Web of Trust, Downloaded 140M Times, Pulled From Extension Stores After Revelations That It Sells Users’ Data

According to multiple reports, Web of Trust, one of the top privacy and security extensions for web browsers with over 140 million downloads, collects and sells some of the data of its users — and it does so without properly anonymizing it. Upon learning about this, Mozilla, Google and Opera quickly pulled the extension off their respective extension stores.

From a report on The Register: A browser extension which was found to be harvesting users’ browsing histories and selling them to third parties has had its availability pulled from a number of web browsers’ add-on repositories. Last week, an investigative report by journalists at the Hamburg-based German television broadcaster, Norddeutscher Rundfunk (NDR), revealed that Web of Trust Services (WoT) had been harvesting netizens’ web browsing histories through its browser add-on and then selling them to third parties. While WoT claimed it anonymised the data that it sold, the journalists were able to identify more than 50 users from the sample data it acquired from an intermediary. NDR quoted the data protection commissioner of Hamburg, Johannes Caspar, criticising WoT for not adequately establishing whether users consented to the tracking and selling of their browsing data. Those consent issues have resulted in the browser add-on being pulled from the add-on repositories of both Mozilla Firefox and Google Chrome, although those who have already installed the extension in their browsers will need to manually uninstall it to stop their browsing being tracked.


Mozilla Announces Quantum, a New Browser Engine For Firefox

An anonymous reader writes: Mozilla is currently working on a new browser engine called Quantum, which will take parts from the Servo project and create a new core for the Firefox browser. The new engine will replace the aging Gecko, Firefox’ current engine. Mozilla hopes to finish the transition to Quantum (as in Quantum Leap) by the end of 2017. The first versions of Quantum will heavily rely on components from Servo, a browser engine that Mozilla has been sponsoring for the past years, and which shipped its first alpha version this June. In the upcoming year, Mozilla will slowly merge Gecko and Servo components with each new release, slowly removing Gecko’s ancient code, and leaving Quantum’s engine in place.


Opera’s Free VPN, Built Right Into the Browser, Rolls Out For Everyone

Windows/Mac/Linux: A few months ago, Opera launched its own free, built-in VPN, but you could only get it if you manually enabled it in the dev version of the browser. Now, it’s available for everyone in the stable version of Opera.


Run Android 6.0 Marshmallow on Your PC With Android-x86 6.0

This week saw the first stable release of Android-x86 6.0 (marshmallow-x86) — and a new version of Remix OS for PC, a PC-optimized version of Android. Slashdot reader prisoninmate quotes Softpedia: Android-x86 6.0 has been in the works since early this year, and it received a total of two RC (Release Candidate) builds during its entire development cycle, one in June and another in August. After joining the Remix OS team, Chih-Wei Huang now has all the reasons to update and improve its Android-x86 system for the latest Android releases. Therefore, as you might have guessed already, Android-x86 6.0 is the first stable version of the project to be based on Google’s Linux kernel-based Android 6.0 Marshmallow mobile operating system, and includes the most recent AOSP (Android Open Source Project) security updates too. Under the hood, Android-x86 6.0 is using the long-term supported Linux 4.4.20 kernel with an updated graphics stack based on Mesa 12.0.2 3D Graphics Library, and offers support for Samsung’s F2FS file system for SSD drives, better Wi-Fi support after resume and suspend, and initial HDMI audio support.


Google Login Bug Allows Credential Theft

Trailrunner7 writes from a report via On the Wire: Attackers can add an arbitrary page to the end of a Google login flow that can steal users’ credentials, or alternatively, send users an arbitrary file any time a login form is submitted, due to a bug in the login process. A researcher in the UK identified the vulnerability recently and notified Google of it, but Google officials said they don’t consider it a security issue. The bug results from the fact that the Google login page will take a specific, weak GET parameter. Using this bug, an attacker could add an extra step to the end of the login flow that could steal a user’s credentials. For example, the page could mimic an incorrect password dialog and ask the user to re-enter the password. [Aidan Woods, the researcher who discovered the bug,] said an attacker also could send an arbitrary file to the target’s browser any time the login form is submitted. In an email interview, Woods said exploiting the bug is a simple matter. “Attacker would not need to intercept traffic to exploit — they only need to get the user to click a link that they have crafted to exploit the bug in the continue parameter,” Woods said. Google told Woods they don’t consider this a security issue.


