Tuesday, February 18, 2020
Google

How we fought bad apps and malicious developers in 2019

Posted by Andrew Ahn, Product Manager, Google Play + Android App Safety
Google Play connects users with great digital experiences to help them be more productive and entertained, as well as providing app developers with tools to...
Google

Protecting users from insecure downloads in Google Chrome

Posted by Joe DeBlasio, Chrome security team
Today we’re announcing that Chrome will gradually ensure that secure (HTTPS) pages only download secure files. In a series of steps outlined below, we’ll start blocking "mixed content downloads" (non-HTTPS downloads started...
Google

Say hello to OpenSK: a fully open-source security key implementation

Posted by Elie Bursztein, Security & Anti-abuse Research Lead, and Jean-Michel Picod, Software Engineer, Google
Today, FIDO security keys are reshaping the way online accounts are protected by providing an easy, phishing-resistant form of two-factor authentication (2FA) that is...
Google

Vulnerability Reward Program: 2019 Year in Review

Posted by Natasha Pabrai, Jan Keller, Jessica Lin, Anna Hupa, and Adam Bacchus, Vulnerability Reward Programs at Google
Our Vulnerability Reward Programs were created to reward researchers for protecting users by telling us about the security bugs they find. Their...
Google

Have an iPhone? Use it to protect your Google Account with the Advanced Protection Program

Posted by Christiaan Brand, Product Manager, Google Cloud, and Kaiyu Yan, Software Engineer, Google
Phishing—when an online attacker tries to trick you into giving them your username and password—is one of the most common causes of account compromises. We recently...
Google

Securing open-source: how Google supports the new Kubernetes bug bounty

Posted by Maya Kaczorowski, Product Manager, Container Security, and Aaron Small, Product Manager, GKE On-Prem Security
At Google, we care deeply about the security of open-source projects, as they’re such a critical part of our infrastructure—and indeed everyone’s. Today, the...
Google

PHA Family Highlights: Bread (and Friends)

Posted by Alec Guertin and Vadim Kotov, Android Security & Privacy Team
In this edition of our PHA Family Highlights series we introduce Bread, a large-scale billing fraud family. We first started tracking Bread (also known as Joker)...
Google

Announcing updates to our Patch Rewards program in 2020

Posted by Jan Keller, Technical Program Manager, Security
At Google, we strive to make the internet safer, and that includes recognizing and rewarding security improvements that are vital to the health of the entire web. In 2020, we are building...
Google

Protecting programmatic access to user data with Binary Authorization for Borg

Posted by Daniel Rebolledo Samper and Mark Lodato, Software Engineers, Security & Privacy
At Google, the safety of user data is our paramount concern and we strive to protect it comprehensively. That includes protection from insider risk, which is the...
Google

Better password protections in Chrome – How it works

Posted by Patrick Nepper, Kiran C. Nair, Vasilii Sukhanov and Varun Khaneja, Chrome Team
Today, we announced better password protections in Chrome, gradually rolling out with release M79. Here are the details of how they work. Warnings about...
Google

Detecting unsafe path access patterns with PathAuditor

Posted by Marta Rożek, Google Summer Intern 2019, and Stephen Röttger, Software Engineer
#!/bin/sh
cat /home/user/foo
What can go wrong if this command runs as root? Does it change anything if foo is a symbolic link to /etc/shadow? How is the output...
Google

An Update on Android TLS Adoption

Posted by Bram Bonné, Senior Software Engineer, Android Platform Security, and Chad Brubaker, Staff Software Engineer, Android Platform Security
Android is committed to keeping users, their devices, and their data safe. One of the ways that we keep...
Google

Expanding the Android Security Rewards Program

Posted by Jessica Lin, Android Security Team
The Android Security Rewards (ASR) program was created in 2015 to reward researchers who find and report security issues to help keep the Android ecosystem safe. Over the past 4 years, we have...
Google

Using a built-in FIDO authenticator on latest-generation Chromebooks

Posted by Christiaan Brand, Product Manager, Google Cloud
We previously announced that starting with Chrome 76, most latest-generation Chromebooks gained the option to enable a built-in FIDO authenticator backed by hardware-based Titan security. For supported services (e.g. G Suite, Google...
Google

GWP-ASan: Sampling heap memory error detection in-the-wild

Posted by Vlad Tsyrklevich, Dynamic Tools Team
Memory safety errors, like use-after-frees and out-of-bounds reads/writes, are a leading source of vulnerabilities in C/C++ applications. Despite investments in preventing and detecting these errors in Chrome, over 60% of high severity vulnerabilities...

Sensitive plastic surgery images exposed online

Researchers at VPN advisory company vpnMentor have found yet another online data exposure caused by a misconfigured cloud database.

Lenovo, HP, Dell Peripherals Face Unpatched Firmware Bugs

A lack of proper code-signing verification and authentication for firmware updates opens the door to information disclosure, remote code execution, denial of service and more.

12 hottest new cybersecurity startups at RSA 2020

Starting on February 24, the RSA Conference (RSAC) 2020 gives security vendors old and new a chance to demonstrate their capabilities. The event has become an attractive venue for startups to make their debut. This year’s crop will be...

Hundreds of Millions of PC Components Still Have Hackable Firmware

The lax security of supply chain firmware has been a known concern for years—with precious little progress being made.

Remote Wipe Plugin Bug Hits 200,000+ WordPress Sites

Security researchers are warning of a new plugin vulnerability which is exposing over 200,000 WordPress sites to the risk of being remotely wiped by an attacker. The problem lies with versions 1.3.4 and...