Google Chrome is used by hundreds of millions of people, so it can’t be denied that this is very serious. According to the company, they found out about the hack on January 14th and quickly began taking action, forcing users to change their passwords for all accounts saved in Google Chrome. This is only a temporary measure, though, because experts are now working on a fix.
Google doesn’t know who is behind the attack yet; they only say that it might have been a single person or a group of hackers working together. Officials have found no evidence of data being stolen from Google Chrome accounts, so messages stored in Gmail and messages sent via Hangouts are safe at this point. Your saved bookmarks and passwords in Chrome, as well as your browsing history and any extensions you have installed, are also safe. Remember that if you use Google Chrome for these two tasks, then those files cannot be encrypted by default, or they would not be readable when the user enters his login credentials.
Google executives say that users who might have been affected by the hack will be notified, but for now they are not revealing any information that could allow users to identify the possible victims.
Unfortunately, this isn’t the first time hackers have managed to steal login credentials thanks to a popular browser extension developed by third parties. A recent example is the “Add to Feedly” extension, which was hacked around two weeks ago.
Microsoft’s Internet Explorer is also celebrating its 15th birthday today, but it has problems of its own. A new zero-day flaw in IE that could allow hackers to hijack your PC was revealed some days ago.
It is believed that the vulnerability was found while Google security experts were looking for a zero-day exploit in Windows 8.1 with the help of the Chrome browser, but they found that IE11 is also plagued by an exploitable bug. Google security team member Clement Lecigne has published a proof-of-concept for this zero-day vulnerability, which could allow attackers to gain complete control over your computer if you visit a website that has been set up by hackers to exploit this flaw.
Microsoft hasn’t commented on the vulnerability yet, and neither has security firm FireEye, which discovered and reported it to Microsoft about ten days ago. At this time, there is no patch for the zero-day vulnerability, so we strongly suggest that you not use IE11 until after Microsoft releases a security update for this flaw.
In other news, Google has announced that it will shut down its social network Google+ after a bug was discovered that allowed developers to access data from over 50 million users, despite the fact that they were only meant to gain access to information from their own profiles.
The company says there is no evidence that any outside developer abused this bug, but they are shutting down Google+ regardless in order to prevent further problems in the future. All Google+ APIs have been shut down since the discovery of this bug, so third-party apps cannot access any data from it anymore.
Google says that 90% of user sessions on Google+ last less than five seconds, so the number of users affected by this new bug is actually very low compared to the total.
The company found out about this bug in March but only decided to shut down Google+ because some developers may have used information they gained via it for profit. There seems to be nothing wrong with how Facebook collects user data, but things are different for Google+.
This new bug comes just a few weeks after it was discovered that Android apps and games had abused the OAuth function, which is used to access third-party data on Facebook. OAuth allows app developers to gain access to some of your data so you don’t have to log in every time you use the application, but in this case some developers were using it to access more information than they otherwise would be able to.
Jack Cable, a former security consultant for Facebook, revealed that Android apps and games had abused the OAuth function by sending requests with false data, which tricked Facebook into allowing them full access to users’ accounts. All of this happened without user permission or knowledge, not to mention that in most cases the user wasn’t even aware of what OAuth really is.