How we fought bad apps and malicious developers in 2019
Posted by Andrew Ahn, Product Manager, Google Play + Android App Safety Google Play connects users with great digital experiences to help them be more productive and entertained, as well as providing app developers with tools to...
Protecting users from insecure downloads in Google Chrome
Posted by Joe DeBlasio, Chrome security team Today we’re announcing that Chrome will gradually ensure that secure (HTTPS) pages only download secure files. In a series of steps outlined below, we’ll start blocking "mixed content downloads" (non-HTTPS downloads started...
Say hello to OpenSK: a fully open-source security key implementation
Posted by Elie Bursztein, Security & Anti-abuse Research Lead, and Jean-Michel Picod, Software Engineer, Google Today, FIDO security keys are reshaping the way online accounts are protected by providing an easy, phishing-resistant form of two-factor authentication (2FA) that is...
Vulnerability Reward Program: 2019 Year in Review
Posted by Natasha Pabrai, Jan Keller, Jessica Lin, Anna Hupa, and Adam Bacchus, Vulnerability Reward Programs at GoogleOur Vulnerability Reward Programs were created to reward researchers for protecting users by telling us about the security bugs they find. Their...
Have an iPhone? Use it to protect your Google Account with the Advanced Protection Program
Posted by Christiaan Brand, Product Manager, Google Cloud and Kaiyu Yan, Software Engineer, GooglePhishing—when an online attacker tries to trick you into giving them your username and password—is one of the most common causes of account compromises. We recently...
Securing open-source: how Google supports the new Kubernetes bug bounty
Posted by Maya Kaczorowski, Product Manager, Container Security and Aaron Small, Product Manager, GKE On-Prem SecurityAt Google, we care deeply about the security of open-source projects, as they’re such a critical part of our infrastructure—and indeed everyone’s. Today, the...
PHA Family Highlights: Bread (and Friends)
Posted by Alec Guertin and Vadim Kotov, Android Security & Privacy Team In this edition of our PHA Family Highlights series we introduce Bread, a large-scale billing fraud family. We first started tracking Bread (also known as Joker)...
Announcing updates to our Patch Rewards program in 2020
Posted by Jan Keller, Technical Program Manager, Security At Google, we strive to make the internet safer and that includes recognizing and rewarding security improvements that are vital to the health of the entire web. In 2020, we are building...
Protecting programmatic access to user data with Binary Authorization for Borg
Posted by Daniel Rebolledo Samper and Mark Lodato, Software Engineers, Security & PrivacyAt Google, the safety of user data is our paramount concern and we strive to protect it comprehensively. That includes protection from insider risk, which is the...
Better password protections in Chrome – How it works
Posted by Patrick Nepper, Kiran C. Nair, Vasilii Sukhanov and Varun Khaneja, Chrome Team Today, we announced better password protections in Chrome, gradually rolling out with release M79. Here are the details of how they work. Warnings about...
Detecting unsafe path access patterns with PathAuditor
Posted by Marta Rożek, Google Summer Intern 2019, and Stephen Röttger, Software Engineer #!/bin/shcat /home/user/fooWhat can go wrong if this command runs as root? Does it change anything if foo is a symbolic link to /etc/shadow? How is the output...
An Update on Android TLS Adoption
Posted by Bram Bonné, Senior Software Engineer, Android Platform Security & Chad Brubaker, Staff Software Engineer, Android Platform Security Android is committed to keeping users, their devices, and their data safe. One of the ways that we keep...
Expanding the Android Security Rewards Program
Posted by Jessica Lin, Android Security TeamThe Android Security Rewards (ASR) program was created in 2015 to reward researchers who find and report security issues to help keep the Android ecosystem safe. Over the past 4 years, we have...
Using a built-in FIDO authenticator on latest-generation Chromebooks
Posted by Christiaan Brand, Product Manager, Google Cloud We previously announced that starting with Chrome 76, most latest-generation Chromebooks gained the option to enable a built-in FIDO authenticator backed by hardware-based Titan security. For supported services (e.g. G Suite, Google...
GWP-ASan: Sampling heap memory error detection in-the-wild
Posted by Vlad Tsyrklevich, Dynamic Tools TeamMemory safety errors, like use-after-frees and out-of-bounds reads/writes, are a leading source of vulnerabilities in C/C++ applications. Despite investments in preventing and detecting these errors in Chrome, over 60% of high severity vulnerabilities...
Sensitive plastic surgery images exposed online
Researchers at VPN advisory company vpnMentor have found yet another online data exposure caused by a misconfigured cloud database.
Lenovo, HP, Dell Peripherals Face Unpatched Firmware Bugs
A lack of proper code-signing verification and authentication for firmware updates opens the door to information disclosure, remote code execution, denial of service and more.
12 hottest new cybersecurity startups at RSA 2020
Starting on February 24, the RSA Conference (RSAC) 2020 gives security vendors old and new a chance to demonstrate their capabilities. The event has become an attractive venue for startups to make their debut. This year’s crop will be...
Hundreds of Millions of PC Components Still Have Hackable Firmware
The lax security of supply chain firmware has been a known concern for years—with precious little progress being made.
Remote Wipe Plugin Bug Hits 200,000+ WordPress Sites
Remote Wipe Plugin Bug Hits 200,000+ WordPress SitesSecurity researchers are warning of a new plugin vulnerability which is exposing over 200,000 WordPress sites to the risk of being remotely wiped by an attacker.
The problem lies with versions 1.3.4 and...