Opera warns that its web sync service was hacked

Data breaches happen all too often, but it’s rare that they target your browser’s sync service… and unfortunately, Opera just became one of those exceptions. The company is warning users that it detected a hack in its sync system that may have given intruders access to login details. While your passwords are likely safe (all synced passwords are encrypted, for example), Opera isn’t risking anything. It’s resetting all sync account passwords, and it recommends that you change any linked third-party passwords to be on the safe side. Opera is quick to note that the majority of its 350 million users won’t be affected, since most don’t use sync. However, this still leaves about 1.7 million active users at risk, and there are likely more inactive users who are storing useful passwords. True, it’s doubtful that the breach will lead to serious damage, but this certainly isn’t the kind of news Opera would want following its sale to a Chinese security giant. [Thanks, Kristy] Source: Opera Security


Malvertising Campaign Infected Thousands of Users Per Day For More Than a Year

An anonymous reader writes from a report via Softpedia: Since the summer of 2015, users that surfed 113 major, legitimate websites were subjected to one of the most advanced malvertising campaigns ever discovered, with signs that this might have actually been happening since 2013. Infecting a whopping 22 advertising platforms, the criminal gang behind this campaign used complicated traffic filtering systems to select users ripe for infection, usually with banking trojans. The campaign constantly pulled between 1 and 5 million users per day, infecting thousands, and netting the crooks millions each month. The malicious ads, according to this list, were shown on sites like The New York Times, Le Figaro, The Verge, PCMag, IBTimes, Ars Technica, Daily Mail, Telegraaf, La Gazzetta dello Sport, CBS Sports, Top Gear, Urban Dictionary, Playboy, Answers.com, Sky.com, and more.


Hacker Steals 1.6 Million Accounts From Top Mobile Game’s Forum

Zack Whittaker, reporting for ZDNet: A hacker has targeted the official forum of popular mobile game “Clash of Kings,” making off with close to 1.6 million accounts. The hack was carried out on July 14 by a hacker, who wants to remain nameless, and a copy of the leaked database was provided to breach notification site LeakedSource.com, which allows users to search their usernames and email addresses in a wealth of stolen and hacked data. In a sample given to ZDNet, the database contains (among other things) usernames, email addresses, IP addresses (which can often determine the user’s location), device identifiers, as well as Facebook data and access tokens (if the user signed in with their social account). Passwords stored in the database are hashed and salted. LeakedSource has now added the total 1,597,717 stolen records to its systems.


Malicious computers caught snooping on Tor-anonymized Dark Web sites

[Figure: A map of hidden services directories detected as malicious.]

The trust of the Tor anonymity network is in many cases only as strong as the individual volunteers whose computers form its building blocks. On Friday, researchers said they found at least 110 such machines actively snooping on Dark Web sites that use Tor to mask their operators’ identities. All of the 110 malicious relays were designated as hidden services directories, which store information that end users need to reach the “.onion” addresses that rely on Tor for anonymity. Over a 72-day period that started on February 12, computer scientists at Northeastern University tracked the rogue machines using honeypot .onion addresses they dubbed “honions.” The honions operated like normal hidden services, but their addresses were kept confidential. By tracking the traffic sent to the honions, the researchers were able to identify directories that were behaving in a manner that’s well outside of Tor rules. “Such snooping allows [the malicious directories] to index the hidden services, also visit them, and attack them,” Guevara Noubir, a professor in Northeastern University’s College of Computer and Information Science, wrote in an e-mail. “Some of them tried to attack the hidden services (websites using hidden services) through a variety of means including SQL Injection, Cross-Site Scripting (XSS), user enumeration, server load/performance, etc.”


Microsoft trashes Chrome’s battery life

Your choice of web browser can have a tremendous effect on your laptop’s battery life, and Microsoft is determined to prove that its Edge browser is the most efficient of them all… at Google’s expense, of course. The crew in Redmond has posted battery tests showing that Edge lasted longer in web video playback and standardized surfing tests than any other browser (including Opera in low-power mode), and over 3 hours longer than Chrome in the video test. And this is with the current version of Windows 10, Microsoft notes. Edge in Windows’ Anniversary Update should be downright miserly thanks to lower resource usage and tighter restrictions on Flash. Of course, it’s a wise idea to take this (and any other company-run benchmark) with a grain of salt. Most people don’t spend all day watching Netflix on the web, and Microsoft doesn’t mention exactly how long the browsers lasted in the generic browsing test. Also, it conducted the tests on Surface Books. Your mileage is likely to vary with third-party hardware. The company does point to lower overall power consumption based on data from “millions” of Windows 10 PCs, but that will only tell you so much about your own experience. Still, it’s no secret that Chrome is relatively power-hungry. Google’s attempts to improve Chrome’s battery efficiency have only gone so far, and it’s practically common wisdom that you use another browser if you need an extra hour or two of runtime. It’s just important to remember that Microsoft has a strong incentive to trash talk Chrome, and that battery life isn’t always the most important factor. Via: The Verge Source: Windows Experience Blog
