log into a Google property, Chrome will automatically sign the browser into your Google account for you.”
Read more about the privacy issues caused by Google’s forced sign-in to Chrome mechanism on Threatpost.