Google Chrome, one of the most used browsers with an estimated 3.2 billion users, has recorded around 26 security breaches. Google stated that one of these issues is rated “critical”. Chrome’s vulnerabilities are not often rated “critical”, yet this is already the second one this year. This critical vulnerability is a use-after-free bug in the Safe Browsing feature. Google has also found several ‘Inappropriate implementation’ flaws within Chrome that can be exploited in storage, fenced items and push messaging.
What is a vulnerability?
A vulnerability, in the context of computer security, is a weakness, flaw, or error found within a security system which could compromise a secure network. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database, which helps to share data across separate vulnerability capabilities. The vulnerability that has been rated critical is assigned CVE-2022-0289 and was reported by Sergei Glazunov of Google Project Zero. It does not require any user interaction after the user has visited a malicious website. Any RCE (Remote Code Execution) vulnerability has the power to take over the affected browser and can gain complete access to the system.
What is Use after free (UAF)?
Use after free is a vulnerability that results from the incorrect use of dynamic memory during program execution. If a memory location is freed and the pointer pointing to that memory location isn’t cleared, then an attacker can use that error to manipulate the program and gain access to the system. The total number of use-after-free attacks on Chrome adds up to 60 since September.
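The dangling-pointer pattern described above, next to one common mitigation (generation-checked handles). This is an added example, not code from Chrome or from the original post; the fixed pool, `Handle`, and every function name are hypothetical, and the static pool stands in for the heap so that slot reuse is deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a small static pool stands in for the heap so that
   slot reuse is deterministic and the demo has well-defined behaviour. */
#define SLOTS 4
typedef struct { uint32_t gen; int in_use; char data[16]; } Slot;
typedef struct { uint32_t idx, gen; } Handle;  /* hypothetical checked reference */
static Slot pool[SLOTS];
static int live(Handle h) {   /* handle still refers to the object it was issued for */
    return h.idx < SLOTS && pool[h.idx].in_use && pool[h.idx].gen == h.gen;
}
static Handle pool_alloc(const char *s) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (pool[i].in_use) continue;
        pool[i].in_use = 1;
        /* byte 15 is never written, so data stays NUL-terminated */
        strncpy(pool[i].data, s, sizeof pool[i].data - 1);
        return (Handle){ i, pool[i].gen };
    }
    return (Handle){ SLOTS, 0 };               /* pool exhausted: never live */
}
static void pool_free(Handle h) {
    if (!live(h)) return;                      /* also blocks double free */
    pool[h.idx].in_use = 0;
    pool[h.idx].gen++;                         /* invalidates all older handles */
}
/* Hardened access: a freed or reused slot yields NULL instead of data. */
static const char *pool_get(Handle h) { return live(h) ? pool[h.idx].data : NULL; }
/* Bug pattern: a raw pointer is kept after the object is freed. */
static const char *stale_raw_demo(void) {
    Handle a = pool_alloc("user-session");
    const char *raw = pool[a.idx].data;        /* pointer not cleared on free */
    pool_free(a);
    (void)pool_alloc("other-object");          /* freed slot is reused */
    return raw;                                /* silently reads the new object */
}
static int stale_handle_rejected(void) {
    Handle a = pool_alloc("user-session");
    pool_free(a);
    Handle b = pool_alloc("other-object");     /* same slot, newer generation */
    return pool_get(a) == NULL && pool_get(b) != NULL;
}
int main(void) {
    printf("raw pointer after free reads: %s\n", stale_raw_demo());
    printf("stale handle rejected: %d\n", stale_handle_rejected());
    return 0;
}
```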
What is Safe Browsing?
Safe Browsing is a feature that gives users a warning when they try to browse dangerous sites or download dangerous files. Google has also provided a public API for the Safe Browsing service. If you’re a Chrome user, you should always try to have your Safe Browsing feature enabled. You can find it by clicking Settings > Security and Privacy > Security.
How to protect yourself?
To protect yourself from this issue, Google has responded with an update to Chrome 97. Usually, Chrome updates automatically. But if your Chrome isn’t updated automatically, you can update it manually by clicking Settings > About Chrome or by opening the page chrome://settings/help. If your Chrome browser is listed as 97.0.4692.71 or above, you are safe. If an update is available, Chrome will notify you and start downloading it. Once the update is downloaded, you will have to relaunch the browser.
The year 2021 was a record-breaking year for the number of Chrome hacks and Chrome hacks in 2022 have started rising. It is important to keep your browser up to date.
Stay safe everyone!
This is an excellent article! It’s astonishing to think that the most widely used browser, on which we all conduct our searches, could be vulnerable and a target of these hacks. You described “safe-browsing,” an excellent security feature that warns users when they try to browse unsafe websites or download something that may be harmful to their computers. Users should also erase their browser data and disable sync on a regular basis.
Incredible post, I like how you also include ways to avoid falling victim to these security breaches. As a Chrome user myself, it is unfortunate to see just how vulnerable the browser is. Chrome having been breached 26 times makes me question if my passwords are safe from being stolen. Turning on security mode for your browser is a really good idea, and Chrome also has some add-ons which can provide more security and abort connections to suspicious websites.
Great article, Rohan! I was interested to learn more about Google’s “safe browsing” service after reading your article. What especially caught my eye was the Enhanced Protection, and what exactly Google needs the browsing data sent to them for. I checked out the page you referred to, and it said, “Sends URLS and a small sample of pages, downloads, extension activity, and system information to help discover new threats.” I wonder if the data Google collects to protect us may also be vulnerable in some way. That would be ironic!
Updated my chrome right after reading this!
Who would’ve thought such a large company would have multiple critical vulnerabilities in a single month. Surely the big names like google would test new versions extensively (including pen testing) of their updates before deploying to hundreds of millions of devices?
This post just goes to show that all sized tech companies can make mistakes, and it’s up to individuals to ensure their own cyber security.
Excellent read by the way, very well written and the images were very helpful!
Really interesting post! As someone who regularly uses Chrome, I’ve become slightly worried now with the number of passwords and data I have on there. I’ve always assumed there’s an incredibly low chance a widely used browser like Chrome would have vulnerabilities, but this post has definitely made me change my views a bit. Also, I really liked the “Safe Browsing” tip you shared!
Good ol’ Google Chrome. Seems like I hear about an issue like this every couple of months. After reading this I went and checked my chrome settings and discovered that there is both a standard and enhanced version of safe browsing, the enhanced version saying that it needs to send browsing data to Google. As much as I want to protect myself as best I can, I think I’ll probably stick with just the standard version of safe browsing. I trust myself to stay away from shady websites a little more than I trust Google to not use my data for something I didn’t ask them to. Besides, surely it won’t be that long before another one of these exploits crops up considering Google’s track record. Maybe it’s time to switch browsers altogether?
This was an interesting read! Prior to reading this post, I did not know that there is an option of having a Safe Browsing feature enabled!! I got to know before that chrome has been under attack from all sides this year and now multiple new hacks have been discovered in Google’s popular browser. Having all our passwords and personal information in some of the websites starts to be unsafe. Consequently, I believe that users should start to clear their browser history often to be more safe! Overall amazing work!
Undoubtedly an informative article. I have been using Google Chrome for about 10 years but never knew about these features. However, I experienced that Google Chrome has serious flaws especially in regards to browsing and downloading. Considering an individual a general user, the user may not have this knowledge to ensure security manually on Google Chrome, the Google Chrome should provide the enhanced security systems enabled automatically to give all the users a safe and easy experience. Otherwise, people will just switch to Safari.
This was an interesting topic as I am also a Chrome user. It is shocking to see that around 26 times chrome’s security has been breached. It makes me wonder whether the passwords that I have stored inside the Google password manager are still safe. As a precaution, we can always remove our browser data. Anyways, the tips that you mentioned in your post like “safe-browsing” is an excellent way to warn users when they try to browse unsafe websites or download something that may be harmful to their computers.
I am so surprised after reading this article as I never knew before that my own browser has a feature for safe browsing. I was in a misconception that I am already protected. I have also heard about open source code applications and recently got to know that Google itself is free because it literally sells data to others and earns from those third parties.
Wow, the facts are quite astonishing. I have been using Chrome for quite a long time. I recently came to know about so many security breaches in Google Chrome. I actually did not care about breaches and data leaks. But now that I am earning money and have online bank accounts, I started researching more and more about safe browsing. After some time, I found out that Safari is doing a better job (the articles I saw might be biased or paid). But I did not want to take a chance. Therefore, I made Safari my default browser on my MacBook.
Thanks for the news! I just noticed that my Chrome does not update automatically. I am a Chrome user since the first day I used internet lol. However, because of privacy concern and potential leaks, I’m switching to DuckDuckGo.
This is a great article. Who would have thought a giant tech corporate like Google would leave this many security leaks in their current version. Before, I would feel safe using websites and applications from the top providers, since those were developed by the most talented minds in the industry. However, it seems that no company is immune to internet attacks. I guess when considering digital privacy, it depends more on the user’s awareness rather than the security of providing company. Thank you for your recommendation about Safe Browsing and updating the new patch.
Thanks for sharing! I do not actually use Chrome but a lot of my friends are big fans of this web browser. It is great to know that Chrome provides the update to defend against this certain flaw. And also we should be careful to avoid problems related to Use After Free.
Great share! Before reading this article, Google Chrome has been published over 10 years, I didn’t know there was an option to enable Safe Browsing. Through this article, we should update the chrome version to receive any security protection. Thanks for coming up with this article that brought our attention to the security problem that is around us.
Great post!
There are more and more functions and tools added to the Google Chrome browser. As CPSC students, we all know that if there were too many programs in an application, then there would be many bugs and security breaches, because we are not able to care about everything while programming. I agree with your points in your blog. The maintainers always need to fix the new bugs and new security breaches with the development of an application, so for protecting the information security, the users need to update the application once the new updates are posted. Updating the applications timely is always a good way to protect the users’ privacy and information security.
Users: “You were supposed to provide better internet security to the masses not introduce more security flaws!”
Chrome: “I HATE YOU!”
Users: “You were my default browser Chrome! I loved you.”
Prequel memes aside, this is actually pretty funny. Chrome has rapidly been losing its appeal to me lately. From ever higher RAM usage to odd edge cases and weird system interactions slowing its operation to a halt and only fixing itself on a full system restart, and now adding various security issues on top, it’s getting hard to be on Chrome’s side. The only thing keeping me from switching is years of muscle memory towards booting up Chrome when I need to browse something, and a little bit of integration with other Google services I use frequently like Docs and Drive.
Maybe it’s time to bite the bullet and move to something a little more friendly, but knowing myself personally it’s probably not going to happen. Thanks for the post!