<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/27/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Chrome 136 fixes 20-year browser history privacy risk</title><link>https://nsaneforums.com/news/security-privacy-news/chrome-136-fixes-20-year-browser-history-privacy-risk-r28737/</link><description><![CDATA[<p>
	Google is fixing a long-standing privacy issue that, for years, enabled websites to determine users' browsing history through previously visited links.
</p>

<p>
	 
</p>

<p>
	The problem arises from allowing sites to style links with the ':visited' selector, which shows them in another color instead of the default blue if the user has previously clicked on them.
</p>

<p>
	 
</p>

<p>
	The system displays this color change regardless of which site the user was on when they clicked the link, allowing other sites to potentially use creative scripts that leak the user's browsing history.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Overview of the problem" class="ipsImage" height="561" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/April/problem.jpg">
		<figcaption>
			<em>Overview of the problem<br>
			Source: Google</em>
		</figcaption>
	</figure>
</div>

<p>
	The issue isn't just a theoretical privacy concern for users but also introduces a series of real security liabilities that enable tracking, profiling, and phishing.
</p>

<p>
	 
</p>

<p>
	Researchers demonstrated multiple classes of attacks in the past linked to this privacy gap, including <a href="https://www.usenix.org/sites/default/files/conference/protected-files/woot18_slides_smith.pdf" rel="external nofollow" target="_blank">timing</a>, <a href="https://www.bleepingcomputer.com/news/security/hot-pixels-attack-checks-cpu-temp-power-changes-to-steal-data/" rel="external nofollow" target="_blank">pixel</a>, <a href="https://ronmasas.com/posts/the-human-side-channel" rel="external nofollow" target="_blank">user interaction</a>, and <a href="https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/security/side-channel-threat-model.md" rel="external nofollow" target="_blank">process-level</a> attacks.
</p>

<p>
	 
</p>

<p>
	The upcoming release of Google Chrome, version number 136, will finally address the 20-year problem by implementing a <a href="https://developer.chrome.com/blog/visited-links?hl=en" rel="external nofollow" target="_blank">triple-key partitioning</a> of "visited" links.
</p>

<p>
	 
</p>

<p>
	Instead of storing link visits globally, Chrome now partitions each visited link using three keys, namely link URL (link target), top-level site (address bar domain), and frame origin (origin of the frame where the link is rendered).
</p>

<p>
	 
</p>

<p>
	This ensures that a link will only appear as :visited on the same site and in the same frame origin where the user previously clicked it, eliminating cross-site history leaks.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="The implemented solution" class="ipsImage" height="279" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/April/solution.jpg">
		<figcaption>
			<strong>The implemented solution</strong><br>
			<em>Source: Google</em>
		</figcaption>
	</figure>
</div>

<p>
	To preserve usability, Google added a "self-links" exception, so visited links of a site will still be marked as visited on that site even if the user clicked them from a different site.
</p>

<p>
	 
</p>

<p>
	A website already knows which pages the user has visited, so this exception does not introduce an unwanted history leak.
</p>

<p>
	 
</p>

<p>
	Google says completely deprecating the :visited selector would eliminate valuable UX cues, so that was ruled out from <a href="https://github.com/explainers-by-googlers/Partitioning-visited-links-history" rel="external nofollow" target="_blank">the proposal</a>'s goals. Another rejected solution was to use a permissions-based model, as that would be easy to bypass or even abuse by manipulative websites.
</p>

<h2>
	How to enable
</h2>

<p>
	The new :visited isolation was introduced as an experimental feature on Chrome version 132 and is expected to be turned on by default on Chrome 136 (upcoming).
</p>

<p>
	 
</p>

<p>
	From Chrome 132 to 135 (latest), users can enable the feature by entering <strong>chrome://flags/#partition-visited-link-database-with-self-links</strong> in the address bar and setting the option to 'enabled.'
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Enabling the experimental feature on Chrome" class="ipsImage" height="269" style="height: auto;" width="880" src="https://www.bleepstatic.com/images/news/u/1220909/2025/April/enabled.jpg">
		<figcaption>
			<em>Enabling the experimental feature on Chrome<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	The feature isn't stable yet, so it might not work as expected in all situations.
</p>

<p>
	 
</p>

<p>
	On other major browsers, the risk from :visited styles remains partially unaddressed.
</p>

<p>
	 
</p>

<p>
	Firefox <a href="https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_selectors/Privacy_and_the_visited_selector" rel="external nofollow" target="_blank">limits</a> what styles are applied to :visited and blocks JavaScript from reading them, but there's no partitioning to isolate them from sophisticated attack vectors.
</p>

<p>
	 
</p>

<p>
	Safari also <a href="https://clearcode.cc/blog/intelligent-tracking-prevention/" rel="external nofollow" target="_blank">applies restrictions</a> and uses aggressive privacy protections like Intelligent Tracking Prevention, somewhat mitigating the leaks, but there's no partitioning to block all attacks.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/chrome-136-fixes-20-year-browser-history-privacy-risk/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of March): 1,357</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">28737</guid><pubDate>Mon, 14 Apr 2025 18:51:07 +0000</pubDate></item><item><title>TraderTraitor: The Kings of the Crypto Heist</title><link>https://nsaneforums.com/news/security-privacy-news/tradertraitor-the-kings-of-the-crypto-heist-r28734/</link><description><![CDATA[<h3>
	Allegedly responsible for the theft of $1.5 billion in cryptocurrency from a single exchange, North Korea’s TraderTraitor is one of the most sophisticated cybercrime groups in the world.
</h3>

<div class="videostyle">
	<video controls="" preload="metadata" data-controller="core.global.core.embeddedvideo">
		<source type="video/mp4" src="https://media.wired.com/clips/67fd1ec3b33ad380366614ab/master/pass/Trader.mp4">
	</video>
</div>

<p>
	 
</p>

<p>
	<span class="lead-in-text-callout">On February 21,</span> the largest crypto heist ever started to unfold. Hackers <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://x.com/Bybit_Official/status/1892965292931702929" href="https://x.com/Bybit_Official/status/1892965292931702929" rel="external nofollow" target="_blank">gained control of a crypto wallet</a> belonging to the world’s second-largest cryptocurrency exchange, Bybit, and stole almost $1.5 billion of digital tokens. They quickly shunted the money between dozens of cryptocurrency wallets and services to try and obscure the activity, before starting to cash the stolen funds <a href="https://www.bbc.co.uk/news/articles/c2kgndwwd7lo" rel="external nofollow">out</a>.
</p>

<p>
	 
</p>

<p>
	The eye-popping digital raid had all the hallmarks of being conducted by one of North Korea’s elite subgroups of hackers. While Bybit remained solvent by borrowing cryptocurrency and launched a <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.lazarusbounty.com/en/" href="https://www.lazarusbounty.com/en/" rel="external nofollow" target="_blank">bounty scheme to track down</a> the stolen funds, the FBI quickly <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.ic3.gov/psa/2025/psa250226" href="https://www.ic3.gov/psa/2025/psa250226" rel="external nofollow" target="_blank">pinned the blame</a> on the North Korean hackers known as TraderTraitor.
</p>

<p>
	 
</p>

<p>
	Before the Bybit heist, TraderTraitor had already been linked to other high-profile cryptocurrency thefts and compromises of supply chain software.
</p>

<p>
	 
</p>

<p>
	“We were waiting for the next big thing,” says Michael Barnhart, a longtime cybersecurity researcher focused on North Korea and investigator at security firm DTEX Systems. “They didn't go away. They didn’t try to stop. They were clearly plotting and planning—and they’re doing that now,” he says.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/p4x-north-korea-internet-hacker-identity-reveal/" rel="external nofollow">North Korea</a>’s hackers—alongside those from China, Russia, and Iran—are consistently considered to be one of the most sophisticated and most dangerous cyber threats to Western democracies. While all of these countries engage in espionage and theft of sensitive data, North Korea’s cyber operations come with their own set of distinct goals: helping to fund the hermit kingdom’s <a href="https://www.wired.com/story/north-korea-hackers-apt38-cryptocurrency/" rel="external nofollow">nuclear programs</a>. Increasingly, that means stealing cryptocurrency.
</p>

<p>
	 
</p>

<p>
	Over at least the past five years, the totalitarian regime of Kim Jong-un has deployed <a href="https://www.wired.com/story/north-korean-it-scammer-alert/" rel="external nofollow">technically skilled</a> <a href="https://www.wired.com/story/north-korea-it-workers-security-roundup/" rel="external nofollow">IT workers</a> to infiltrate companies <a href="https://cloud.google.com/blog/topics/threat-intelligence/dprk-it-workers-expanding-scope-scale" rel="external nofollow">around the world</a> and earn wages that can be sent back to the motherland. In some cases, after being fired, those workers extort their former employers by threatening to release sensitive data. At the same time, North Korean hackers, as part of the broad umbrella <a href="https://www.bbc.co.uk/programmes/w13xtvg9/episodes/downloads" rel="external nofollow">Lazarus Group</a>, have stolen billions in cryptocurrency from exchanges and companies around the world. TraderTraitor makes up <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/" href="https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/" rel="external nofollow" target="_blank">one part</a> of the wider Lazarus group, which is run out of the Reconnaissance General Bureau, the North Korean intelligence agency.
</p>

<p>
	 
</p>

<p>
	TraderTraitor—which is also referred to as Jade Sleet, Slow Pisces, and UNC4899 <a href="https://www.wired.com/story/hacker-naming-schemes-spandex-tempest/" rel="external nofollow">by security companies</a>—is primarily interested in cryptocurrency.
</p>

<p>
	 
</p>

<p>
	“They use a variety of creative techniques to get into blockchain, cryptocurrency, anything that has to do with platforms, trading forums, all of those different things that are around cryptocurrency and decentralized finance,” says Sherrod DeGrippo, the director of threat intelligence strategy at Microsoft. “The Jade Sleet group [TraderTraitor] is one of the most sophisticated groups within that echelon,” she says.
</p>

<p>
	 
</p>

<p>
	TraderTraitor first emerged around the start of 2022, multiple cybersecurity researchers say, and is likely an offshoot of the North Korean APT38 group that hacked the SWIFT financial system and <a href="https://www.wired.com/story/how-north-korea-robs-banks-around-world/" rel="external nofollow">attempted to steal $1 billion</a> from the Central Bank of Bangladesh at the start of 2016. “They walked off with very little money,” says DTEX Systems’s Barnhart. “In that moment you had a real, significant shift.”
</p>

<p>
	 
</p>

<p>
	Barnhart says North Korea realized that relying on other people—such as money mules—could make their operations less effective. Instead, they could steal cryptocurrency. Two groups emerged from that tactical shift, Barnhart says, CryptoCore and TraderTraitor. “TraderTraitor is the most sophisticated of all,” he says. “And why? Because APT38 was the A team.”
</p>

<p>
	 
</p>

<p>
	Since then, TraderTraitor has been linked to multiple large-scale cryptocurrency thefts in recent years. For instance, the March 2024 theft of $308 million from Japan-based cryptocurrency company DMM has been linked to TraderTraitor by the <a href="https://www.fbi.gov/news/press-releases/fbi-dc3-and-npa-identification-of-north-korean-cyber-actors-tracked-as-tradertraitor-responsible-for-theft-of-308-million-from-bitcoindmmcom" rel="external nofollow">FBI, Department of Defense, and police in Japan</a>.
</p>

<p>
	 
</p>

<p>
	TraderTraitor typically targets people working at Web3 firms using spear-phishing messages—most often, people working on software development. “They know the individuals that work at these companies, they track them, they have profiles on them, they know which trading platforms are doing the most volume. They’re focused on that entire industry, understanding it backwards and forwards,” says Microsoft’s DeGrippo.
</p>

<p>
	 
</p>

<p>
	GitHub, which is owned by Microsoft, highlighted in <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://github.blog/security/vulnerability-research/security-alert-social-engineering-campaign-targets-technology-industry-employees/" href="https://github.blog/security/vulnerability-research/security-alert-social-engineering-campaign-targets-technology-industry-employees/" rel="external nofollow" target="_blank">July 2023</a> how TraderTraitor created fake accounts on the coding platform, plus LinkedIn, Slack, and Telegram. The TraderTraitor criminals can create fake personas that they use to message their targets or use real accounts that have been hacked, GitHub’s research says. In that instance, TraderTraitor invited developers to collaborate on GitHub, before ultimately infecting them with malware using malicious code. Recently, security researchers at Palo Alto Networks’ Unit 42 threat intelligence team found 50 North Korean recruiter profiles on LinkedIn and <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="http://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware" href="http://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware" rel="external nofollow" target="_blank">linked them back to TraderTraitor</a>.
</p>

<p>
	 
</p>

<p>
	The group has been seen using “custom backdoors,” such as <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://thehackernews.com/2025/03/safewallet-confirms-north-korean.html" href="https://thehackernews.com/2025/03/safewallet-confirms-north-korean.html" rel="external nofollow" target="_blank">PLOTTWIST</a> and <a href="https://cloud.google.com/blog/topics/threat-intelligence/north-korea-supply-chain" rel="external nofollow">TIEDYE</a>, that target macOS, says Adrian Hernandez, a senior threat analyst at Google’s Threat Intelligence Group. “These are typically heavily obfuscated to prevent detection and thwart analysis,” Hernandez says. “Once UNC4899 [TraderTraitor] has gained access to valid credentials, we’ve observed this threat actor moving laterally and accessing other accounts to access hosts and systems, keeping a low profile and aiming to evade detection.”
</p>

<p>
	 
</p>

<p>
	Once the North Korean hackers have their hands on cryptocurrency or digital wallets, the money laundering often follows a similar pattern, as cryptocurrency tracing firm Elliptic <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.elliptic.co/blog/bybit-hack-largest-in-history" href="https://www.elliptic.co/blog/bybit-hack-largest-in-history" rel="external nofollow" target="_blank">outlined in a blog post breaking down the Bybit hack</a>. To avoid having cryptocurrency wallets frozen, they quickly swap stolen tokens—which are often issued by centralized entities and can have restrictions placed upon them—for more mainstream cryptocurrency assets like ether and bitcoin that are harder to limit.
</p>

<p>
	 
</p>

<p>
	“The second step of the laundering process is to ‘layer’ the stolen funds in order to attempt to conceal the transaction trail,” Elliptic writes. This means splitting the funds into smaller amounts and sending them to multiple wallets. With Bybit, Elliptic writes, money was sent to 50 different wallets that were then emptied in the coming days. This cryptocurrency is then moved through various cryptocurrency exchanges, converted into bitcoin, and passed through <a href="https://www.wired.com/story/new-crypto-mixer-promises-to-be-tornado-cash-crime/" rel="external nofollow">crypto mixers that aim to obscure crypto transactions</a>.
</p>

<p>
	 
</p>

<p>
	“North Korea is the most sophisticated and well-resourced launderer of crypto assets in existence, continually adapting its techniques to evade identification and seizure of stolen assets,” Elliptic says in its <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.elliptic.co/blog/bybit-hack-largest-in-history" href="https://www.elliptic.co/blog/bybit-hack-largest-in-history" rel="external nofollow" target="_blank">blog post</a>.
</p>

<p>
	 
</p>

<p>
	In addition to cryptocurrency heists, TraderTraitor has been linked to hacks at software supply chain companies, most prominently <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://jumpcloud.com/blog/security-update-incident-details" href="https://jumpcloud.com/blog/security-update-incident-details" rel="external nofollow" target="_blank">JumpCloud</a> <a href="https://cloud.google.com/blog/topics/threat-intelligence/north-korea-supply-chain" rel="external nofollow">in June 2023</a>. Compromising software used by multiple companies may provide the hackers a stealthier way into their intended targets. “That could impact any tech industry, any organization that uses that software,” says Andy Piazza, senior director for threat research at Unit 42.
</p>

<p>
	 
</p>

<p>
	As TraderTraitor has increasingly garnered attention over the past couple of years, Piazza says he has seen the group improve their operations and attempt to evade detection. For example, <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="http://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware" href="http://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware" rel="external nofollow" target="_blank">Unit 42’s recent research</a> noted that TraderTraitor had been using malware the researchers called RN Loader that installs an information stealer and then deletes itself, making it harder to detect.
</p>

<p>
	 
</p>

<p>
	“You can definitely tell that they’re stepping up,” Piazza says.
</p>

<p>
	 
</p>

<p>
	Piazza says that unlike haphazard Russian hacking groups—which were both in the <a href="https://www.wired.com/story/dnc-lawsuit-reveals-key-details-2016-hack/" rel="external nofollow">networks of the DNC simultaneously</a> around 2016—there appears to be more organization with the North Korean groups. “It seems more coordinated that they're not bumping into each other out in the battle space,” Piazza says. “They’re really showing that they have the capability to be focused on that <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.proofpoint.com/uk/threat-reference/operational-security-opsec" href="https://www.proofpoint.com/uk/threat-reference/operational-security-opsec" rel="external nofollow" target="_blank">OPSEC</a>, to be focused on that persistence capability.”
</p>

<p>
	 
</p>

<p>
	North Korea’s hacking operations may be even more complex than many realize. According to Piazza and other experts WIRED spoke to, the crypto hackers and the undercover IT workers may even coordinate. Their tactics show some “overlap,” Piazza says.
</p>

<p>
	 
</p>

<p>
	“If you right now went out onto some type of freelance website and said that you are a brand-new crypto startup and you’re looking for developers before the day is out, you would have North Koreans in your inbox,” Barnhart, the DTEX Systems researcher, says. He says some North Korean hackers can bounce between the country’s different groups, and there’s the possibility that they could also work with or alongside its IT workers. There may be more overlap than people thought, Barnhart says.
</p>

<p>
	 
</p>

<p>
	“Whenever we attribute this [hacking] back to TraderTraitor, was nobody else involved? Did somebody else have a hand in there?”
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/tradertraitor-north-korea-crypto-theft/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28734</guid><pubDate>Mon, 14 Apr 2025 18:43:15 +0000</pubDate></item><item><title>SSL/TLS certificate lifespans reduced to 47 days by 2029</title><link>https://nsaneforums.com/news/security-privacy-news/ssltls-certificate-lifespans-reduced-to-47-days-by-2029-r28733/</link><description><![CDATA[<p>
	The CA/Browser Forum has voted to significantly reduce the lifespan of SSL/TLS certificates over the next 4 years, with a final lifespan of just 47 days starting in 2029.
</p>

<p>
	 
</p>

<p>
	The CA/Browser Forum is a group of certificate authorities (CAs) and software vendors, including browser developers, working together to establish and maintain security standards for digital certificates used in Internet communications.
</p>

<p>
	 
</p>

<p>
	Its members include major CAs like DigiCert and GlobalSign, as well as browser vendors such as Google, Apple, Mozilla, and Microsoft.
</p>

<p>
	 
</p>

<p>
	Earlier this year, <a href="http://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/bvWh5RN6tYI" rel="external nofollow" target="_blank">Apple proposed</a> a motion to reduce certificate lifespans, which Sectigo, the Google Chrome team, and Mozilla endorsed.
</p>

<p>
	 
</p>

<p>
	This proposal would gradually reduce the lifespan of certificates over the next four years from the current 398 days to 47 days in March 2029.
</p>

<p>
	 
</p>

<p>
	The goal is to minimize risks from outdated certificate data, deprecated cryptographic algorithms, and prolonged exposure to compromised credentials. It also encourages companies and developers to utilize automation to renew and rotate TLS certificates, making it less likely that sites will be running on expired certificates.
</p>

<p>
	 
</p>

<p>
	SSL/TLS certificates are digital files that enable secure communication over the internet (HTTPS) by encrypting data and authenticating websites.
</p>

<p>
	 
</p>

<p>
	They encrypt the connection so sensitive data like passwords and credit card data entered on website forms cannot be intercepted by attackers in the middle.
</p>

<p>
	 
</p>

<p>
	These certificates are also used to authenticate the website and guarantee data integrity, meaning the information exchanged between the user and the server hasn't been tampered with.
</p>

<p>
	 
</p>

<p>
	When those certificates expire without renewal, users see a warning on their browser informing them that their connection isn't private or secure.
</p>

<p>
	 
</p>

<p>
	Currently, the lifespan and the Domain Control Validation (DCV) of those certificates is 398 days, but the majority of certificate authorities agreed that this is too long in today's security landscape.
</p>

<p>
	 
</p>

<p>
	With <a href="https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/9768xgUUfhQ?pli=1" rel="external nofollow" target="_blank">25 votes for and none against</a>, the CA/Browser Forum has now ruled to shorten the lifespan as follows:
</p>

<p>
	 
</p>

<ul style="list-style-type:square">
	<li>
		<strong>From March 15, 2026</strong>, certificate lifespan and DCV will be reduced to 200 days
	</li>
	<li>
		<strong>From March 15, 2027</strong>, certificate lifespan and DCV will be reduced to 100 days
	</li>
	<li>
		<strong>From March 15, 2029</strong>, the certificate lifespan will be reduced to 47 days and DCV to 10 days
	</li>
</ul>

<p>
	 
</p>

<p>
	Shortening the certificate lifecycle is bound to introduce management overhead and add a large burden for people who handle multiple domains. However, it is expected to force more frequent revalidation of companies requesting certificates, encourage automation, and ultimately make the ecosystem more agile and secure.
</p>

<p>
	 
</p>

<p>
	This gradual shortening of certificate lifespans gives impacted entities enough time to implement and transition to automated certificate renewal systems, such as those offered by cloud providers, Let's Encrypt, or certificate providers that support the ACME protocol.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/ssl-tls-certificate-lifespans-reduced-to-47-days-by-2029/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28733</guid><pubDate>Mon, 14 Apr 2025 18:37:20 +0000</pubDate></item><item><title>Microsoft Defender will isolate undiscovered endpoints to block attacks</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-defender-will-isolate-undiscovered-endpoints-to-block-attacks-r28710/</link><description><![CDATA[<p>
	Microsoft is testing a new Defender for Endpoint capability that will block traffic to and from undiscovered endpoints to thwart attackers' lateral network movement attempts.
</p>

<p>
	 
</p>

<p>
	As the company <a href="http://learn.microsoft.com/en-us/defender-endpoint/whats-new-in-microsoft-defender-endpoint#april-2025" rel="external nofollow" target="_blank">revealed earlier this week</a>, this is achieved by containing the IP addresses of devices that have yet to be discovered or onboarded to Defender for Endpoint.
</p>

<p>
	 
</p>

<p>
	Redmond says the new feature will prevent threat actors from spreading to other non-compromised devices by blocking incoming and outgoing communication with devices using contained IP addresses.
</p>

<p>
	 
</p>

<p>
	"Containing an IP address associated with undiscovered devices or devices not onboarded to Defender for Endpoint is done automatically through <a href="https://learn.microsoft.com/en-us/defender-xdr/automatic-attack-disruption" rel="external nofollow" target="_blank">automatic attack disruption</a>. The Contain IP policy automatically blocks a malicious IP address when Defender for Endpoint detects the IP address to be associated with an undiscovered device or a device not onboarded," Microsoft <a href="https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts#contain-ip-addresses-of-undiscovered-devices" rel="external nofollow" target="_blank">explains</a>.
</p>

<p>
	 
</p>

<p>
	"Through automatic attack disruption, Defender for Endpoint incriminates a malicious device, identifies the role of the device to apply a matching policy to automatically contain a critical asset. The granular containment is done by blocking only specific ports and communication directions."
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Attack disruption via IP containment" class="ipsImage" height="390" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2025/contain-ip-attack-disrupt.jpg">
		<figcaption>
			<em>Attack disruption via IP containment (Microsoft)</em>
		</figcaption>
	</figure>
</div>

<p>
	This new feature will be available on Defender for Endpoint-onboarded devices running Windows 10, Windows 2012 R2, Windows 2016, and Windows Server 2019+.
</p>

<p>
	 
</p>

<p>
	Admins can also stop an IP address's containment and restore its connection to the network at any time by selecting the "Contain IP" action in the "Action Center" and selecting "Undo" in the flyout.
</p>

<p>
	 
</p>

<p>
	Since June 2022, Defender for Endpoint has also <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-now-isolates-hacked-unmanaged-windows-devices/" rel="external nofollow" target="_blank">been able to isolate hacked and unmanaged Windows devices</a>, blocking all communication to and from the compromised devices to stop attackers from spreading through victims' networks.
</p>

<p>
	 
</p>

<p>
	Microsoft also started <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-now-isolate-compromised-linux-endpoints/" rel="external nofollow" target="_blank">testing device isolation support</a> for Defender for Endpoint on onboarded Linux devices, with the capability reaching general availability on macOS and Linux in October 2023.
</p>

<p>
	 
</p>

<p>
	The same month, the company revealed that Defender for Endpoint could also <a href="https://www.bleepingcomputer.com/news/security/microsoft-defender-now-auto-isolates-compromised-accounts/" rel="external nofollow" target="_blank">isolate compromised user accounts</a> to block lateral movement in hands-on-keyboard ransomware attacks using automatic attack disruption.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-will-isolate-undiscovered-endpoints-to-block-attacks/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28710</guid><pubDate>Sat, 12 Apr 2025 05:22:24 +0000</pubDate></item><item><title>Researcher uncovers dozens of sketchy Chrome extensions with 4 million installs</title><link>https://nsaneforums.com/news/security-privacy-news/researcher-uncovers-dozens-of-sketchy-chrome-extensions-with-4-million-installs-r28703/</link><description><![CDATA[<h3>
	Even weirder: Why would Google give so many the "Featured" stamp for trustworthiness?
</h3>

<p>
	Google is hosting dozens of extensions in its Chrome Web Store that perform suspicious actions on the more than 4 million devices that have installed them and that their developers have taken pains to carefully conceal.
</p>

<p>
	 
</p>

<p>
	The extensions, which so far number at least 35, use the same code patterns, connect to some of the same servers, and require the same list of sensitive systems permissions, including the ability to interact with web traffic on all URLs visited, access cookies, manage browser tabs, and execute scripts. In more detail, the permissions are:
</p>

<p>
	 
</p>

<ul>
	<li aria-level="1">
		Tabs: manage and interact with browser windows
	</li>
	<li aria-level="1">
		Cookies: set and access stored browser cookies based on cookie or domain names (ex., "Authorization" or "all cookies for GitHub.com")
	</li>
	<li aria-level="1">
		WebRequest: intercept and modify web requests the browser makes
	</li>
	<li aria-level="1">
		Storage: ability to store small amounts of information persistently in the browser (these extensions store their command &amp; control configuration here)
	</li>
	<li aria-level="1">
		Scripting: the ability to inject new JavaScript into webpages and manipulate the DOM
	</li>
	<li aria-level="1">
		Alarms: an internal messaging service to trigger events. The extension uses this to trigger events like a cron job, as it can allow for scheduling the heartbeat callbacks by the extension
	</li>
	<li aria-level="1">
		&lt;all_urls&gt;: This works in tandem with other permissions like webRequest, but allows for the extension to functionally interact with all browsing activity (completely unnecessary for an extension that should just look at your installed extensions)
	</li>
</ul>

<p>
	 
</p>

<p>
	These sorts of permissions give extensions the ability to do all sorts of potentially abusive things and, as such, should be judiciously granted only to trusted extensions that can’t perform core functions without them.
</p>

<h2>
	Dubious or suspicious
</h2>

<p>
	“At this point, this information should be enough for any organization to reasonably kick this out of their environment as it presents unnecessary risk,” John Tuckner, founder of browser extension analysis firm Secure Annex and the researcher who stumbled on the cluster of extensions, wrote in a <a href="https://secureannex.com/blog/searching-for-something-unknow/" rel="external nofollow">post published Thursday</a>. In an email, he said the only permission required for some extensions is management. “Some of the other extensions like the 'Browse Securey' might traditionally require more permissions like 'webRequest' to block malicious sites, but things like access to 'cookies' are definitely not needed across the full list,” he said.
</p>

<p>
	 
</p>

<p>
	The extensions share other dubious or suspicious similarities. Much of the code in each one is highly obfuscated, a design choice that provides no benefit other than complicating the process for analyzing and understanding how it behaves.
</p>

<p>
	 
</p>

<p>
	All but one of them are <a href="https://support.google.com/chrome/a/answer/2714278?hl=en#:~:text=Unlisted%E2%80%94Only%20users%20with%20the,install%20the%20app%20or%20extension." rel="external nofollow">unlisted</a> in the Chrome Web Store. This designation makes an extension visible only to users with the long pseudorandom string in the extension URL, and thus, they don’t appear in the Web Store or search engine search results. It’s unclear how these 35 unlisted extensions could have fetched 4 million installs collectively, or on average roughly 114,000 installs per extension, when they were so hard to find.
</p>

<p>
	 
</p>

<p>
	Additionally, 10 of them are stamped with the “Featured” designation, which Google <a href="https://support.google.com/chrome_webstore/answer/1050673?hl=en&amp;visit_id=638799116507154059-3645955058&amp;p=cws_badges&amp;rd=1#cws_badges&amp;zippy=%2Cunderstand-chrome-web-store-badges" rel="external nofollow">reserves</a> for developers whose identities have been verified and “follow our technical best practices and meet a high standard of user experience and design.”
</p>

<p>
	 
</p>

<p>
	One example is the extension <a href="https://chromewebstore.google.com/detail/safe-search-for-chrome/oaljkhbgbedmfoiieocoenglpaeogjmf" rel="external nofollow">Fire Shield Extension Protection</a>, which, ironically enough, purports to check Chrome installations for the presence of any suspicious or malicious extensions. One of the key JavaScript files it runs references several questionable domains, where they can upload data and download instructions and code:
</p>

<p>
	 
</p>

<figure class="ars-wp-img-shortcode id-2088455 align-center">
	<div>
		<img alt="Fire-Shield-Extension-Protection-640x436" class="center medium" decoding="async" height="436" loading="lazy" sizes="auto, (max-width: 640px) 100vw, 640px" srcset="https://cdn.arstechnica.net/wp-content/uploads/2025/04/Fire-Shield-Extension-Protection-640x436.png 640w, https://cdn.arstechnica.net/wp-content/uploads/2025/04/Fire-Shield-Extension-Protection-1024x698.png 1024w, https://cdn.arstechnica.net/wp-content/uploads/2025/04/Fire-Shield-Extension-Protection-768x523.png 768w, https://cdn.arstechnica.net/wp-content/uploads/2025/04/Fire-Shield-Extension-Protection-1536x1047.png 1536w, https://cdn.arstechnica.net/wp-content/uploads/2025/04/Fire-Shield-Extension-Protection-980x668.png 980w, https://cdn.arstechnica.net/wp-content/uploads/2025/04/Fire-Shield-Extension-Protection-1440x981.png 1440w, https://cdn.arstechnica.net/wp-content/uploads/2025/04/Fire-Shield-Extension-Protection.png 1928w" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2025/04/Fire-Shield-Extension-Protection-640x436.png">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em>URLs that Fire Shield Extension Protection references in its code. <span class="caption-credit mt-2 text-xs"><em> </em></span></em>
			</div>

			<div class="caption-content">
				<em><span class="caption-credit mt-2 text-xs"><em>Credit: Secure Annex </em></span> </em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	One domain in particular—unknow.com—is listed in the remaining 34 apps.
</p>

<p>
	 
</p>

<p>
	Tuckner tried analyzing what extensions did on this site but was largely thwarted by the obfuscated code and other steps the developer took to conceal their behavior. When the researcher, for instance, ran the Fire Shield extension on a lab device, it opened a blank webpage. Clicking on the icon of an installed extension usually provides an option menu, but Fire Shield displayed nothing when he did it. Tuckner then fired up a <a href="https://developer.chrome.com/docs/workbox/service-worker-overview/" rel="external nofollow">background service worker</a> in the Chrome developer tools to seek clues about what was happening. He soon realized that the extension connected to a URL at fireshieldit.com and performed some action under the generic category “browser_action_clicked.” He tried to trigger additional events but came up empty-handed.
</p>

<p>
	 
</p>

<p>
	So Tuckner tried a new tactic. He found a configuration someone had <a href="https://gist.github.com/tstromberg/e69d7b75170adea5a395e34986b9ae36" rel="external nofollow">uploaded</a> years earlier to GitHub for Browse Securely for Chrome, another extension in his list (it has since changed its name to <a href="https://chromewebstore.google.com/detail/secured-connection-by-sec/fojomppheellamdaddnbgommepnlkooh" rel="external nofollow">Secured Connection by Security Browse</a>). The GitHub user who uploaded the file did so because they believed the extension was malicious.
</p>

<p>
	 
</p>

<p>
	When Tuckner loaded the unique ID for this extension into his installation of Fire Shield, it suddenly started sending a variety of events to the server that tracked user behaviors, such as what websites he was visiting, what sites had preceded that visit, and the size of his display screen. The researcher still hasn’t found proof that Fire Shield or any of the other extensions are malicious, but what he saw was enough to remove all reasonable doubt.
</p>

<p>
	 
</p>

<p>
	“While I could not find an instance of the extension exfiltrating credentials, this level of obfuscation, along with the ability for the extension’s configuration to be remotely controlled, and the capabilities in the browser extension’s code is enough for me to come to the same conclusion that all of these extensions include some kind of spyware or infostealer,” he wrote. “That is ultimately the problem and threat these extensions pose when they can be controlled remotely.”
</p>

<p>
	 
</p>

<p>
	The discovery serves as the latest reminder that there are real-world consequences to installing extensions for Chrome, Firefox, or any other browser, just as there are consequences for installing phone apps. Google, Apple, and others continually nudge us to install as many of these as we can. This is poor advice. Extensions and apps should be installed only when they provide a benefit that can’t be obtained otherwise. Even then, they should be installed only after reading recent reviews to see what kind of experiences others have had and looking into the developer. These steps are particularly important when installing extensions or apps from Google, given the much higher incidence of malice being reported over the past decade from its offerings.
</p>

<p>
	 
</p>

<p>
	The full list of extensions is:
</p>

<p>
	 
</p>

<ul>
	<li aria-level="1">
		Choose Your Chrome Tools
	</li>
	<li aria-level="1">
		Fire Shield Chrome Safety
	</li>
	<li aria-level="1">
		Safe Search for Chrome
	</li>
	<li aria-level="1">
		Fire Shield Extension Protection
	</li>
	<li aria-level="1">
		Browser Checkup for Chrome by Doctor
	</li>
	<li aria-level="1">
		Protecto for Chrome
	</li>
	<li aria-level="1">
		Unbiased Search by Protecto
	</li>
	<li aria-level="1">
		Securify Your Browser
	</li>
	<li aria-level="1">
		Web Privacy Assistant
	</li>
	<li aria-level="1">
		Securify Kid Protection
	</li>
	<li aria-level="1">
		Bing Search by Securify
	</li>
	<li aria-level="1">
		Browse Securely for Chrome
	</li>
	<li aria-level="1">
		Better Browse by SecurySearch
	</li>
	<li aria-level="1">
		Check My Permissions for Chrome
	</li>
	<li aria-level="1">
		Website Safety for Chrome
	</li>
	<li aria-level="1">
		MultiSearch for Chrome
	</li>
	<li aria-level="1">
		Global search for Chrome
	</li>
	<li aria-level="1">
		Map Search for Chrome
	</li>
	<li aria-level="1">
		Watch Tower Overview
	</li>
	<li aria-level="1">
		Incognito Shield for Chrome
	</li>
	<li aria-level="1">
		In Site Search for Chrome
	</li>
	<li aria-level="1">
		Privacy Guard for Chrome
	</li>
	<li aria-level="1">
		Yahoo Search by Ghost
	</li>
	<li aria-level="1">
		Private Search for Chrome
	</li>
	<li aria-level="1">
		Total Safety for Chrome
	</li>
	<li aria-level="1">
		Data Shield for Chrome
	</li>
	<li aria-level="1">
		Browser WatchDog for Chrome
	</li>
	<li aria-level="1">
		Incognito Search for Chrome
	</li>
	<li aria-level="1">
		Web Results for Chrome
	</li>
	<li aria-level="1">
		Cuponomia - Coupon and Cashback
	</li>
	<li aria-level="1">
		Securify for Chrome
	</li>
	<li aria-level="1">
		Securify Advanced Web Protection
	</li>
	<li aria-level="1">
		News Search for Chrome
	</li>
	<li aria-level="1">
		SecuryBrowse for Chrome
	</li>
	<li aria-level="1">
		Browse Securely for Chrome
	</li>
</ul>

<p>
	 
</p>

<p>
	Extension IDs and other indicators of compromise appear in Thursday's post and <a href="https://docs.google.com/spreadsheets/d/e/2PACX-1vTQODOMXGrdzC8eryUCmWI_up6HwXATdlD945PImEpCjD3GVWrS801at-4eLPX_9cNAbFbpNvECSGW8/pubhtml#" rel="external nofollow">this spreadsheet</a> compiled by Tuckner. Anyone who has one of these extensions installed should remove it immediately. Google didn’t immediately respond to questions asking if the company is investigating and what vetting it performed in awarding the Featured designation to some of these apps. Questions sent to some of the email addresses listed in the extension policies also didn't receive responses.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/security/2025/04/researcher-uncovers-dozens-of-sketchy-chrome-extensions-with-4-million-installs/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28703</guid><pubDate>Fri, 11 Apr 2025 17:31:17 +0000</pubDate></item><item><title>OpenAI helps spammers plaster 80,000 sites with messages that bypassed filters</title><link>https://nsaneforums.com/news/security-privacy-news/openai-helps-spammers-plaster-80000-sites-with-messages-that-bypassed-filters-r28682/</link><description><![CDATA[<h3>
	Company didn't notice its chatbot was being abused for (at least) 4 months.
</h3>

<p>
	Spammers used OpenAI to generate messages that were unique to each recipient, allowing them to bypass spam-detection filters and blast unwanted messages to more than 80,000 websites in four months, researchers said Wednesday.
</p>

<p>
	 
</p>

<p>
	The finding, documented in a <a href="https://www.sentinelone.com/labs/akirabot-ai-powered-bot-bypasses-captchas-spams-websites-at-scale/" rel="external nofollow">post</a> published by security firm SentinelOne’s SentinelLabs, underscores the double-edged sword wielded by large language models. The same thing that makes them useful for benign tasks—the breadth of data available to them and their ability to use it to generate content at scale—can often be used in malicious activities just as easily. OpenAI revoked the spammers’ account after receiving SentinelLabs’ disclosure, but the four months the activity went unnoticed shows how enforcement is often reactive rather than proactive.
</p>

<h2>
	“You are a helpful assistant”
</h2>

<p>
	The spam blast is the work of AkiraBot—a framework that automates the sending of messages in large quantities to promote shady search optimization services to small- and medium-size websites. AkiraBot used Python-based scripts to rotate the domain names advertised in the messages. It also used OpenAI’s chat API tied to the model gpt-4o-mini to generate unique messages customized to each site it spammed, a technique that likely helped it bypass filters that look for and block identical content sent to large numbers of sites. The messages are delivered through contact forms and live chat widgets embedded into the targeted websites.
</p>

<p>
	 
</p>

<p>
	“AkiraBot’s use of LLM-generated spam message content demonstrates the emerging challenges that AI poses to defending websites against spam attacks,” SentinelLabs researchers Alex Delamotte and Jim Walter wrote. “The easiest indicators to block are the rotating set of domains used to sell the Akira and ServiceWrap SEO offerings, as there is no longer a consistent approach in the spam message contents as there were with previous campaigns selling the services of these firms.”
</p>

<p>
	 
</p>

<p>
	AkiraBot worked by assigning the following role to OpenAI’s chat API using the model gpt-4o-mini: “You are a helpful assistant that generates marketing messages.” A prompt instructed the LLM to replace the variables with the site name provided at runtime. As a result, the body of each message named the recipient website by name and included a brief description of the service provided by it.
</p>

<p>
	 
</p>

<figure class="ars-wp-img-shortcode id-2087951 align-center">
	<div>
		<img alt="AkiraBot-spam-openai-prompt-640x365.webp" class="center medium" decoding="async" height="365" loading="lazy" sizes="auto, (max-width: 640px) 100vw, 640px" srcset="https://cdn.arstechnica.net/wp-content/uploads/2025/04/AkiraBot-spam-openai-prompt-640x365.webp 640w, https://cdn.arstechnica.net/wp-content/uploads/2025/04/AkiraBot-spam-openai-prompt-1024x585.webp 1024w, https://cdn.arstechnica.net/wp-content/uploads/2025/04/AkiraBot-spam-openai-prompt-768x438.webp 768w, https://cdn.arstechnica.net/wp-content/uploads/2025/04/AkiraBot-spam-openai-prompt-980x559.webp 980w, https://cdn.arstechnica.net/wp-content/uploads/2025/04/AkiraBot-spam-openai-prompt.webp 1186w" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2025/04/AkiraBot-spam-openai-prompt-640x365.webp">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em>An AI Chat prompt used by AkiraBot </em>
			</div>

			<div class="caption-content">
				<em><span class="caption-credit mt-2 text-xs"><em>Credit: SentinelLabs </em></span> </em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	“The resulting message includes a brief description of the targeted website, making the message seem curated,” the researchers wrote. “The benefit of generating each message using an LLM is that the message content is unique and filtering against spam becomes more difficult compared to using a consistent message template which can trivially be filtered.”
</p>

<p>
	 
</p>

<p>
	SentinelLabs obtained log files AkiraBot left on a server to measure success and failure rates. One file showed that unique messages had been successfully delivered to more than 80,000 websites from September 2024 to January of this year. By comparison, messages targeting roughly 11,000 domains failed. OpenAI thanked the researchers and reiterated that such use of its chatbots runs afoul of its terms of service.
</p>

<p>
	 
</p>

<p>
	<em>Story updated to modify headline.</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/security/2025/04/openais-gpt-helps-spammers-send-blast-of-80000-messages-that-bypassed-filters/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28682</guid><pubDate>Thu, 10 Apr 2025 03:57:13 +0000</pubDate></item><item><title>WhatsApp attachment flaw could trick Windows users into downloading and installing malware</title><link>https://nsaneforums.com/news/security-privacy-news/whatsapp-attachment-flaw-could-trick-windows-users-into-downloading-and-installing-malware-r28664/</link><description><![CDATA[<p>
	If you are using WhatsApp for Windows, then you need to be cautious. Meta has warned that a security vulnerability could trick unwary users into downloading and installing malware. The spoofing vulnerability, tracked as CVE-2025-30401, allows threat actors to disguise malicious code as harmless attachment files.
</p>

<p>
	 
</p>

<p>
	<img alt="WhatsApp listing open on Microsoft Store in Windows 11" class="ipsImage" height="405" width="720" src="https://cdn.neowin.com/news/images/uploaded/2022/08/1660719101_screenshot_2022-08-17_115050.jpg">
</p>

<p>
	 
</p>

<p>
	Normally, if you receive an attachment, WhatsApp identifies it by its MIME (Multipurpose Internet Mail Extensions) type (for example, a file could be identified as an image, document, or video based on its actual content). However, when you manually open the attachment, WhatsApp uses the file's extension, like .jpg or .exe, to decide how to handle it.
</p>

<p>
	 
</p>

<p>
	The issue arises if the attachment is crafted with a deliberate mismatch by a threat actor. For example, the MIME type might suggest it's an image (so WhatsApp shows it as an image), but the file extension might actually indicate it’s a program (like .exe).
</p>

<p>
	 
</p>

<p>
	If the recipient manually opens the attachment, expecting to view a harmless image, the system might instead execute the hidden program. This could allow the attacker’s code to run on the victim's device without their knowledge, potentially causing harm like stealing data, installing malware, or hijacking the system.
</p>

<p>
	 
</p>

<p>
	Meta, in its security advisory, explains (<a href="https://www.facebook.com/security/advisories/cve-2025-30401" rel="external nofollow">link1</a>, <a href="https://www.whatsapp.com/security/advisories/2025/" rel="external nofollow">link2</a>):
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<strong>CVE-2025-30401</strong>
	</p>

	<p>
		 
	</p>

	<p>
		<strong>Description</strong>: A spoofing issue in WhatsApp for Windows prior to version 2.2450.6 displayed attachments according to their MIME type but selected the file opening handler based on the attachment’s filename extension. A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp.
	</p>

	<p>
		 
	</p>

	<p>
		Affected Version Information:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			WhatsApp Desktop for Windows (Facebook)
			<ul>
				<li>
					Default Status: unaffected
				</li>
				<li>
					affected from 0.0.0 before 2.2450.6
				</li>
			</ul>
		</li>
	</ul>
</blockquote>

<p>
	Thus, users are advised to download and install version 2.2450.6 or newer of WhatsApp for Windows. You can get it from the WhatsApp <a href="https://www.whatsapp.com/download/" rel="external nofollow">official website</a> or the <a href="https://apps.microsoft.com/detail/9NKSQGP7F2NH" rel="external nofollow">Microsoft Store.</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/whatsapp-attachment-flaw-could-trick-windows-users-into-downloading-and-installing-malware/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28664</guid><pubDate>Wed, 09 Apr 2025 03:09:20 +0000</pubDate></item><item><title>Fake Microsoft Office add-in tools push malware via SourceForge</title><link>https://nsaneforums.com/news/security-privacy-news/fake-microsoft-office-add-in-tools-push-malware-via-sourceforge-r28663/</link><description><![CDATA[<p>
	Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
</p>

<p>
	 
</p>

<p>
	SourceForge.net is a legitimate software hosting and distribution platform that also supports version control, bug tracking, and dedicated forums/wikis, making it very popular among open-source project communities.
</p>

<p>
	 
</p>

<p>
	Although its open project submission model gives plenty of margin for abuse, actually seeing malware distributed through it is a rare occurrence.
</p>

<p>
	 
</p>

<p>
	The new campaign <a href="https://securelist.com/miner-clipbanker-sourceforge-campaign/116088/" rel="external nofollow" target="_blank">spotted by Kaspersky</a> has impacted over 4,604 systems, most of which are in Russia.
</p>

<p>
	 
</p>

<p>
	While the malicious project is no longer available on SourceForge, Kaspersky says the project had been indexed by search engines, bringing traffic from users searching for "office add-ins" or similar.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="SourceForge page hosting the malware on search results" class="ipsImage" height="253" width="653" src="https://www.bleepstatic.com/images/news/u/1220909/2025/April/search.jpg">
		<figcaption>
			<em>SourceForge page hosting the malware on search results<br>
			Source: Kaspersky</em>
		</figcaption>
	</figure>
</div>

<h2>
	Fake Office add-ins
</h2>

<p>
	The "officepackage" project presents itself as a collection of Office Add-in development tools, with its description and files being a copy of the legitimate Microsoft project 'Office-Addin-Scripts,' available on GitHub.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Malicious project (left) and legitimate tool (right)" class="ipsImage" height="412" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/April/miner-clipbanker-EN1.jpg">
		<figcaption>
			<em>Malicious project (left) and legitimate tool (right)<br>
			Source: Kaspersky</em>
		</figcaption>
	</figure>
</div>

<p>
	However, when users search for office add-ins on Google Search (and other engines), they get results pointing to "officepackage.sourceforge.io," powered by a separate web hosting feature SourceForge gives to project owners.
</p>

<p>
	 
</p>

<p>
	That page mimics a legit developer tool page, showing the "Office Add-ins" and "Download" buttons. If any are clicked, the victim receives a ZIP containing a password-protected archive (installer.zip) and a text file with the password.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="The malware-distributing website" class="ipsImage" height="600" style="height: auto;" width="659" src="https://www.bleepstatic.com/images/news/u/1220909/2025/April/site.jpg">
		<figcaption>
			<em>The malware-distributing site<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	The archive contains an MSI file (installer.msi) inflated to 700MB in size to evade AV scans. Running it drops 'UnRAR.exe' and '51654.rar,' and executes a Visual Basic script that fetches a batch script (confvk.bat) from GitHub.
</p>

<p>
	 
</p>

<p>
	The script performs checks to determine whether it runs on a simulated environment and what antivirus products are active, and then downloads another batch script (confvz.bat) and unpacks the RAR archive.
</p>

<p>
	 
</p>

<p>
	The confvz.bat script establishes persistence via Registry modifications and the addition of Windows services.
</p>

<p>
	 
</p>

<p>
	The RAR file contains an AutoIT interpreter (Input.exe), the Netcat reverse shell tool (ShellExperienceHost.exe), and two payloads (Icon.dll and Kape.dll).
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="The complete infection chain" class="ipsImage" height="600" style="height: auto;" width="562" src="https://www.bleepstatic.com/images/news/u/1220909/2025/April/diag.jpg">
		<figcaption>
			<em>The complete infection chain<br>
			Source: Kaspersky</em>
		</figcaption>
	</figure>
</div>

<p>
	The DLL files are a cryptocurrency miner and a clipper. The former hijacks the machine's computational power to mine cryptocurrency for the attacker's account, and the latter monitors the clipboard for copied cryptocurrency addresses and replaces them with attacker-controlled ones.
</p>

<p>
	 
</p>

<p>
	The attacker also receives the infected system's information via Telegram API calls and can use the same channel to introduce additional payloads to the compromised machine.
</p>

<p>
	 
</p>

<p>
	This campaign is another example of threat actors exploiting any legitimate platform to gain false legitimacy and bypass protections.
</p>

<p>
	 
</p>

<p>
	Users are recommended to only download software from trusted publishers who they can verify, prefer the official project channels (in this case <a href="https://github.com/OfficeDev/Office-Addin-Scripts" rel="external nofollow" target="_blank">GitHub</a>), and scan all downloaded files with an up-to-date AV tool before execution.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/fake-microsoft-office-add-in-tools-push-malware-via-sourceforge/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of March): 1,357</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">28663</guid><pubDate>Wed, 09 Apr 2025 03:07:38 +0000</pubDate></item><item><title>WhatsApp flaw can let attackers run malicious code on Windows PCs</title><link>https://nsaneforums.com/news/security-privacy-news/whatsapp-flaw-can-let-attackers-run-malicious-code-on-windows-pcs-r28655/</link><description><![CDATA[<p>
	Meta warned Windows users to update the WhatsApp messaging app to the latest version to patch a vulnerability that can let attackers execute malicious code on their devices.
</p>

<p>
	 
</p>

<p>
	Described as a spoofing issue and tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-30401" rel="external nofollow" target="_blank">CVE-2025-30401</a>, this security flaw can be exploited by attackers by sending maliciously crafted files with altered file types to potential targets.
</p>

<p>
	 
</p>

<p>
	Meta <a href="https://www.facebook.com/security/advisories/cve-2025-30401" rel="external nofollow" target="_blank">says</a> the vulnerability impacted all WhatsApp versions and has been fixed with the release of WhatsApp 2.2450.6.
</p>

<p>
	 
</p>

<p>
	"A spoofing issue in WhatsApp for Windows prior to version 2.2450.6 displayed attachments according to their MIME type but selected the file opening handler based on the attachment's filename extension," WhatsApp <a href="https://www.whatsapp.com/security/advisories/2025/" rel="external nofollow" target="_blank">explained in a Tuesday advisory</a>.
</p>

<p>
	 
</p>

<p>
	"A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp."
</p>

<p>
	 
</p>

<p>
	Meta says an external researcher found and reported the flaw via a Meta Bug Bounty submission. The company has yet to share if CVE-2025-30401 was exploited in the wild.
</p>

<p>
	 
</p>

<p>
	In July 2024, <a href="https://www.bleepingcomputer.com/news/security/whatsapp-for-windows-lets-python-php-scripts-execute-with-no-warning/" rel="external nofollow" target="_blank">WhatsApp addressed a slightly similar issue</a> that allowed Python and PHP attachments to be executed without warning when recipients opened them on Windows devices with Python installed.
</p>

<h2>
	Often targeted in spyware attacks
</h2>

<p>
	More recently, following reports from security researchers at the University of Toronto's Citizen Lab, WhatsApp also <a href="https://www.bleepingcomputer.com/news/security/whatsapp-patched-zero-day-flaw-used-in-paragon-spyware-attacks/" rel="external nofollow" target="_blank">patched a zero-click, zero-day security vulnerability</a> that was exploited to install Paragon's Graphite spyware.
</p>

<p>
	 
</p>

<p>
	The company said the attack vector was addressed late last year "without the need for a client-side fix" and decided against assigning a CVE-ID after "reviewing the CVE guidelines published by MITRE, and [its] own internal policies."
</p>

<p>
	 
</p>

<p>
	On January 31, after mitigating the security issue server-side, WhatsApp <a href="https://www.reuters.com/technology/cybersecurity/metas-whatsapp-says-israeli-spyware-company-paragon-targeted-scores-users-2025-01-31/" rel="external nofollow" target="_blank">alerted roughly 90 Android users</a> from over two dozen countries, including <a href="https://www.fanpage.it/attualita/giornalisti-presi-di-mira-dallo-spyware-israeliano-paragon-spiato-anche-il-direttore-di-fanpage-it/" rel="external nofollow" target="_blank">Italian journalists</a> and activists who were targeted in Paragon spyware attacks using the zero-click exploit.
</p>

<p>
	 
</p>

<p>
	Last December, a U.S. federal judge also ruled that Israeli spyware maker NSO Group used WhatsApp zero-days to deploy Pegasus spyware on at least 1,400 devices, thus violating U.S. hacking laws.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/nso-group-used-another-whatsapp-zero-day-after-being-sued-court-docs-say/" rel="external nofollow" target="_blank">Court documents</a> revealed that NSO allegedly deployed Pegasus spyware in zero-click attacks that exploited WhatsApp vulnerabilities using multiple zero-day exploits. The documents also said that the spyware maker's developers reverse-engineered WhatsApp's code to create tools that sent malicious messages that installed spyware, violating federal and state laws.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/whatsapp-flaw-can-let-attackers-run-malicious-code-on-windows-pcs/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28655</guid><pubDate>Tue, 08 Apr 2025 17:55:04 +0000</pubDate></item><item><title>Coinbase to fix 2FA account activity entry freaking out users</title><link>https://nsaneforums.com/news/security-privacy-news/coinbase-to-fix-2fa-account-activity-entry-freaking-out-users-r28623/</link><description><![CDATA[<p>
	Coinbase is fixing a misleading account activity message that has caused confusion and anxiety, making users think their credentials were compromised.
</p>

<p>
	 
</p>

<p>
	Over the past couple of weeks, numerous people have contacted BleepingComputer about concerns that they think Coinbase has a serious security issue.
</p>

<p>
	 
</p>

<p>
	After receiving Coinbase phishing emails or texts, they logged into their accounts and checked the activity log, finding numerous entries stating "second_factor_failure" or "2-step verification failed" with login attempts from unusual locations.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Coinbase account activity showing 2-step verification failed message." class="ipsImage" height="161" width="720" src="https://www.bleepstatic.com/images/news/cryptocurrency/2fa/incorrect-2fa-error-message/coinbase-account-activity-message.jpg">
		<figcaption>
			<em>Coinbase account activity showing 2-step verification failed message.</em>
		</figcaption>
	</figure>
</div>

<p>
	Two-factor authentication prompts usually occur after a user successfully logs in with their credentials, so they immediately thought that their passwords were compromised and that only 2FA saved them from their account being hacked.
</p>

<p>
	 
</p>

<p>
	This led them to change their passwords, check for malware, and grow anxious over what they believed was a breach.
</p>

<p>
	 
</p>

<p>
	Making matters worse, these users claimed to have a complex, unique password at Coinbase, and there were no signs of malware on their devices, making them believe that Coinbase had been breached.
</p>

<p>
	 
</p>

<p>
	However, it turns out that the "second_factor_failure" or "2-step verification failed" account activity messages are shown in two different scenarios: when a user enters the wrong 2FA code or when someone tries to log into their account with the wrong password.
</p>

<p>
	 
</p>

<p>
	BleepingComputer was able to confirm this by logging into someone's account with the wrong password and the person telling us that their account activity page soon showed the mislabeled 2FA error.
</p>

<p>
	 
</p>

<p>
	Similar concerns were <a href="https://www.reddit.com/r/CoinBase/comments/1gqyh8i/second_factor_authentication_failed_in_security/" rel="external nofollow" target="_blank">expressed on Reddit</a>, where users receiving these alerts also confirmed incorrect passwords caused them.
</p>

<p>
	 
</p>

<p>
	"I think they mean that the error doesnt [sic] give any actual detail of what happened," a Coinbase customer posted to Reddit.
</p>

<p>
	 
</p>

<p>
	"To me the error means someone has the pw but not 2fa, but thats not what it means. It should probably should be something like "invalid password" if that is what is actually happening."
</p>

<p>
	 
</p>

<p>
	Coinbase has told BleepingComputer that they are looking into changing the error message when an incorrect password is entered but that there is no time frame for when this will happen.
</p>

<p>
	 
</p>

<p>
	Unfortunately, BleepingComputer was told that threat actors use these erroneous error messages as part of social engineering attacks that attempt to breach Coinbase accounts by making targets think their credentials are compromised.
</p>

<p>
	 
</p>

<p>
	BleepingComputer has not been able to independently verify if this "bug" is being abused in that way.
</p>

<p>
	 
</p>

<p>
	As a reminder, Coinbase will never text or call you about suspicious activity on your account, so if you receive a phone call or text message, just ignore it and do not engage with the scammers.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/coinbase-to-fix-2fa-account-activity-entry-freaking-out-users/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28623</guid><pubDate>Sat, 05 Apr 2025 18:35:46 +0000</pubDate></item><item><title>WinRAR flaw bypasses Windows Mark of the Web security alerts</title><link>https://nsaneforums.com/news/security-privacy-news/winrar-flaw-bypasses-windows-mark-of-the-web-security-alerts-r28622/</link><description><![CDATA[<p>
	A vulnerability in the WinRAR file archiver solution could be exploited to bypass the Mark of the Web (MotW) security warning and execute arbitrary code on a Windows machine.
</p>

<p>
	 
</p>

<p>
	The security issue is tracked as CVE-2025-31334 and affects all WinRAR versions except the most recent release, which is currently 7.11.
</p>

<p>
	 
</p>

<p>
	Mark of the Web is a Windows security feature that uses a metadata value (an alternate data stream named ‘zone-identifier’) to tag files downloaded from the internet as potentially unsafe.
</p>

<p>
	 
</p>

<p>
	When opening an executable with the MotW tag, Windows warns the user that it was downloaded from the internet and could be harmful and offers the option to continue execution or terminate it.
</p>

<p>
	 
</p>

<p>
	<img alt="windows-motw-download-warning.jpg" class="ipsImage" height="284" width="720" src="https://www.bleepstatic.com/images/news/software/7/7-zip/motw/windows-motw-download-warning.jpg">
</p>

<h3>
	Symlink to executable
</h3>

<p>
	The CVE-2025-31334 vulnerability can help a threat actor bypass the MotW security warning when opening a symbolic link (symlink) pointing to an executable file in any WinRAR version before 7.11.
</p>

<p>
	 
</p>

<p>
	An attacker could execute arbitrary code by using a specially crafted symbolic link. It should be noted that a symlink can be created on Windows only with administrator permissions.
</p>

<p>
	 
</p>

<p>
	The security issue received a <a href="https://www.cve.org/CVERecord?id=CVE-2025-31334" rel="external nofollow" target="_blank">medium severity</a> score of 6.8 and has been fixed in the latest version of WinRAR, as noted in the application's change log:
</p>

<p>
	 
</p>

<div class="QuoteNewsStyle">
	<p>
		“If symlink pointing at an executable was started from WinRAR shell, the executable Mark of the Web data was ignored” - <a href="http://www.win-rar.com/whatsnew.html?&amp;L=0" rel="external nofollow" target="_blank">WinRAR</a>
	</p>
</div>

<p>
	The vulnerability was reported by Shimamine Taihei of Mitsui Bussan Secure Directions through the Information Technology Promotion Agency (IPA) in Japan.
</p>

<p>
	 
</p>

<p>
	Japan’s Computer Security Incident Response Team <a href="https://jvn.jp/en/jp/JVN59547048/" rel="external nofollow" target="_blank">coordinated</a> the responsible disclosure with WinRAR’s developer.
</p>

<p>
	 
</p>

<p>
	Starting with version 7.10, WinRAR can remove information from the MotW alternate data stream (e.g. location, IP address) that could be considered a privacy risk.
</p>

<p>
	 
</p>

<p>
	Threat actors, including state-sponsored ones, have exploited MotW bypasses in the past to deliver various malware without triggering the security warning.
</p>

<p>
	 
</p>

<p>
	Recently, Russian hackers leveraged such a vulnerability in the 7-Zip archiver, which did not propagate the MotW when <a href="https://www.bleepingcomputer.com/news/security/7-zip-motw-bypass-exploited-in-zero-day-attacks-against-ukraine/" rel="external nofollow" target="_blank">double archiving</a> (archiving a file within another one) to run the Smokeloader malware dropper.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/winrar-flaw-bypasses-windows-mark-of-the-web-security-alerts/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<p>
	This version (or later) fixes the vulnerability...
</p>

<p>
	 
</p>
<iframe allowfullscreen="" class="ipsEmbed_finishedLoading" data-controller="core.front.core.autosizeiframe" data-embedauthorid="56074" data-embedcontent="" data-embedid="embed5670951237" src="https://nsaneforums.com/topic/470201-winrar-711/?do=embed&amp;comment=1862058&amp;embedComment=1862058&amp;embedDo=findComment#comment-1862058" style="overflow: hidden; height: 334px; max-width: 502px;"></iframe>

]]></description><guid isPermaLink="false">28622</guid><pubDate>Sat, 05 Apr 2025 18:34:55 +0000</pubDate></item><item><title>Mozilla improves the way Firefox add-ons and extensions will collect your data</title><link>https://nsaneforums.com/news/security-privacy-news/mozilla-improves-the-way-firefox-add-ons-and-extensions-will-collect-your-data-r28597/</link><description><![CDATA[<p>
	Earlier today, Microsoft announced that it is deprecating a mechanism in Edge in order to improve user data privacy. The company has also published a timeline for the phase out. You can find the details in <a href="https://www.neowin.net/news/microsoft-is-killing-something-inside-edge-but-its-to-improve-user-data-privacy/" rel="external nofollow">this dedicated piece</a>.
</p>

<p>
	 
</p>

<p>
	Meanwhile, Mozilla also announced something similar yesterday about user data collection. The company is trying to simplify the way its add-ons and extensions ask for consent for data "collection and transmission" when you install them on your browser. This news is interesting considering the recent backlash the company received regarding <a href="https://www.neowin.net/news/mozilla-shifts-its-stance-on-user-data-protection-says-sale-of-data-is-broadly-defined/" rel="external nofollow">user data protection</a>.
</p>

<p>
	 
</p>

<p>
	Mozilla feels this update will simplify things from both the perspectives of the developer of an add-on as well as the user who installs it. The firm explains the development side benefits first:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		In 2025 we will launch a new data consent experience for extensions, built into the Firefox add-on installation flow itself. This will dramatically reduce the:
	</p>

	<p>
		 
	</p>

	<ol>
		<li>
			development effort required to be compliant with Firefox data policies
		</li>
		<li>
			confusion users face when installing extensions by providing a more consistent experience, giving them more confidence and control around the data collected or transmitted
		</li>
		<li>
			effort it takes AMO reviewers to evaluate an extension version to ensure it’s compliant with our data collection policies
		</li>
	</ol>

	<p>
		 
	</p>

	<p>
		Developers won’t need to bother with creating their own custom data consent experiences. Soon, developers will simply be able to specify in the manifest what types of data the extension collects/transmits and this will automatically be reflected in a unified consent experience across all Firefox extensions
	</p>
</blockquote>

<p>
	And following that, Mozilla has explained how the new updated consent type will help users:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		When a user then adds an extension to Firefox, the installation prompt will show what required types of data the extension collects, if any, alongside a list of permissions that the extension requests. Users will have a choice to opt in/out of providing the optional technical and usage data if the add-on has requested it, as well as any optional data collection the developer requests.
	</p>

	<p>
		 
	</p>

	<p>
		As always, the user then has the choice to continue adding the extension if they agree to the required permissions and data collection, or cancel the installation flow.
	</p>

	<p>
		 
	</p>

	<p>
		...
	</p>

	<p>
		 
	</p>

	<p>
		The data collection information will also be displayed on AMO extension listing pages to help Firefox users make informed download decisions.
	</p>
</blockquote>

<p>
	If you are wondering, AMO here refers to the <a href="https://addons.mozilla.org/en-US/firefox/" rel="external nofollow">addons.mozilla.org</a> website where all the Firefox add-ons and extensions are available. You can find the blog post <a href="https://blog.mozilla.org/addons/2025/04/03/rethinking-extension-data-consent-clarity-consistency-and-control/" rel="external nofollow">here</a> on Mozilla's website. The firm adds that more technical details will be published later on the same page. Currently it is still gathering feedback.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/mozilla-improves-the-way-firefox-add-ons-and-extensions-will-collect-your-data/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28597</guid><pubDate>Fri, 04 Apr 2025 08:15:08 +0000</pubDate></item><item><title>Microsoft is killing something inside Edge but it's to improve user data privacy</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-is-killing-something-inside-edge-but-its-to-improve-user-data-privacy-r28596/</link><description><![CDATA[<p>
	Microsoft has announced that it is killing its <code>window.external.getHostEnvironmentValue()</code> method of gathering data related to the user device and browser. Instead, the company is moving to a more privacy-focused and standardised User-Agent Client Hints API.
</p>

<p>
	 
</p>

<p>
	It writes:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		The <code>window.external.getHostEnvironmentValue()</code> method is an Edge-only, non-standards-based way for web developers to access information about the browser and platform. ... we’re announcing our plan to deprecate this method and we’re asking web developers to use the standardized User-Agent Client Hints API instead.
	</p>
</blockquote>

<p>
	Microsoft further explains:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Our decision to deprecate the <code>getHostEnvironmentValue()</code> method is driven by our goal to enhance browser privacy by eliminating user fingerprinting. The UA Client Hints API provides browser and platform information in a much more privacy-preserving way as browsers can decide what to return when asked for hints. Low entropy hints are accessible with every request, while the high entropy hints that can potentially give away more fingerprinting information can be gated with user preferences or behind a permission request.
	</p>
</blockquote>

<p>
	Thus, the User-Agent Client Hints API builds on the Client Hints framework to let websites access browser and platform details, and essentially, it minimizes the data footprint users leave behind when browsing while still allowing websites to get enough information to provide an optimized experience.
</p>

<p>
	 
</p>

<p>
	Microsoft has also provided a timeline for the deprecation. The company says that it will be doing so in three steps broadly and plans to fully remove it by October, which aligns with the <a href="https://www.neowin.net/news/microsoft-how-to-update-to-windows-11-on-unsupported-windows-10-pc-dump-it-and-buy-new/" rel="external nofollow">Windows 10 support death</a>. It writes:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		To reduce interoperability issues and to gather feedback, we’re planning to deprecate the non-standard <code>getHostEnvironmentValue()</code> method by following these steps:
	</p>

	<p>
		 
	</p>

	<table border="1px solid black;">
		<tbody>
			<tr>
				<th>
					Edge version
				</th>
				<th>
					Release date
				</th>
				<th>
					Deprecation step
				</th>
			</tr>
			<tr>
				<td>
					Edge 135
				</td>
				<td>
					April 3, 2025
				</td>
				<td>
					The DevTools Console warns developers when their code uses the method.<br>
					Developers can also use a feature flag to test their sites with the method disabled.
				</td>
			</tr>
			<tr>
				<td>
					Edge 137
				</td>
				<td>
					May 23, 2025
				</td>
				<td>
					The method is disabled but can still be used by requesting a temporary extension for your domain.
				</td>
			</tr>
			<tr>
				<td>
					Edge 141, depending on developer feedback
				</td>
				<td>
					October 2025
				</td>
				<td>
					The method is fully removed from Edge.
				</td>
			</tr>
		</tbody>
	</table>
</blockquote>

<p>
	Microsoft has also added that an extension request is allowed for websites that rely on it. You can find more details about it <a href="https://blogs.windows.com/msedgedev/2025/04/03/deprecating-window-external-gethostenvironmentvalue/" rel="external nofollow">here</a> on the official blog post.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-is-killing-something-inside-edge-but-its-to-improve-user-data-privacy/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28596</guid><pubDate>Fri, 04 Apr 2025 08:14:22 +0000</pubDate></item><item><title>Proton launches redesigned VPN client for Windows with new profiles feature</title><link>https://nsaneforums.com/news/security-privacy-news/proton-launches-redesigned-vpn-client-for-windows-with-new-profiles-feature-r28580/</link><description><![CDATA[<p>
	Following the release of the <a href="https://www.neowin.net/news/proton-drive-is-now-available-natively-on-windows-on-arm/" rel="external nofollow">Proton Drive app for Windows on ARM</a>, Proton is launching some fresh updates for its VPN client, "making its applications even more easy to use and customizable, to get connected with just a few taps and explore new features effortlessly."
</p>

<p>
	 
</p>

<p>
	Those using the app on Windows PCs can now download a redesigned version with a reworked user interface, more intuitive navigation, and overall a better experience. Proton also redesigned the Settings menu so that features like Kill Switch, Port Forwarding, Split Tunneling, and more are easier to access. On the personalization side, you can now have the app in light mode.
</p>

<p>
	 
</p>

<figure class="image image--expandable">
	<img alt="Proton VPN" class="ipsImage" height="364" width="720" src="https://cdn.neowin.com/news/images/uploaded/2025/04/1743673879_proton_vpn_-_windows_-_visual_5.jpg">
</figure>

<p>
	In addition to the big redesign, Proton is bringing profiles to Windows and Android. This feature is available for paid users, and it allows the creation of personalized profiles for specific scenarios. Each profile can have its country, city, server, protocol, and other parameters that suit your needs best. For example, you can have one profile for general web surfing, one profile for gaming, one for video streaming, and more.
</p>

<p>
	 
</p>

<figure class="image image--expandable">
	<img alt="Proton VPN" class="ipsImage" height="384" width="720" src="https://cdn.neowin.com/news/images/uploaded/2025/04/1743673873_proton_vpn_-_visual_4.jpg">
</figure>

<p>
	Profile setup also includes preset configurations tailored for improved privacy, streaming services, gaming, P2P connections, and more.
</p>

<p>
	 
</p>

<p>
	A similar update is also available for iOS, where users can access a new Home Screen with settings personalization and recent locations. Plus, Proton VPN for iOS and Android has a home screen widget that lets you enable VPN and connect to pinned or recent connections without opening the app. Widgets also support profiles.
</p>

<p>
	 
</p>

<figure class="image image--expandable">
	<img alt="Proton VPN" class="ipsImage" height="372" width="720" src="https://cdn.neowin.com/news/images/uploaded/2025/04/1743673866_proton_vpn_-_visual_3.jpg">
</figure>

<p>
	The redesigned Proton VPN app for Windows and iOS is <a href="https://protonvpn.com/download-windows" rel="external nofollow">now available for download</a>. On Windows, you can get it by heading to Menu &gt; About (the app will check for updates automatically). On iOS, the update is available in the App Store <a href="https://apps.apple.com/us/app/proton-vpn-fast-secure/id1437005085" rel="external nofollow">via this link</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/proton-launches-redesigned-vpn-client-for-windows-with-new-profiles-feature/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28580</guid><pubDate>Thu, 03 Apr 2025 17:44:37 +0000</pubDate></item><item><title>Microsoft's &#x2018;ultimate goal is to remove passwords completely&#x2019; &#x2014; this overhaul could make it happen</title><link>https://nsaneforums.com/news/security-privacy-news/microsofts-%E2%80%98ultimate-goal-is-to-remove-passwords-completely%E2%80%99-%E2%80%94-this-overhaul-could-make-it-happen-r28561/</link><description><![CDATA[<h3>
	The new interface for logging into a Microsoft account is optimized for a passwordless setup and using passkeys.
</h3>

<p>
	Microsoft recently shared that over one <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/windows-11/over-one-billion-users-will-get-a-new-microsoft-user-experience-and-it-has-a-dark-mode" href="https://www.windowscentral.com/software-apps/windows-11/over-one-billion-users-will-get-a-new-microsoft-user-experience-and-it-has-a-dark-mode" rel="external nofollow">billion users will get a new account login experience</a>. Part of that new experience is a push for passwordless login.
</p>

<p>
	 
</p>

<p>
	Microsoft has nudged users away from passwords for several years. Now, the company is making passwordless login a core part of the Microsoft account experience.
</p>

<p>
	 
</p>

<p>
	"Over the last few years, we’ve introduced several enhancements, including the ability to completely remove the password from your account and support for passkey sign in instead of using a password," said Microsoft. "Our new UX is optimized for a passwordless and passkey-first experience."
</p>

<p>
	 
</p>

<p>
	Microsoft wants people to use passkeys because passwords are not secure. Other tech giants, including Apple and Google, also support passkeys.
</p>

<p>
	 
</p>

<p>
	The push to passkeys is about more than getting people to embrace a more secure method of logging in. Microsoft needs to convince users to move away from passwords entirely.
</p>

<p>
	 
</p>

<p>
	"Even if we get our more than one billion users to enroll and use passkeys, if a user has both a passkey and a password, and both grant access to an account, the account is still at risk for phishing," <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.microsoft.com/en-us/security/blog/2024/12/12/convincing-a-billion-users-to-love-passkeys-ux-design-insights-from-microsoft-to-boost-adoption-and-security/?msockid=080a1acd49f562a0277a0fab483e6380" href="https://www.microsoft.com/en-us/security/blog/2024/12/12/convincing-a-billion-users-to-love-passkeys-ux-design-insights-from-microsoft-to-boost-adoption-and-security/?msockid=080a1acd49f562a0277a0fab483e6380" referrerpolicy="no-referrer-when-downgrade" rel="external nofollow" target="_blank">said the tech giant last December</a>. "Our ultimate goal is to remove passwords completely and have accounts that only support phishing-resistant credentials."
</p>

<p>
	 
</p>

<p>
	The new Microsoft account experience should help people transition away from passwords.
</p>

<div id="slice-container-newsletterForm-articleInbodyContent-rsHY7aSpzvqwdxHSMuEN4m">
	<div data-hydrate="true">
		<h2 id="what-is-a-passkey-3">
			What is a passkey?
		</h2>


		<p>
			Passkeys allow users to sign in to apps, websites, and services. They are more secure than passwords and resistant to many of the flaws passwords face.
		</p>

		<p>
			 
		</p>

		<p>
			At first glance, passkeys and passwords sound somewhat alike. In addition to having similar names, both passkeys and passwords were designed to let people log in to websites and services.
		</p>

		<p>
			 
		</p>

		<p>
			But the methods passwords and passkeys use to accomplish that task are very different. While passwords rely on a combination of a username and a password you have to remember, passkeys use a pair of cryptographic keys to ensure secure login.
		</p>

		<p>
			 
		</p>

		<p>
			One of the most important aspects of a passkey is that one of those keys is private and stays on your device.
		</p>

		<p>
			 
		</p>

		<p>
			Passkeys work with biometric security features, such as fingerprint scanning or face unlock, and can also be used with a device PIN.
		</p>

		<p>
			 
		</p>

		<p>
			Passkeys can extend across devices and are unique to websites and apps.
		</p>

		<p>
			 
		</p>

		<p>
			The uniqueness of passkeys is important. When attackers obtain a password through a security breach or other methods, those attackers often try to use the same password across other popular services.
		</p>

		<p>
			 
		</p>

		<p>
			In a worst-case scenario, an attacker could obtain a password from a site you don't consider especially important and then use that password to gain access to anything from your email account to banking applications.
		</p>

		<p>
			 
		</p>

		<p>
			While the technology behind passkeys is fascinating, I assume most people care about two questions:
		</p>

		<p>
			 
		</p>

		<ul>
			<li>
				Are passkeys easy to use?
			</li>
			<li>
				Are passkeys safer than passwords?
			</li>
		</ul>

		<p>
			 
		</p>

		<p>
			Passkeys are relatively new, at least in the grand scheme of how long people have used computers and smartphones. But they already have backing from tech giants such as Microsoft, Google, and Apple.
		</p>

		<p>
			 
		</p>

		<p>
			Several well-known websites support passkeys as well. Microsoft says "passkeys are the future of authentication," and there's good reason to believe the company.
		</p>

		<p>
			 
		</p>

		<p>
			Passkeys are easy to set up and use on many sites and services. Over time, passkeys will gain more support.
		</p>

		<p>
			 
		</p>

		<p>
			Passkeys are resistant to phishing attempts and a range of other attacks that are commonly used to obtain people's passwords.
		</p>

		<p>
			 
		</p>

		<p>
			While no method of login is perfectly secure, passkeys are generally considered more secure than passwords.
		</p>

		<p>
			 
		</p>

		<p>
			<a href="https://www.windowscentral.com/software-apps/windows-11/microsofts-ultimate-goal-is-to-remove-passwords-completely-this-overhaul-could-make-it-happen" rel="external nofollow">Source</a>
		</p>

	</div>
</div>
]]></description><guid isPermaLink="false">28561</guid><pubDate>Wed, 02 Apr 2025 17:55:00 +0000</pubDate></item><item><title>Microsoft uses AI to find flaws in GRUB2, U-Boot, Barebox bootloaders</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-uses-ai-to-find-flaws-in-grub2-u-boot-barebox-bootloaders-r28528/</link><description><![CDATA[<p>
	Microsoft used its AI-powered Security Copilot to discover 20 previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders.
</p>

<p>
	 
</p>

<p>
	GRUB2 (GRand Unified Bootloader) is the default boot loader for most Linux distributions, including Ubuntu, while U-Boot and Barebox are commonly used in embedded and IoT devices.
</p>

<p>
	 
</p>

<p>
	Microsoft discovered eleven vulnerabilities in GRUB2, including integer and buffer overflows in filesystem parsers, command flaws, and a side-channel in cryptographic comparison.
</p>

<p>
	 
</p>

<p>
	Additionally, 9 buffer overflows in parsing SquashFS, EXT4, CramFS, JFFS2, and symlinks were discovered in U-Boot and Barebox, which require physical access to exploit.
</p>

<p>
	 
</p>

<p>
	The newly discovered flaws impact devices relying on UEFI Secure Boot, and if the right conditions are met, attackers can bypass security protections to execute arbitrary code on the device.
</p>

<p>
	 
</p>

<p>
	While exploiting these flaws would likely need local access to devices, previous bootkit attacks like <a href="https://www.bleepingcomputer.com/news/security/blacklotus-bootkit-bypasses-uefi-secure-boot-on-patched-windows-11/" rel="external nofollow" target="_blank">BlackLotus</a> achieved this through malware infections.
</p>

<p>
	 
</p>

<p>
	"While threat actors would likely require physical device access to exploit the U-boot or Barebox vulnerabilities, in the case of GRUB2, the vulnerabilities could further be exploited to bypass Secure Boot and install stealthy bootkits or potentially bypass other security mechanisms, such as BitLocker," <a href="https://www.microsoft.com/en-us/security/blog/2025/03/31/analyzing-open-source-bootloaders-finding-vulnerabilities-faster-with-ai/" rel="external nofollow" target="_blank">explains Microsoft</a>.
</p>

<p>
	 
</p>

<p>
	"The implications of installing such bootkits are significant, as this can grant threat actors complete control over the device, allowing them to control the boot process and operating system, compromise additional devices on the network, and pursue other malicious activities."
</p>

<p>
	 
</p>

<p>
	"Furthermore, it could result in persistent malware that remains intact even after an operating system reinstallation or a hard drive replacement."
</p>

<p>
	 
</p>

<p>
	Below is a summary of the flaws Microsoft uncovered in GRUB2:
</p>

<p>
	 
</p>

<ul style="list-style-type:square">
	<li>
		<strong>CVE-2024-56737</strong> – Buffer overflow in HFS filesystem mounting due to unsafe strcpy on a non-null-terminated string
	</li>
	<li>
		<strong>CVE-2024-56738</strong> – Side-channel attack in cryptographic comparison function (grub_crypto_memcmp not constant-time)
	</li>
	<li>
		<strong>CVE-2025-0677</strong> – Integer overflow in UFS symbolic link handling leads to buffer overflow
	</li>
	<li>
		<strong>CVE-2025-0678</strong> – Integer overflow in Squash4 file reading leads to buffer overflow
	</li>
	<li>
		<strong>CVE-2025-0684</strong> – Integer overflow in ReiserFS symbolic link handling leads to buffer overflow
	</li>
	<li>
		<strong>CVE-2025-0685</strong> – Integer overflow in JFS symbolic link handling leads to buffer overflow
	</li>
	<li>
		<strong>CVE-2025-0686</strong> – Integer overflow in RomFS symbolic link handling leads to buffer overflow
	</li>
	<li>
		<strong>CVE-2025-0689</strong> – Out-of-bounds read in UDF block processing
	</li>
	<li>
		<strong>CVE-2025-0690</strong> – Signed integer overflow and out-of-bounds write in read command (keyboard input handler)
	</li>
	<li>
		<strong>CVE-2025-1118</strong> – dump command allows arbitrary memory read (should be disabled in production)
	</li>
	<li>
		<strong>CVE-2025-1125</strong> – Integer overflow in HFS compressed file open causes buffer overflow
	</li>
</ul>

<p>
	 
</p>

<p>
	All of the above flaws are rated medium severity, except for CVE-2025-0678, which is rated "high" (CVSS v3.1 score: 7.8).
</p>

<p>
	 
</p>

<p>
	Microsoft says Security Copilot dramatically accelerated the vulnerability discovery process in a large and complex codebase, such as GRUB2, saving approximately 1 week of time that would be required for manual analysis.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Copilot identifying a flaw and suggesting a fix" class="ipsImage" height="442" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/March/fix.jpg">
		<figcaption>
			<em>Copilot identifying a flaw and suggesting a fix<br>
			Source: Microsoft</em>
		</figcaption>
	</figure>
</div>

<p>
	Not only did the AI tool identify the previously undiscovered flaws, but it also provided targeted mitigation recommendations that could provide pointers and accelerate the issuing of security patches, especially in open-source projects supported by volunteer contributors and small core teams.
</p>

<p>
	 
</p>

<p>
	Using the findings in the analysis, Microsoft says Security Copilot found similar bugs in projects utilizing shared code with GRUB2, such as U-boot and Barebox.
</p>

<p>
	 
</p>

<p>
	GRUB2, U-boot, and Barebox released <a href="https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html" rel="external nofollow" target="_blank">security updates</a> for the vulnerabilities in February 2025, so updating to the latest versions should mitigate the flaws.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-uses-ai-to-find-flaws-in-grub2-u-boot-barebox-bootloaders/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28528</guid><pubDate>Tue, 01 Apr 2025 04:23:22 +0000</pubDate></item><item><title>Hackers abuse WordPress MU-Plugins to hide malicious code</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-abuse-wordpress-mu-plugins-to-hide-malicious-code-r28527/</link><description><![CDATA[<p>
	Hackers are utilizing the WordPress mu-plugins ("Must-Use Plugins") directory to stealthily run malicious code on every page while evading detection.
</p>

<p>
	 
</p>

<p>
	The technique was <a href="https://blog.sucuri.net/2025/02/hidden-backdoors-uncovered-in-wordpress-malware-investigation.html" rel="external nofollow" target="_blank">first observed</a> by security researchers at Sucuri in February 2025, but adoption rates are on the rise, with threat actors now utilizing the folder to run three distinct types of malicious code.
</p>

<p>
	 
</p>

<p>
	"The fact that we've seen so many infections inside mu-plugins suggests that attackers are actively targeting this directory as a persistent foothold," <a href="https://blog.sucuri.net/2025/03/hidden-malware-strikes-again-mu-plugins-under-attack.html" rel="external nofollow" target="_blank">explains Sucuri's security analyst Puja Srivastava</a>.
</p>

<h2>
	"Must-have" malware
</h2>

<p>
	Must-Use Plugins (mu-plugins) are a special type of WordPress plugin that automatically execute on every page load without needing to be activated in the admin dashboard.
</p>

<p>
	 
</p>

<p>
	They are PHP files stored in the '<code>wp-content/mu-plugins/</code>' directory that automatically execute when the page is loaded, and they are not listed in the regular "Plugins" admin page unless the "Must-Use" filter is checked.
</p>

<p>
	 
</p>

<p>
	Mu-plugins have legitimate use cases such as enforcing site-wide functionality for custom security rules, performance tweaks, and dynamically modifying variables or other code.
</p>

<p>
	 
</p>

<p>
	However, because MU-plugins run on every page load and don't appear in the standard plugin list, they can be used to stealthily perform a wide range of malicious activity, such as stealing credentials, injecting malicious code, or altering HTML output.
</p>

<p>
	 
</p>

<p>
	Sucuri has discovered three payloads that attackers are planting in the mu-plugins directory, which appear to be part of financially motivated operations.
</p>

<p>
	 
</p>

<p>
	These are summarized as follows:
</p>

<p>
	 
</p>

<ol>
	<li>
		<strong>redirect.php</strong>: Redirects visitors (excluding bots and logged-in admins) to a malicious website (updatesnow[.]net) that displays a fake browser update prompt to trick them into downloading malware.
	</li>
	<li>
		<strong>index.php</strong>: Webshell that acts as a backdoor, fetching and executing PHP code from a GitHub repository.
	</li>
	<li>
		<strong>custom-js-loader.php</strong>: Loads JavaScript that replaces all images on the site with explicit content and hijacks all outbound links, opening shady popups instead.
	</li>
</ol>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="The 403WebShell interface" class="ipsImage" height="616" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/March/webshell.jpg">
		<figcaption>
			<em>The 403WebShell interface<br>
			Source: Sucuri</em>
		</figcaption>
	</figure>
</div>

<p>
	The webshell case is particularly dangerous as it allows the attackers to remotely execute commands on the server, steal data, and launch downstream attacks on members/visitors.
</p>

<p>
	 
</p>

<p>
	The other two payloads can also be damaging, as they hurt a site's reputation and SEO scores through shady redirections and attempt to install malware on visitors' computers.
</p>

<p>
	 
</p>

<p>
	Sucuri has not determined the exact infection pathway but hypothesizes that attackers exploit known vulnerabilities on plugins and themes or weak admin account credentials.
</p>

<p>
	 
</p>

<p>
	It is recommended that WordPress site admins apply security updates on their plugins and themes, disable or uninstall those that aren't needed, and protect privileged accounts with strong credentials and multi-factor authentication.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-abuse-wordpress-mu-plugins-to-hide-malicious-code/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28527</guid><pubDate>Tue, 01 Apr 2025 04:22:13 +0000</pubDate></item><item><title>New Ubuntu Linux security bypasses require manual mitigations</title><link>https://nsaneforums.com/news/security-privacy-news/new-ubuntu-linux-security-bypasses-require-manual-mitigations-r28485/</link><description><![CDATA[<p>
	Three security bypasses have been discovered in Ubuntu Linux’s unprivileged user namespace restrictions, which could enable a local attacker to exploit vulnerabilities in kernel components.
</p>

<p>
	 
</p>

<p>
	The issues allow local unprivileged users to create user namespaces with full administrative capabilities and impact Ubuntu versions 23.10, where unprivileged user namespace restrictions are enabled, and 24.04, which has them active by default.
</p>

<p>
	 
</p>

<p>
	Linux user namespaces allow users to act as root inside an isolated sandbox (namespace) without having the same privileges on the host.
</p>

<p>
	 
</p>

<p>
	Ubuntu added AppArmor-based restrictions in version 23.10 and enabled them by default in 24.04 to limit the risk of namespace misuse.
</p>

<p>
	 
</p>

<p>
	Researchers at cloud security and compliance company Qualys found that these restrictions can be bypassed in three different ways.
</p>

<p>
	 
</p>

<p>
	“Qualys TRU uncovered three distinct bypasses of these namespace restrictions, each enabling local attackers to create user namespaces with full administrative capabilities,” the researchers say.
</p>

<p class="QuoteNewsStyle">
	“These bypasses facilitate exploiting vulnerabilities in kernel components requiring powerful administrative privileges within a confined environment” - <a href="http://blog.qualys.com/vulnerabilities-threat-research/2025/03/27/qualys-tru-discovers-three-bypasses-of-ubuntu-unprivileged-user-namespace-restrictions" rel="external nofollow" target="_blank">Qualys</a>
</p>

<p>
	The researchers note that these bypasses are dangerous when combined with kernel-related vulnerabilities, but they are not enough on their own to obtain complete control of the system.
</p>

<p>
	 
</p>

<p>
	Qualys provides <a href="http://www.qualys.com/2025/three-bypasses-of-Ubuntu-unprivileged-user-namespace-restrictions.txt" rel="external nofollow" target="_blank">technical details for the three bypass methods</a>, which are summarized as follows:
</p>

<p>
	 
</p>

<ol>
	<li>
		<strong>Bypass via aa-exec</strong>: Users can exploit the <em>aa-exec</em> tool, which allows running programs under specific AppArmor profiles. Some of these profiles - like <em>trinity</em>, <em>chrome</em>, or <em>flatpak</em> - are configured to allow creating user namespaces with full capabilities. By using the <em>unshare</em> command through <em>aa-exec</em> under one of these permissive profiles, an unprivileged user can bypass the namespace restrictions and increase privileges within a namespace.
	</li>
	<li>
		<strong>Bypass via busybox</strong>: The busybox shell, installed by default on both Ubuntu Server and Desktop, is associated with an AppArmor profile that also permits unrestricted user namespace creation. An attacker can launch a shell via busybox and use it to execute <em>unshare</em>, successfully creating a user namespace with full administrative capabilities.
	</li>
	<li>
		<strong>Bypass via LD_PRELOAD</strong>: This technique leverages the dynamic linker’s LD_PRELOAD environment variable to inject a custom shared library into a trusted process. By injecting a shell into a program like Nautilus - which has a permissive AppArmor profile - an attacker can launch a privileged namespace from within that process, bypassing the intended restrictions.
	</li>
</ol>

<p>
	 
</p>

<p>
	Qualys notified the Ubuntu security team of their findings on January 15 and agreed to a coordinated release. However, the busybox bypass was discovered independently by vulnerability researcher <a href="http://x.com/roddux/status/1903081918578532391" rel="external nofollow" target="_blank">Roddux</a>, who published the details on March 21.
</p>

<h2>
	Canonical’s response and mitigations
</h2>

<p>
	Canonical, the organization behind Ubuntu Linux, has acknowledged Qualys’ findings and confirmed to BleepingComputer that they are developing improvements to the AppArmor protections.
</p>

<p>
	 
</p>

<p>
	A spokesperson told us that they are not treating these findings as vulnerabilities per se but as limitations of a defense-in-depth mechanism. Hence, protections will be released according to standard release schedules and not as urgent security fixes.
</p>

<p>
	 
</p>

<p>
	In <a href="https://discourse.ubuntu.com/t/understanding-apparmor-user-namespace-restriction/58007" rel="external nofollow" target="_blank">a bulletin</a> published on the official discussion forum (Ubuntu Discourse), the company shared the following hardening steps that administrators should consider:
</p>

<p>
	 
</p>

<ul>
	<li>
		Enable kernel.apparmor_restrict_unprivileged_unconfined=1 to block aa-exec abuse (not enabled by default).
	</li>
	<li>
		Disable broad AppArmor profiles for busybox and Nautilus, which allow namespace creation.
	</li>
	<li>
		Optionally apply a stricter bwrap AppArmor profile for applications like Nautilus that rely on user namespaces.
	</li>
	<li>
		Use aa-status to identify and disable other risky profiles.
	</li>
</ul>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-ubuntu-linux-security-bypasses-require-manual-mitigations/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28485</guid><pubDate>Fri, 28 Mar 2025 17:56:26 +0000</pubDate></item><item><title>Mozilla warns Windows users of critical Firefox sandbox escape flaw</title><link>https://nsaneforums.com/news/security-privacy-news/mozilla-warns-windows-users-of-critical-firefox-sandbox-escape-flaw-r28469/</link><description><![CDATA[<p>
	Mozilla has released Firefox 136.0.4 to patch a critical security vulnerability that can let attackers escape the web browser's sandbox on Windows systems.
</p>

<p>
	 
</p>

<p>
	Tracked as <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/#CVE-2025-2857" rel="external nofollow" target="_blank">CVE-2025-2857</a>, this flaw is described as an "incorrect handle could lead to sandbox escapes" and was reported by Mozilla developer Andrew McCreight.
</p>

<p>
	 
</p>

<p>
	The vulnerability impacts the latest Firefox standard and extended support releases (ESR) designed for organizations that require extended support for mass deployments. Mozilla fixed the security flaw in Firefox 136.0.4 and Firefox ESR versions 115.21.1 and 128.8.1.
</p>

<p>
	 
</p>

<p>
	While Mozilla didn't share technical details regarding CVE-2025-2857, it said the <a href="https://www.bleepingcomputer.com/news/security/google-fixes-chrome-zero-day-exploited-in-espionage-campaign/" rel="external nofollow" target="_blank">vulnerability is similar to a Chrome zero-day</a> exploited in attacks and patched by Google earlier this week.
</p>

<p>
	 
</p>

<p>
	"Following the sandbox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code. Attackers were able to confuse the parent process into leaking handles into unpriviled [<em>sic</em>] child processes leading to a sandbox escape," Mozilla said in a Thursday advisory.
</p>

<p>
	 
</p>

<p>
	"The original vulnerability was being exploited in the wild. This only affects Firefox on Windows. Other operating systems are unaffected."
</p>

<h2>
	Chrome zero-day exploited to target Russia
</h2>

<p>
	Kaspersky's Boris Larin and Igor Kuznetsov, who discovered and reported CVE-2025-2783 to Google, said on Tuesday that the zero-day was exploited in the wild to bypass Chrome sandbox protections and infect targets with sophisticated malware.
</p>

<p>
	 
</p>

<p>
	They spotted CVE-2025-2783 exploits deployed in a cyber-espionage campaign dubbed Operation ForumTroll, targeting Russian government organizations and journalists at unnamed Russian media outlets.
</p>

<p>
	 
</p>

<p>
	"The vulnerability CVE-2025-2783 really left us scratching our heads, as, without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist," they said.
</p>

<p>
	 
</p>

<p>
	"The malicious emails contained invitations supposedly from the organizers of a scientific and expert forum, 'Primakov Readings,' targeting media outlets, educational institutions and government organizations in Russia."
</p>

<p>
	 
</p>

<p>
	In October, Mozilla also patched a zero-day vulnerability (<a href="https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/" rel="external nofollow" target="_blank">CVE-2024-9680</a>) in Firefox's animation timeline feature exploited by the Russian-based RomCom cybercrime group that let the attackers gain code execution in the web browser's sandbox.
</p>

<p>
	 
</p>

<p>
	The flaw was chained with a Windows privilege escalation zero-day (<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49039" rel="external nofollow" target="_blank">CVE-2024-49039</a>) that allowed the Russian hackers to execute code outside the Firefox sandbox. Their victims were tricked into visiting an attacker-controlled website that downloaded and executed the RomCom backdoor on their systems.
</p>

<p>
	 
</p>

<p>
	Months earlier, it <a href="https://www.bleepingcomputer.com/news/security/mozilla-fixes-two-firefox-zero-day-bugs-exploited-at-pwn2own/" rel="external nofollow" target="_blank">fixed two Firefox zero-day vulnerabilities</a> one day after they were exploited at the Pwn2Own Vancouver 2024 hacking competition.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/mozilla-warns-windows-users-of-critical-firefox-sandbox-escape-flaw/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28469</guid><pubDate>Thu, 27 Mar 2025 18:32:42 +0000</pubDate></item><item><title>The Best Password Managers to Secure Your Digital Life</title><link>https://nsaneforums.com/news/security-privacy-news/the-best-password-managers-to-secure-your-digital-life-r28443/</link><description><![CDATA[<h3>
	Keep your logins locked down with our favorite password management apps for PC, Mac, Android, iPhone, and web browsers.
</h3>

<p>
	<span class="lead-in-text-callout">Password managers are</span> the vegetables of the internet. We know they’re good for us, but most of us are happier snacking on the <a href="https://www.wired.com/story/7-steps-to-password-perfection/" rel="external nofollow">password equivalent of junk food</a>. For nearly a decade, that’s been “123456” and “password”—the two <a href="https://www.wired.com/2016/01/worst-passwords-list/" rel="external nofollow">most commonly used passwords</a> on the web. The problem is, most of us don’t know what makes a good password and aren’t able to remember hundreds of them anyway.
</p>

<p>
	 
</p>

<p>
	The safest (if craziest) way to store your passwords is to memorize them all. (Make sure they are long, strong, and <a href="https://www.wired.com/2016/05/password-tips-experts/" rel="external nofollow">secure</a>!) Just kidding. That might work for <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://en.wikipedia.org/wiki/Ed_Cooke_(author)" href="https://en.wikipedia.org/wiki/Ed_Cooke_(author)" rel="external nofollow" target="_blank">Memory Grand Master Ed Cooke</a>, but most of us are not capable of such fantastic feats. We need to offload that work to password managers, which offer secure vaults that can stand in for our memory. The best password manager offers convenience and, more importantly, helps you create better passwords, which makes your online existence less vulnerable to password-based attacks.
</p>

<div>
	 
</div>

<p>
	Read <a href="https://www.wired.com/story/best-vpn/" rel="external nofollow">our guide to VPN providers</a> for more ideas on how you can upgrade your security, as well as <a href="https://www.wired.com/story/how-to-back-up-your-digital-life/" rel="external nofollow">our guide to backing up your data</a> to make sure you don’t lose anything if the unexpected happens.
</p>

<p>
	 
</p>

<p>
	<em>Updated March 2025: We've updated our review of Dashlane based on recent testing, added NordPass back, and have more details on the status of passkey support.</em>
</p>

<div class="AccordionWrapper-hIuJtK bCzlaC" name="accordion">
	<div class="AccordionItemWrapper-eGPSID czXIDr">
		<div class="AccordionContainer-fEnXXG iiuTyf">
			<div class="AccordionItemContainer-jbkqX ckSoPI" data-testid="accordion-item-container">
				<div class="AccordionItemContainerLabel-hZxKcV bwkkoI">
					<h3>
						Why Not Use Your Browser?
					</h3>
				</div>
			</div>

			<div class="AccordionItemContainerContent-cezZtS fKNdmR opening-animation">
				<div>
					<p>
						Most web browsers offer at least a rudimentary password manager. (This is where your passwords are stored when Google Chrome or Mozilla Firefox asks if you’d like to save a password.) This is better than reusing the same password everywhere, but <a href="https://www.wired.com/2016/08/browser-password-manager-probably-isnt-enough/" rel="external nofollow">browser-based password managers are limited</a>. In recent years, Google has improved the password manager built into Chrome, and it's better than the rest, but it's still not as full-featured or widely supported as a dedicated password manager like those below.
					</p>

					<p>
						 
					</p>

					<p>
						WIRED readers have also asked about Apple’s password manager, which syncs through iCloud and has some nice integrations with the Safari web browser. There’s nothing wrong with Apple’s system. It doesn’t have some of the nice extras you get with dedicated services, but it handles securing your passwords and syncing them between Apple devices. The main problem is that if you have any non-Apple devices, you won’t be able to sync your passwords to them. All in on Apple? Then this is a viable, free, built-in option worth considering.
					</p>
				</div>
			</div>
		</div>
	</div>

	<div class="AccordionItemWrapper-eGPSID czXIDr">
		<div class="AccordionContainer-fEnXXG iiuTyf">
			<div class="AccordionItemContainer-jbkqX ckSoPI" data-testid="accordion-item-container">
				<div class="AccordionItemContainerLabel-hZxKcV bwkkoI">
					<h3>
						What Are Passkeys?
					</h3>
				</div>
			</div>

			<div class="AccordionItemContainerContent-cezZtS fKNdmR opening-animation">
				<div>
					<p>
						A concerted effort to get rid of passwords began roughly two days after the password was invented. Passwords are a pain—you’ll get no argument here—but we don’t see them going away in the foreseeable future. The latest effort to eliminate the password comes from the <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.passkeycentral.org/introduction-to-passkeys/how-passkeys-work" href="https://www.passkeycentral.org/introduction-to-passkeys/how-passkeys-work" rel="external nofollow" target="_blank">FIDO Alliance</a>, an industry group aimed at standardizing authentication methods online. Does this sound a little bit like the infamous <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://xkcd.com/927/" href="https://xkcd.com/927/" rel="external nofollow" target="_blank">xkcd 927</a>? Yes, yes it does. But thanks to the monopolistic nature of devices, it might work this time.
					</p>

					<p>
						 
					</p>

					<p>
						Apple supports the FIDO specs and coined the term passkeys, which has caught on. Passkeys are generated cryptographic keys managed by your device (usually your phone). They’re easy to create—you don’t need to do anything, your device handles the details. Your passkeys are stored on your device and protected by either biometrics or PINs. Since passkeys are generated key pairs instead of passwords, there's nothing to remember. If you are familiar with <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://en.wikipedia.org/wiki/GNU_Privacy_Guard" href="https://en.wikipedia.org/wiki/GNU_Privacy_Guard" rel="external nofollow" target="_blank">GPG keys</a>, they're somewhat similar in that there's a public and private key; the website you want to log in to has a public key and sends it to your device. Your device compares that to the private key it has and you're signed in (or not if the keys don't match). While passkeys aren't a radical departure, they're still an improvement by virtue of being a preinstalled tool for people who aren't going to read this article and immediately sign up to use one of the services below. If millions of people suddenly stop using 12345678 as a password, that's a win for security.
					</p>
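					<p>
						A simplified model of the key-pair sign-in described above, added here as an example; it is not from the article and does not use the real WebAuthn message format. The site keeps only the public key and verifies a signature the device makes over a fresh challenge. The names Device, Site, signedData and demo, the P-256 curve choice, and the example.test origins are assumptions made for illustration.
					</p>

```javascript
// Added example: simplified passkey-style sign-in (not the real WebAuthn format).
const nodeCrypto = require('node:crypto');

// What gets signed: a hash of the origin the browser is on, plus the site's challenge.
function signedData(origin, challenge) {
  const originHash = nodeCrypto.createHash('sha256').update(origin).digest();
  return Buffer.concat([originHash, challenge]);
}

// Device side: holds private keys, one per origin. They never leave the device.
class Device {
  constructor() {
    this.keys = new Map(); // origin -> private key
  }
  // Registration: generate a key pair and return only the public half.
  register(origin) {
    const pair = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(origin, pair.privateKey);
    return pair.publicKey.export({ type: 'spki', format: 'pem' });
  }
  // Sign-in: sign the challenge for the origin the browser actually sees.
  sign(originSeenByBrowser, challenge) {
    const privateKey = this.keys.get(originSeenByBrowser);
    if (!privateKey) return null; // no passkey exists for this origin
    return nodeCrypto.sign('sha256', signedData(originSeenByBrowser, challenge), privateKey);
  }
}

// Site side: stores public keys only, so a server breach leaks nothing reusable.
class Site {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // username -> PEM public key
    this.pending = new Map();    // username -> outstanding challenge
  }
  enroll(username, publicKeyPem) {
    this.publicKeys.set(username, publicKeyPem);
  }
  startLogin(username) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(username, challenge);
    return challenge;
  }
  finishLogin(username, signature) {
    const challenge = this.pending.get(username);
    this.pending.delete(username); // each challenge is single use
    const pem = this.publicKeys.get(username);
    if (!challenge || !pem || !signature) return false;
    return nodeCrypto.verify('sha256', signedData(this.origin, challenge), pem, signature);
  }
}

function demo() {
  const site = new Site('https://example.test'); // constructed origin
  const device = new Device();
  site.enroll('alice', device.register(site.origin));

  // 1. Normal sign-in: fresh challenge, signed on the device, verified by the site.
  const firstChallenge = site.startLogin('alice');
  const firstSignature = device.sign(site.origin, firstChallenge);
  const ok = site.finishLogin('alice', firstSignature);

  // 2. Replay: an old signature does not match the next challenge.
  site.startLogin('alice');
  const replay = site.finishLogin('alice', firstSignature);

  // 3. Look-alike origin relays a real challenge: the device has no key for it.
  const relayed = site.startLogin('alice');
  const phishedSig = device.sign('https://examp1e.test', relayed);
  const phishedLogin = site.finishLogin('alice', phishedSig);

  return { ok, replay, phishedSig, phishedLogin };
}

console.log(demo());
```

					<p>
						Nothing the user could type or be tricked into revealing takes part in the exchange, which is why a stolen site database or a spoofed login page yields no reusable credential in this model.
					</p>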

					<p>
						 
					</p>

					<p>
						Almost all of the apps we've suggested here can store passkeys, which means you can store your passkeys right alongside your passwords. Our two favorites, Bitwarden and 1Password, can generate, save, store, and sync passkeys. You can even log in to Bitwarden using a passkey, which pretty much eliminates the need for a password at all. Once you have a passkey stored, it will automatically sync to all your devices the same way Bitwarden and 1Password sync your passwords. When you return to that site, your password manager will log you in using the passkey you generated.
					</p>

					<p>
						 
					</p>

					<p>
						Think of passkeys as credit cards next to the cash (passwords) in your wallet. It's possible that one day passkeys will work everywhere and there will be no passwords, no password managers. In the meantime, we think it's better to stick with a password manager, even if all you're doing with that manager is storing passkeys.
					</p>
				</div>
			</div>
		</div>
	</div>

	<div class="AccordionItemWrapper-eGPSID czXIDr">
		<div class="AccordionContainer-fEnXXG iiuTyf">
			<div class="AccordionItemContainer-jbkqX ckSoPI" data-testid="accordion-item-container">
				<div class="AccordionItemContainerLabel-hZxKcV bwkkoI">
					<h3>
						Password Manager Perks (and Tips)
					</h3>
				</div>
			</div>

			<div class="AccordionItemContainerContent-cezZtS fKNdmR opening-animation">
				<div>
					<p>
						A good password manager stores, generates, and updates passwords for you with the press of a button. If you’re willing to spend a few dollars a month, a password manager can sync your passwords across all of your devices. Here’s how they work.
					</p>

					<p>
						 
					</p>

					<p>
						<strong>Only one password to remember</strong>: To access all of your passwords, you only have to remember one password. When you type that into the password manager, it unlocks the vault containing all of your actual passwords. Only needing to remember one password is great, but it means there’s a lot riding on that password. Make sure it’s a good one. If you’re having trouble coming up with that one password to rule them all, check out our guide to <a href="https://www.wired.com/2016/05/password-tips-experts/" rel="external nofollow">better password security</a>. You might also consider using the <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://theworld.com/~reinhold/diceware.html" href="https://theworld.com/~reinhold/diceware.html" rel="external nofollow" target="_blank">Diceware</a> method for generating a strong master password.
					</p>

					<p>
						 
					</p>

					<p>
						<strong>Apps and extensions</strong>: Most password managers are full systems, rather than a single piece of software. They consist of apps or browser extensions for each of your devices (Windows, Mac, Android phones, iPhone, and tablets), which have tools to help you create secure passwords, safely store them, and evaluate the security of your existing passwords. All that information is then sent to a central server where your passwords are encrypted, stored, and shared between devices.
					</p>

					<p>
						 
					</p>

					<p>
						<strong>Fixing compromised passwords</strong>: While password managers can help you create more secure passwords and keep them safe from prying eyes, they can’t protect your password if <a href="https://www.wired.com/story/collection-one-breach-email-accounts-passwords/" rel="external nofollow">the website itself is breached</a>. That doesn’t mean they don’t help in this scenario though. All the cloud-based password managers we discuss offer tools to alert you to potentially compromised passwords. Password managers also make it easier to quickly change a compromised password and search through your credentials to ensure you didn’t reuse any compromised passwords.
					</p>

					<p>
						 
					</p>

					<p>
						<strong>You should disable auto form-filling</strong>: Some password managers will automatically fill in and even submit web forms for you. This is super convenient, but for additional security, we suggest you disable this feature. Automatically filling forms in the browser has made password managers <a href="https://www.wired.com/story/password-manager-autofill-ad-tech-privacy/" rel="external nofollow">vulnerable to attacks</a> in the past. For this reason, some, like <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://1password.com/sign-up/" href="https://cna.st/affiliate-link/CSR3NfxvaPGz27mr6xnFeFDPvjzpcC41Fna3DFZAwwPoptDnox1szK35MtaZnEUHqrwEZnVhnaVeN7ARawjPZXgyYSB2QjMQEyfkjcoL8qmAZTY8f7NZry77r6fdhKa" rel="external nofollow" target="_blank">1Password</a>, require you to opt into this feature. We suggest you do not.
					</p>

					<p>
						 
					</p>

					<p>
						<strong>Don’t panic about hacks</strong>: Software has bugs, even your password manager. The question is not what to do <em>if</em> it becomes known that your password manager has a flaw, but what you do <em>when</em> it becomes known that your password manager has a flaw. The answer is, first, don’t panic. Normally bugs are <a href="https://www.wired.com/story/a-password-exposing-bug-was-purged-from-lastpass/" rel="external nofollow">found</a>, reported, and fixed before they’re exploited in the wild. Even if someone does manage to gain access to your password manager’s servers, you should still be fine. All of the services we list store only encrypted data, and none of them store your encryption key, meaning all an attacker gets from compromising their servers is encrypted data.
					</p>
				</div>
			</div>
		</div>
	</div>
</div>

<div id="best" style="outline: none;" tabindex="-1">
	<h2 class="paywall">
		Best for Most People
	</h2>
</div>

<h2>
	Bitwarden
</h2>

<div class="AssetEmbedAssetContainer-eJxoAx dBHGoQ asset-embed__asset-container">
	<span class="SpanWrapper-umhxW jvZaPI responsive-asset AssetEmbedResponsiveAsset-cXBNxi eCxVQK asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cWuUZO dUOtEa AssetEmbedResponsiveAsset-cXBNxi eCxVQK asset-embed__responsive-asset responsive-image" style=""><img alt="Desktop mobile and tablet view of a password manager app" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/662c11f045b043efb4b532af/master/w_960,c_limit/Bitwarden-Update-Color-Background-SOURCE-Bitwarden.jpg"></picture></span>
</div>

<div class="CaptionWrapper-jSZdqE fJvQtP caption AssetEmbedCaption-fNQBPI dDrfgT asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<em><span class="BaseWrap-sc-gjQpdd BaseText-ewhhUZ CaptionCredit-ejegDm iUEiRd isTgyB fNaHcW caption__credit">Photograph: Bitwarden</span></em>
</div>


<p>
	Bitwarden (<a href="https://www.wired.com/review/bitwarden-password-manager" rel="external nofollow">9/10, WIRED Recommends</a>) is secure, open source, and free with no limits. The applications are polished and user-friendly, making the service the best choice for most users. Did I mention it’s open source? That means the <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://bitwarden.com/blog/understanding-bitwarden-architecture/" href="https://bitwarden.com/blog/understanding-bitwarden-architecture/" rel="external nofollow" target="_blank">code that powers Bitwarden</a> is freely available for anyone to inspect, seek out flaws, and fix. In theory, the more eyes on the code, the more airtight it becomes. Bitwarden was also <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://bitwarden.com/blog/third-party-security-audit/" href="https://bitwarden.com/blog/third-party-security-audit/" rel="external nofollow" target="_blank">audited for 2023 by a third party</a> to ensure it’s secure. You can install it on a local server for easy self-hosting if you prefer to run your own cloud.
</p>

<p>
	 
</p>

<p>
	There are apps for Android, iOS, Windows, macOS, and Linux, as well as extensions for all major web browsers. Bitwarden also supports Windows Hello and Touch ID on its desktop apps for Windows and macOS, giving users the added security of those biometric authentication systems. The web interface (which I frequently use) recently underwent a redesign, which makes it much cleaner and easier to use.
</p>

<p>
	 
</p>

<p>
	Bitwarden supports passwordless authentication, meaning you can log in with a one-time code, biometric authentication, or a security key. Bitwarden also has excellent support for passkeys, including the ability to <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://bitwarden.com/blog/log-into-bitwarden-with-a-passkey/" href="https://cna.st/affiliate-link/meh9fHuiYWLipnB6KA3ZTAM4tL2kCV2nNJBmBKdgep1ggjUg9xNRSd3kyequsMsoyPA5G4sGSAcMDFNLV3CHrc5WBY9ZhBQ9qG1jkBogw3jvLKVBHrmZTiuPJtPJW7BRW5sxEQeeyTgnDSnHM6KKdhrCCgN7QXiTcV1HWVzcL" rel="external nofollow" target="_blank">log into Bitwarden with a passkey</a>, which means you don't need to use your username or password even to open your vault. There are also some extras, like a feature to securely share files (called <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://bitwarden.com/products/send/" href="https://cna.st/affiliate-link/S99RnZiqgDo8Mo2oZuprhJnApTqvW2mLPmoVR62VXo9J4ivcFVw69BocYSDep8vEJJvpWJVRmfUuhtczQPnE2jKMgAMC6xbT1nhHdVr5BSXrikQfEPMxwP3mydoPJoFQiZVK3MN" rel="external nofollow" target="_blank">Bitwarden Send</a>), an authenticator app (paid only), and an extremely <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://community.bitwarden.com" href="https://community.bitwarden.com" rel="external nofollow" target="_blank">active and helpful community.</a>
</p>

<p>
	 
</p>


<p>
	I like Bitwarden’s semi-automated password fill-in tool. If you visit a site you’ve saved credentials for, Bitwarden’s browser icon shows the number of saved credentials from that site. Click the icon, and it will ask which account you want to use and then automatically fill in the login form. This makes it easy to switch between usernames and avoid the pitfalls of autofill. If you simply must have your fully automated form-filling feature, Bitwarden supports that as well.
</p>

<p>
	 
</p>

<p>
	Bitwarden offers paid upgrade accounts. The cheapest of the bunch, Bitwarden Premium, is $10 per year. That gets you 1 GB of encrypted file storage and two-factor authentication with devices like <a href="https://www.wired.com/story/how-to-use-a-yubikey/" rel="external nofollow">YubiKey</a>, FIDO U2F, and Duo, plus a password hygiene and vault health report. You also get priority customer support with a paid account.
</p>

<p>
	 
</p>

<p>
	<em>After signing up,</em> <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://bitwarden.com/download/" href="https://cna.st/affiliate-link/AHcgzb2EnUb7vSbwV2ncnKVVTo1caqPU4Fm2Z2M6QtRSmQyjfSw431jURBh8rW42dQK1TZuJXPRBxPZxYn?cid=5ce3031cfd8c3451c5008275" rel="external nofollow" target="_blank"><em>download the app</em></a> <em>for Windows, macOS, Android, iOS, or Linux. There are also browser extensions for</em> <em><a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://bitwarden.com/download" href="https://cna.st/affiliate-link/372k3dFnGHfzkpwb6SnE6HRadtCvNiKgfM7MHmiFpZ3NF99n1ZA5K8R87qeBqppMm3ZdMX7Quehpo5fHD?cid=5ce3031cfd8c3451c5008275" rel="external nofollow" target="_blank">Firefox, Chrome, Safari, Edge, Vivaldi, and Brave</a>.</em>
</p>

<div id="upgrade" style="outline: none;" tabindex="-1">
	<h2 class="paywall">
		Best Upgrade
	</h2>
</div>

<h2>
	1Password
</h2>


<div class="CaptionWrapper-jSZdqE fJvQtP caption AssetEmbedCaption-fNQBPI dDrfgT asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<img alt="1Password-Mac-Screenshot-SOURCE-1Passwor" class="ipsImage" data-ratio="75.10" height="468" width="720" src="https://media.wired.com/photos/641e47172bfc9c24ab89ac43/master/w_1600,c_limit/1Password-Mac-Screenshot-SOURCE-1Password-update.jpg">
</div>

<div class="CaptionWrapper-jSZdqE fJvQtP caption AssetEmbedCaption-fNQBPI dDrfgT asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<em><span class="BaseWrap-sc-gjQpdd BaseText-ewhhUZ CaptionCredit-ejegDm iUEiRd isTgyB fNaHcW caption__credit">Courtesy of 1Password</span></em>
</div>


<p>
	What sets 1Password apart from the other options in this list is the number of extras it offers. Like other password managers, 1Password has apps for every major platform, including macOS, iOS, Android, Windows, Linux, and ChromeOS. There’s even a command-line tool that will work anywhere. There are plug-ins for your favorite web browser, which makes it easy to generate and edit new passwords on the fly.
</p>

<p>
	 
</p>

<p>
	I still find Bitwarden to be a more economical choice for most people, but 1Password has some very nice features you won't find elsewhere. If you frequently travel across national borders, you’ll appreciate my favorite perk: Travel Mode. This mode lets you delete any sensitive data from your devices before you travel and then restore it with a click after you’ve crossed a border. This prevents anyone, including law enforcement at international borders, from accessing your complete password vault.
</p>

<p>
	 
</p>

<p>
	It's worth noting that 1Password uses a combination of two keys to unlock your account: your password and an additional generated secret key. While that does add a layer of security that will protect against weak passwords, it also means part of what you need to unlock your passwords is something you did not create. 1Password does make sure you have this key as an item in your “emergency kit,” but I still prefer pairing a self-generated password with a YubiKey.
</p>

<p>
	 
</p>

<p>
	In addition to being a password manager, 1Password can act as an authentication app like <a href="https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&amp;hl=en_US&amp;pli=1" rel="external nofollow">Google Authenticator</a>. For added security, it creates a secret key to the encryption key it uses, meaning no one can decrypt your passwords without that key. The downside is that if you lose this key, no one, not even 1Password, can decrypt your passwords. (This can be mitigated by setting up a custom group with the “Recover Accounts” permission.)
</p>

<p>
	 
</p>

<p>
	1Password also offers tight integration with other mobile apps. Rather than copying and pasting passwords from your password manager to other apps (which puts your password on the clipboard, at least for a moment), 1Password is integrated with many apps and can autofill. This is more noticeable on iOS, where inter-app communication is more restricted.
</p>

<p>
	 
</p>

<p>
	<em>After signing up,</em> <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://1password.com/downloads/windows/" href="https://cna.st/affiliate-link/XG6wkdXU37uC7ABZ2sjkLNhMwueSFhAxMcHPjNp4Hkc1ZnuyXpQoLdetngNfgnWoMiH3qt4rZr9iKWdtwrWzno9i6Hr6Bp?cid=5ce3031cfd8c3451c5008275" rel="external nofollow" target="_blank"><em>download the app</em></a> <em>for Windows, macOS, Android, iOS, Chrome OS, or Linux. There are also browser extensions for</em> <em><a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://1password.com/downloads/windows/#browsers" href="https://cna.st/affiliate-link/2hc5hQAHwfj8VPYK7Qk9GwUbxRSgyWyQM4qy5vcfKEJkBx5RHvRYJwAv1AB7qCyoKZbCumnhQv7C4WbVsiGLQZ8jDKvt8bq3nazqW1pqkti?cid=5ce3031cfd8c3451c5008275" rel="external nofollow" target="_blank">Firefox, Chrome, Brave, and Edge</a>.</em>
</p>

<div id="fullfeatured" style="outline: none;" tabindex="-1">
	<h2 class="paywall">
		Best Full-Featured Manager
	</h2>
</div>

<h2>
	Dashlane
</h2>


<div class="CaptionWrapper-jSZdqE fJvQtP caption AssetEmbedCaption-fNQBPI dDrfgT asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<img alt="Sec_Dashlane-Web-UI-SOURCE-Dashlane-upda" class="ipsImage" data-ratio="75.10" height="477" width="720" src="https://media.wired.com/photos/641e471739fd292d15f6c3ab/master/w_1600,c_limit/Sec_Dashlane-Web-UI-SOURCE-Dashlane-update.jpg">
</div>

<div class="CaptionWrapper-jSZdqE fJvQtP caption AssetEmbedCaption-fNQBPI dDrfgT asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<em><span class="BaseWrap-sc-gjQpdd BaseText-ewhhUZ CaptionCredit-ejegDm iUEiRd isTgyB fNaHcW caption__credit">Courtesy of Dashlane</span></em>
</div>

<p>
	 
</p>

<p>
	Dashlane offers most of what you'll find in our other picks. The company doesn’t offer a desktop app, but I primarily use passwords in the web browser anyway, and Dashlane has add-ons for all the major browsers, along with iOS and Android apps. If a desktop app is important to you, that omission is something to be aware of, but in my testing, it isn't a big deal. Dashlane uses the same AES 256-bit encryption in a zero-knowledge system, which means passwords are only ever decrypted on your device. Dashlane supports multifactor authentication if you want it, via an authenticator app or a hardware key like the YubiKey.
</p>

<p>
	 
</p>

<p>
	Dashlane is considerably more expensive than Bitwarden or 1Password, but that extra money does get you some additional security features, like Site Breach Alerts, which let you know if any web services you use have leaked your data. Dashlane also actively monitors the darker corners of the web, looking for leaked or stolen personal data, and it alerts you if your information has been compromised. There's even a Phishing Alert system that will stop you from entering credentials on a site with a spoofed URL. This last feature is incredibly useful if you happen to be setting up less tech-savvy relatives or friends with a password manager. Dashlane's phishing protection can save them from themselves. Dashlane also offers a VPN through <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.hotspotshield.com" href="https://cna.st/affiliate-link/3bJgWNyAscQZQN26gsFLBFYot9PARjqG1dc8JGz8h65G98XYDuLgeTHnPrkbdChjYL4SYmD45siHnEc32n3c9AqyVWpHGxzj6HPYKj4Lbah7VaWDf8DktUqDJxCs2k" rel="external nofollow" target="_blank">Hotspot Shield VPN</a>. I have not tested the Dashlane integration, but in testing Hotspot Shield on its own, I've always found it too slow to <a href="https://www.wired.com/story/best-vpn/" rel="external nofollow">recommend in my VPN guide</a>.
</p>

<p>
	 
</p>

<p>
	Setup and migration to Dashlane from another password manager are simple, and you’ll use a secret key to encrypt your passwords, much like Bitwarden’s setup process. In practice, Dashlane is very similar to the others on this list. Dashlane offers a 30-day free trial, so you can test it out before committing.
</p>

<p>
	 
</p>

<p>
	<em>After signing up,</em> <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.dashlane.com/download" href="https://cna.st/affiliate-link/47v5BiBrmU3MqVi7x5MscyU8oZ3ZnDjPNaYKkCo2P41BhJX6iH7immkX31knUJnZUwkpSVDdtwhwfhsrPnw6b?cid=5ce3031cfd8c3451c5008275" rel="external nofollow" target="_blank"><em>download the app</em></a> <em>for Android and iOS, and grab the browser extensions for</em> <em><a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.dashlane.com/download" href="https://cna.st/affiliate-link/47v5BiBrmU3MqVi7x5MscyU8oZ3ZnDjPNaYKkCo2P41BhJX6iH7immkX31knUJnZUwkpSVDdtwhwfhsrPnw6b?cid=5ce3031cfd8c3451c5008275" rel="external nofollow" target="_blank">Firefox, Chrome, and Edge</a>.</em>
</p>

<div id="best-for-bundled-services" style="outline: none;" tabindex="-1">
	<h2 class="paywall">
		Best for Bundled Services
	</h2>
</div>

<h2>
	<strong>NordPass</strong>
</h2>


<div class="CaptionWrapper-jSZdqE fJvQtP caption AssetEmbedCaption-fNQBPI dDrfgT asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<img alt="Nordpass-Password-Manager-(lifestyle-lap" class="ipsImage" data-ratio="75.10" height="540" width="720" src="https://media.wired.com/photos/67e2f21d384e190129d3e14b/master/w_1600,c_limit/Nordpass-Password-Manager-(lifestyle-laptop-at-desk)-SOURCE-Nordpass-(cropped).jpg">
</div>

<div class="CaptionWrapper-jSZdqE fJvQtP caption AssetEmbedCaption-fNQBPI dDrfgT asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<em><span class="BaseWrap-sc-gjQpdd BaseText-ewhhUZ CaptionCredit-ejegDm iUEiRd isTgyB fNaHcW caption__credit">Photograph: Nordpass</span></em>
</div>

<p>
	 
</p>

<p>
	You might know Nord better for its VPN service, but the company also offers a password manager, <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://nordpass.com/plans/" href="https://cna.st/affiliate-link/8iV3Xocz8fbxXRuRiNJzsXxzx3TmngHciKgZ2eqn3AZwdiReC8itkpvvvZQGkvdgMx1NNr9xPam2ftnRxobvU48VAaZ1d9gDrbXQAcDXTae6zY2y7htCYVDmo72" rel="external nofollow" target="_blank">NordPass</a>, and a pretty nice online storage system, <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://nordlocker.com" href="https://cna.st/affiliate-link/GVccPgccYSyvA96TEbr7guCZfNMGWypBdwyd4ep3FKGz5dqbSNmm4QHzaWzZMf3kPjAykyMWjW47tFzACqzAUZREs2TqmAdatcR9zYfmrkFUgVnaR6A8" rel="external nofollow" target="_blank">NordLocker</a>. A part of the appeal of NordPass comes in bundling it with the company's other services for some compelling deals. As a password manager, NordPass offers everything you need. It uses a zero-knowledge setup in which all data is encrypted on your device before it’s uploaded to the company’s servers. Unlike most services here, NordPass uses XChaCha20 for encryption. It would require a deep dive into cryptography to get into the differences, but the short story is that it's just as secure and maybe slightly faster.
</p>

<p>
	 
</p>

<p>
	There’s also a personal information storage feature to keep your address, phone number, and other personal data safe and secure, but easy to access. NordPass also offers an emergency access feature, which allows you to grant another NordPass user emergency access to your vault. It works just like the same feature in 1Password, allowing trusted friends or family to access your account if you cannot.
</p>

<p>
	 
</p>

<p>
	Other nice features include support for two-factor authentication to sign in to your account, as well as security tools to evaluate the strength of your passwords and alert you if any of your data is compromised. Note that NordPass Premium is theoretically $3 a month, but there are always sales that bring that much lower. The downside, and my one gripe about all Nord services, is that there is no monthly plan. As noted above, the best deal comes in combining NordPass, NordVPN, and NordLocker for a bundled deal.
</p>

<p>
	 
</p>

<p>
	<em>After signing up,</em> <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.dashlane.com/download" href="https://cna.st/affiliate-link/47v5BiBrmU3MqVi7x5MscyU8oZ3ZnDjPNaYKkCo2P41BhJX6iH7immkX31knUJnZUwkpSVDdtwhwfhsrPnw6b?cid=5ce3031cfd8c3451c5008275" rel="external nofollow" target="_blank"><em>download the app</em></a> <em>for Android and iOS, and grab the browser extensions for</em> <em><a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.dashlane.com/download" href="https://cna.st/affiliate-link/47v5BiBrmU3MqVi7x5MscyU8oZ3ZnDjPNaYKkCo2P41BhJX6iH7immkX31knUJnZUwkpSVDdtwhwfhsrPnw6b?cid=5ce3031cfd8c3451c5008275" rel="external nofollow" target="_blank">Firefox, Chrome, and Edge</a>.</em>
</p>

<div id="best-diy-options-self-hosted" style="outline: none;" tabindex="-1">
	<h2 class="paywall">
		Best DIY Options (Self-Hosted)
	</h2>
</div>

<p>
	Want to retain more control over your data in the cloud? Sync your password vault yourself. The services below do not store any of your data on their servers. This means attackers have nothing to target. Instead of storing your passwords, these services use a local vault to store your data, and then you can sync that vault using a file-syncing service like <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.dropbox.com/" href="https://cna.st/affiliate-link/6CqQp4VE71F26jQ4fkAyVuuEgYGJPv1pLz7YMhfQqXk59yNPCb1RYJEaTc35FjKkEQ2kMDsrUYYYn7Vh67cu7BgxpnBLTqH87B3FJqndcryEB4zugJZfHMW" rel="external nofollow" target="_blank">Dropbox</a>, <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://nextcloud.com" href="https://cna.st/affiliate-link/4WbMFeyZ4xH4tTkq5trC2np2WY7rjbAnTVmYjWs5b4EbEHW8oXm8GGhZ5RU64H7wPVocXsercLUktfUYMGBxSoVaMnVH79KkT9zQRDv5R3UzEp2wbbS" rel="external nofollow" target="_blank">NextCloud</a>, or Edward Snowden’s <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://techcrunch.com/2014/10/11/edward-snowden-new-yorker-festival/" href="https://techcrunch.com/2014/10/11/edward-snowden-new-yorker-festival/" rel="external nofollow" target="_blank">recommended service</a>, <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://spideroak.com/" href="https://cna.st/affiliate-link/GVccPgccYSyvA96TEbr7guCZfNMGWypBdwyd4ep3FKGz5dqbSNmm4QHzaWzeCav3RoHsw2B7DexgqsDKE8Y6fBGPdcsj7nsRPBGJ6brLeHoH1nXrnRyE" 
rel="external nofollow" target="_blank">SpiderOak</a>. There are two services to keep track of in this scenario, making it a little more complex. But if you’re already using a file-syncing service, this can be a good option.
</p>

<h2>
	Enpass
</h2>


<div class="CaptionWrapper-jSZdqE fJvQtP caption AssetEmbedCaption-fNQBPI dDrfgT asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<img alt="Enpass-App-SOURCE-Enpass-Gear.jpg" class="ipsImage" data-ratio="75.10" height="381" width="720" src="https://media.wired.com/photos/641df0704d133330b1639c2b/master/w_1600,c_limit/Enpass-App-SOURCE-Enpass-Gear.jpg">
</div>

<div class="CaptionWrapper-jSZdqE fJvQtP caption AssetEmbedCaption-fNQBPI dDrfgT asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<em><span class="BaseWrap-sc-gjQpdd BaseText-ewhhUZ CaptionCredit-ejegDm iUEiRd isTgyB fNaHcW caption__credit">Courtesy of Enpass</span></em>
</div>


<p>
	Enpass does not store any data on its servers. Syncing is handled through third-party services. Enpass doesn’t do the syncing, but it does offer apps on every platform. That means once you have syncing set up, it works just like any other service. And you don’t have to worry about Enpass being hacked, because your data isn’t on its servers. Enpass supports syncing through Dropbox, Google Drive, OneDrive, iCloud, Box, Nextcloud, or any service using WebDAV. Alas, SpiderOak is not currently supported. You can also synchronize your data over a local WLAN or Wi-Fi network.
</p>

<p>
	 
</p>

<p>
	All of the features you expect in a password manager are here, including auto-generating passwords, breach-monitoring, biometric login (for devices that support it), auto-filling passwords, and options to store other types of data, like credit cards and identification data. There’s also a password audit feature to highlight any weak or duplicate passwords in your vault. One extra I particularly like is the ability to tag passwords for easier searching. Enpass also makes setting up the syncing through the service of your choice very easy. Enpass recently <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://enpass.io/passkeys" href="https://cna.st/affiliate-link/2kPDMaDggM5J7SadQsbSM4Pf3xPNvrEHFM6LVU9nYkrc2yWbi3Cku54cKw1j1Vqahvx197o44scVof4oruyyYN2aVzayJeDZoRys64sRdjWyVySQ2UetmWwvtt" rel="external nofollow" target="_blank">added support for passkeys</a>.
</p>

<p>
	 
</p>

<p>
	Enpass is free to use on Windows, Mac, and Linux. The mobile version syncs up to 25 items in one vault for free. For more than that, you’ll want to sign up for the paid service.
</p>

<p>
	 
</p>

<p>
	<em>After signing up,</em> <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.enpass.io/downloads/" href="https://cna.st/affiliate-link/4qqMdb4drwigrnptGZmLo9dMWpSzYXKtmm3oXoXinaewbifcecXcLL4SBogkCGK85t7Pu9ScgrmuxopPDtGrR6kMLoNXR2PytHpyddiFdHGN9sYuPaDQPvNVWb6QhrKiL4" rel="external nofollow" target="_blank"><em>download the app</em></a> <em>for Mac, Windows, Linux, Android, and iOS, and grab the browser extensions for</em> <em><a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.enpass.io/downloads/" href="https://cna.st/affiliate-link/4qqMdb4drwigrnptGZmLo9dMWpSzYXKtmm3oXoXinaewbifcecXcLL4SBogkCGK85t7Pu9ScgrmuxopPDtGrR6kMLoNXR2PytHpyddiFdHGN9sYuPaDQPvNVWb6QhrKiL4" rel="external nofollow" target="_blank">Chrome, Vivaldi, Edge, and Firefox</a>.</em>
</p>

<h2>
	KeePassXC
</h2>


<div class="CaptionWrapper-jSZdqE fJvQtP caption AssetEmbedCaption-fNQBPI dDrfgT asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<img alt="KeePassXC-Windows-Password-List-SOURCE-K" class="ipsImage" data-ratio="75.10" height="540" width="664" src="https://media.wired.com/photos/641e471698e1501546f52c8e/master/w_1600,c_limit/KeePassXC-Windows-Password-List-SOURCE-KeePassXC-update.jpg">
</div>

<div class="CaptionWrapper-jSZdqE fJvQtP caption AssetEmbedCaption-fNQBPI dDrfgT asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<em><span class="BaseWrap-sc-gjQpdd BaseText-ewhhUZ CaptionCredit-ejegDm iUEiRd isTgyB fNaHcW caption__credit">Courtesy of KeePassXC</span></em>
</div>

<p>
	 
</p>

<p>
	KeePassXC works like Enpass above. It stores your passwords in an encrypted digital vault that keeps you secure with a master password, a key file, or both. You sync that database file yourself using a file-syncing service. Once your file is in the cloud, you can access it on any device that has a KeePassXC client. Like Bitwarden, KeePassXC is open source, which means its code can be and has been inspected for critical flaws. If you’re an advanced user and comfortable handling your own issues and support, KeePassXC makes a great choice.
</p>

<p>
	 
</p>

<p>
	The downside of KeePassXC is that it doesn’t have official mobile clients. However, third-party apps are available for iOS and Android.
</p>

<p>
	 
</p>

<p>
	<em>Download the</em> <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://keepassxc.org/download/" href="https://cna.st/affiliate-link/sVB7UeyqUMKYfvtwjKCjdPjiCCnD8KnG8G8pm5EzuV5fgM5TCDpt3xcAFCiJVfCPsAK3ucCsXss9UFdxVFK63rfGifzTQgGpf7bBX3Ak5BkngZuSHC8iwig67f3yFA3E" rel="external nofollow" target="_blank"><em>desktop app</em></a> <em>for Windows, macOS, or Linux and create your vault. There are also extensions for</em> <em><a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://addons.mozilla.org/en-US/firefox/addon/keepassxc-browser/" href="https://cna.st/affiliate-link/63B2uvSQBPtLPauL4T9jwq7Jo4XTo5cM658qavSsx7Mmfje2MkVP4euG9uGJaR4TbuBj3wUg9uKjXvbwrx4aPnjeW52g5u8K91TzbdkdGmJSk6V5paR3PJk4EDFLrBDwZTeFkhyooQpaCd3FKtuwAr2PiVprsVvFE1oNNW6qbpwbFxx" rel="external nofollow" target="_blank">Firefox</a>,</em> <em><a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://microsoftedge.microsoft.com/addons/detail/keepassxcbrowser/pdffhmdngciaglkoonimfcmckehcpafo" href="https://cna.st/affiliate-link/W9sg9CqXij8AEsJEJkwNXJwy8pRupoR6VDFBj8aE9fT9g3nPkJAF1S9edhCP5Na7ojtnb9Emhhhra5dg969yacVEEuSGyzgkSgtjwVpQhvRVFr6cNcG185VN2dVhZMDwMbWJyheCwVKR48bR55uyfLbUPXLE2XuhZVitVsUuCSUmkBJZroh5GhapH4LoiqVD35Vtp1r7dmKa2TsBzGfzGjJ34xeHS" rel="external nofollow" target="_blank">Edge</a>, and</em> <em><a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk" 
href="https://cna.st/affiliate-link/41J5Fpr3JZxa5PRW7aUt2A7Erd7BQty7TgV8zHNBTfdPm3mrLMKqFXqhudutTFopjoFwZ2Sb68pECzWZSVpRVG19TmsDCK8r2QVzQH5J1TKcM9zsxzZ4JJRVs48aXpBcEFsXhJDt4YxpwHCqDRx5zuMFNZzVieM42AwtFXFTtf6igEQuC38SitvwsJXatNWih18LCSYDCwq5pjsLfYLk" rel="external nofollow" target="_blank">Chrome</a>. The project does not offer apps for phones. Instead, it recommends</em> <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://play.google.com/store/apps/details?id=keepass2android.keepass2android" href="https://cna.st/affiliate-link/RLUH3gniSGMDL2j6ufRsTUAoJXksSb7TSgjgme3KyP5ZNkgMDJXQkBbxB7Q6h5LqGJCXRh2CGncZPtif26wLedTAXaMAHyibmoFQTyHy4wH35rr2F4WVc51TMDCUiPdZHRyi5aSxq7k83iDr3WZmLiFCYNqW8rKAceiM4prfyYBW96Cw1963soqCN5Q5ETn" rel="external nofollow" target="_blank"><em>KeePass2Android</em></a> <em>or</em> <em><a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://itunes.apple.com/us/app/strongbox-password-safe/id897283731" href="https://cna.st/affiliate-link/2h8zKZvUAqv9ZDfxAivFV6GWZFAWEvudKvRDR2XwVsB5Dpb3NuArvtfAadNePp6yACyRsQ7WhHBtuzWYUwgbLBRFEYQ1SV4GGh4LS3RrK4DwUHemcw8ageaeNyQ1HMYz48vHS3WswKXu5GZdFS5AnPQydZSmFGQae3wVjto2PbGvciFV9N" rel="external nofollow" target="_blank">Strongbox for iPhone</a>.</em>
</p>

<div id="honorable" style="outline: none;" tabindex="-1">
	<h2 class="paywall">
		Other Good Password Managers
	</h2>
</div>


<div class="CaptionWrapper-jSZdqE fJvQtP caption AssetEmbedCaption-fNQBPI dDrfgT asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<img alt="keeper-SOURCE-Keeper-Gear.jpg" class="ipsImage" data-ratio="75.10" height="540" width="704" src="https://media.wired.com/photos/641df0667ed2d3b740a47b55/master/w_1600,c_limit/keeper-SOURCE-Keeper-Gear.jpg">
</div>

<div class="CaptionWrapper-jSZdqE fJvQtP caption AssetEmbedCaption-fNQBPI dDrfgT asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<em><span class="BaseWrap-sc-gjQpdd BaseText-ewhhUZ CaptionCredit-ejegDm iUEiRd isTgyB fNaHcW caption__credit">Courtesy of Keeper</span></em>
</div>

<p>
	 
</p>

<p>
	Password managers are not a one-size-fits-all solution. Our top picks cover most use cases and are the best choices for most people, but your needs may be different. Fortunately, there are plenty of good password managers out there. Here are some more we’ve tested and like.
</p>

<p>
	 
</p>

<p>
	<strong>Keeper </strong>offers a variety of security-related tools, including a password manager. Keeper works much like 1Password and others, storing only your encrypted data, and it offers two-factor authentication for logging in to your account. Like Dashlane, Keeper has a lot of extras, including dark-web monitoring, meaning it will check publicly posted data to make sure yours isn’t available.
</p>

<p>
	 
</p>

<p>
	<strong>RoboForm </strong>has most of the same features as the rest on this list, but it lacks some of the things that differentiate our top picks, like Bitwarden’s open source aspect and 1Password’s travel features. I’ve been testing the free plan for a while and haven’t run into any problems. There are apps for every common platform, and it’s easy to use. RoboForm recently completed <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://roboform-blog.siber.com/2023/05/17/roboform-completes-third-party-security-audit/" href="https://roboform-blog.siber.com/2023/05/17/roboform-completes-third-party-security-audit/" rel="external nofollow" target="_blank">an independent security audit</a> and came out looking good.
</p>

<p>
	 
</p>

<p>
	<strong>Pass </strong>is a command-line wrapper around GPG (GNU Privacy Guard), which means it is only for the nerdiest users. It supports managing encrypted .gpg files in Git, and third-party mobile apps are available. It’s not for everyone. For years, this was my password manager of choice, but eventually, Bitwarden's ease of use won me over.
</p>

<p>
	 
</p>

<p>
	<strong>LastPass </strong>has had more <a href="https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/" rel="external nofollow" target="_blank">bad security breaches</a> than any other service on this page, which led us to remove it from our top picks. Since then, the company has changed hands and appears to be better security-wise, which is good because many people still use it. That said, there is nothing about LastPass that makes it a more compelling choice than Bitwarden, 1Password, or the others mentioned in this guide.
</p>

<div id="test" style="outline: none;" tabindex="-1">
	<h2 class="paywall">
		How We Test
	</h2>
</div>

<p>
	The best and most secure cryptographic algorithms are all available via open source programming libraries. On the one hand, this is great, as any app can incorporate these ciphers and keep your data safe. Unfortunately, any encryption is only as strong as its weakest link, and cryptography alone won’t keep your passwords safe.
</p>

<p>
	 
</p>

<p>
	This is what I test for: What are the weakest links? Is your master password sent to the server? Every password manager <em>says</em> it isn’t, but if you watch network traffic while you enter a password, sometimes you find, well, it is. I also dig into how mobile apps work: Do they, for example, leave your password store unlocked but require a PIN to get back in? That’s convenient, but it sacrifices too much security. No password manager is perfect, but the ones above represent the best I’ve tested. They’re as secure as they can be while remaining easy to use.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/best-password-managers/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28443</guid><pubDate>Wed, 26 Mar 2025 19:36:50 +0000</pubDate></item><item><title>Broadcom warns of authentication bypass in VMware Windows Tools</title><link>https://nsaneforums.com/news/security-privacy-news/broadcom-warns-of-authentication-bypass-in-vmware-windows-tools-r28430/</link><description><![CDATA[<p>
	Broadcom released security updates today to fix a high-severity authentication bypass vulnerability in VMware Tools for Windows.
</p>

<p>
	 
</p>

<p>
	VMware Tools is a suite of drivers and utilities designed to improve performance, graphics, and overall system integration for guest operating systems running in VMware virtual machines.
</p>

<p>
	 
</p>

<p>
	The vulnerability (<a href="https://nvd.nist.gov/vuln/detail/CVE-2025-22230" rel="external nofollow" target="_blank">CVE-2025-22230</a>) is caused by an improper access control weakness and was reported by Sergey Bliznyuk of Positive Technologies (a <a href="https://www.bleepingcomputer.com/news/security/us-sanctions-nso-group-and-three-others-for-spyware-and-exploit-sales/" rel="external nofollow" target="_blank">sanctioned</a> Russian cybersecurity company accused of trafficking hacking tools).
</p>

<p>
	 
</p>

<p>
	Local attackers with low privileges can exploit it in low-complexity attacks that don't require user interaction to gain high privileges on vulnerable VMs.
</p>

<p>
	 
</p>

<p>
	"A malicious actor with non-administrative privileges on a Windows guest VM may gain ability to perform certain high-privilege operations within that VM," VMware <a href="https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25518" rel="external nofollow" target="_blank">explains in a security advisory</a> published on Tuesday.
</p>

<p>
	 
</p>

<p>
	Earlier this month, Broadcom also <a href="https://www.bleepingcomputer.com/news/security/broadcom-fixes-three-vmware-zero-days-exploited-in-attacks/" rel="external nofollow" target="_blank">patched three VMware zero days</a> (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226), which were tagged as exploited in attacks and reported by the Microsoft Threat Intelligence Center.
</p>

<p>
	 
</p>

<p>
	As the company explained at the time, attackers with privileged administrator or root access can chain these vulnerabilities to escape the virtual machine's sandbox.
</p>

<p>
	 
</p>

<p>
	Days after patches were released, threat monitoring platform Shadowserver <a href="https://www.bleepingcomputer.com/news/security/over-37-000-vmware-esxi-servers-vulnerable-to-ongoing-attacks/" rel="external nofollow" target="_blank">found over 37,000 internet-exposed VMware ESXi instances</a> vulnerable to CVE-2025-22224 attacks.
</p>

<p>
	 
</p>

<p>
	Ransomware gangs and state-sponsored hackers frequently target VMware vulnerabilities, as VMware products are widely used in enterprise operations to store or transfer sensitive corporate data.
</p>

<p>
	 
</p>

<p>
	For instance, in November, Broadcom warned that <a href="https://www.bleepingcomputer.com/news/security/critical-rce-bug-in-vmware-vcenter-server-now-exploited-in-attacks/" rel="external nofollow" target="_blank">attackers were exploiting</a> two VMware vCenter Server vulnerabilities: a privilege escalation to root (CVE-2024-38813) and a critical remote code execution flaw (CVE-2024-38812) identified during China's 2024 Matrix Cup hacking contest.
</p>

<p>
	 
</p>

<p>
	In January 2024, Broadcom also <a href="https://www.bleepingcomputer.com/news/security/chinese-hackers-exploit-vmware-bug-as-zero-day-for-two-years/" rel="external nofollow" target="_blank">disclosed</a> that Chinese state hackers had used a critical vCenter Server zero-day vulnerability (CVE-2023-34048) since late 2021 <a href="https://www.bleepingcomputer.com/news/security/new-malware-backdoors-vmware-esxi-servers-to-hijack-virtual-machines/" rel="external nofollow" target="_blank">to deploy VirtualPita and VirtualPie backdoors</a> on affected ESXi systems.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/broadcom-warns-of-authentication-bypass-in-vmware-windows-tools/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28430</guid><pubDate>Wed, 26 Mar 2025 02:03:16 +0000</pubDate></item><item><title>Critical flaw in Next.js lets hackers bypass authorization</title><link>https://nsaneforums.com/news/security-privacy-news/critical-flaw-in-nextjs-lets-hackers-bypass-authorization-r28401/</link><description><![CDATA[<p>
	A critical severity vulnerability has been discovered in the Next.js open-source web development framework, potentially allowing attackers to bypass authorization checks.
</p>

<p>
	 
</p>

<p>
	The flaw, tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-29927" rel="external nofollow" target="_blank">CVE-2025-29927</a>, enables attackers to send requests that reach destination paths without going through critical security checks.
</p>

<p>
	 
</p>

<p>
	Next.js is a popular React framework with more than 9 million weekly downloads <a href="https://www.npmjs.com/package/next" rel="external nofollow" target="_blank">on npm</a>. It is used for building full-stack web apps and includes middleware components for authentication and authorization.
</p>

<p>
	 
</p>

<p>
	Front-end and full-stack developers use it to build web apps with React. Some of the more notable companies using it for their sites/apps are TikTok, Twitch, Hulu, Netflix, Uber, and Nike.
</p>

<h2>
	Authorization bypass
</h2>

<p>
	In Next.js, middleware components run before a request reaches the application's routing system and serve purposes such as authentication, authorization, logging, error handling, redirecting users, and applying geo-blocking or rate limits.
</p>

<p>
	 
</p>

<p>
	To prevent infinite loops where middleware re-triggers itself, Next.js uses a header called 'x-middleware-subrequest' that dictates if middleware functions should be applied or not.
</p>

<p>
	 
</p>

<p>
	The header is retrieved by the 'runMiddleware' function, which is responsible for processing incoming requests. If it detects the 'x-middleware-subrequest' header with a specific value, the entire middleware execution chain is bypassed and the request is forwarded to its destination.
</p>

<p>
	 
</p>

<p>
	An attacker can manually send a request that includes the header with a correct value and thus bypass protection mechanisms.
</p>

<p>
	 
</p>

<p>
	According to researchers <a href="https://x.com/zhero___" rel="external nofollow" target="_blank">Allam Rachid</a> and Allam Yasser (inzo_), who discovered the vulnerability and published a <a href="https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware" rel="external nofollow" target="_blank">technical write-up</a>, "the header and its value act as a universal key allowing rules to be overridden."
</p>

<p>
	 
</p>

<p>
	The vulnerability impacts all Next.js versions before 15.2.3, 14.2.25, 13.5.9, and 12.3.5. Users are recommended to upgrade to newer revisions as soon as possible, since technical details for exploiting the security issue are public.
</p>

<p>
	 
</p>

<p>
	Next.js' <a href="https://nextjs.org/blog/cve-2025-29927" rel="external nofollow" target="_blank">security bulletin</a> clarifies that CVE-2025-29927 impacts only self-hosted versions that use 'next start' with 'output: standalone'. Next.js apps hosted on Vercel and Netlify, or deployed as static exports, are not affected.
</p>

<p>
	 
</p>

<p>
	Also affected are environments where middleware is used for authorization or security checks and there is no validation later in the application.
</p>

<p>
	 
</p>

<p>
	If patching is not possible at the time, the recommendation is to block external user requests that include the 'x-middleware-subrequest' header.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/critical-flaw-in-nextjs-lets-hackers-bypass-authorization/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28401</guid><pubDate>Mon, 24 Mar 2025 18:04:35 +0000</pubDate></item><item><title>Oops: Google says it might have deleted your Maps Timeline data</title><link>https://nsaneforums.com/news/security-privacy-news/oops-google-says-it-might-have-deleted-your-maps-timeline-data-r28400/</link><description><![CDATA[<h3>
	Google Maps switched to local-only Timeline storage in December.
</h3>

<p>
	The Google Maps Timeline has long been a useful though slightly uncomfortable feature that maintains a complete record of everywhere your phone goes (and probably you with it). Google recently changed the way it stored timeline data to <a href="https://arstechnica.com/gadgets/2023/12/googles-confusing-new-location-settings-hide-data-in-two-different-places/" rel="external nofollow">improve privacy</a>, but the company now confirms that a "technical issue" resulted in many users losing their timeline history altogether, and there might not be any way to recover it.
</p>

<p>
	 
</p>

<p>
	Timeline, previously known as Location History, is very useful if you need to figure out where you were on a particular day or if you just can't remember where you found that neat bar on your last vacation. Many Google users grew quite fond of having access to that data. However, Google had access to it, too. Starting in 2024, Google transitioned to storing Timeline data only on the user's individual smartphone instead of backing it up to the cloud. You can probably see where this is going.
</p>

<p>
	 
</p>

<p>
	Users started piping up over the past several weeks, posting on the <a href="https://support.google.com/maps/thread/329356095/timeline-history-is-missing?hl=en" rel="external nofollow">Google support forums</a>, <a href="https://old.reddit.com/r/google/comments/1j78uau/timeline_disappeared/" rel="external nofollow">Reddit</a>, and other social media that their treasured Timeline data had gone missing. Google has been investigating the problem, and the news isn't good. In an email sent out over the weekend, Google confirmed what many already feared: Maps has accidentally deleted Timeline data on countless devices.
</p>

<p>
	 
</p>

<p>
	A Google spokesperson confirmed this is the result of a technical issue and not user error or an intentional change. It's unclear how this happened, but we'd wager on a botched Maps update. Google usually rolls out updates in waves, and it's possible that the defective build in this case made it to a large number of devices before it was stopped.
</p>

<p>
	 
</p>

<p>
	You have exactly one possible fix for this issue, but only if you planned ahead. When Google began the full change-over to local storage of Timeline data, it added several settings to control the feature. While the data is stored locally by default, you have the option of creating encrypted backups in the cloud. If you did that, you should be able to restore the data.
</p>

<p>
	 
</p>

<figure class="ars-wp-img-shortcode id-2084240 align-fullwidth">
	<div>
		<div class="ars-lightbox">
			<div class="ars-lightbox-item">
				<img alt="Google Maps timeline" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/03/maps-timeline-data-1024x957.jpg">
				<div class="pswp-caption-content" id="caption-2084240">
					<em>Google's email alert, along with the location of Google's backup button. </em>

					<div class="ars-gallery-caption-credit">
						<em><em>Credit: Google </em></em>
					</div>
				</div>
			</div>
		</div>
	</div>
</figure>

<p>
	To check for backed-up Timeline data, open Maps and go to the Timeline section. There should be a cloud icon at the top with an arrow—if it's a cloud with a line through it, you're out of luck. Tapping the enabled icon should let you download a backup of your data. According to Google, if you did not have encrypted backups enabled, the data is gone forever.
</p>

<h2>
	To cloud or not to cloud?
</h2>

<p>
	Google has taken a more cautious approach to <a href="https://arstechnica.com/tech-policy/2022/05/democrats-say-google-location-data-could-be-used-to-prosecute-women-for-abortions/" rel="external nofollow">storing location data</a> in recent years. The changes to Maps date back to 2023, when the company announced it would no longer log certain types of data, including visits to abortion clinics, domestic violence shelters, and more. Moving Timeline off of its servers and onto individual devices in late 2024 would theoretically protect user privacy if Google were forced to hand over account data to law enforcement.
</p>

<p>
	 
</p>

<p>
	However, there are reasons we keep things in the cloud. For one, they're more accessible. When Google transitioned Timeline data to on-device, users lost the ability to view their location history on the web. More importantly, it's harder to lose data when it's backed up on a server that Google manages. It's good that Google still supports a secure backup option, but it's not on by default. Again, that's understandable, given the aim of improving privacy, but a lot of people are wishing the backups were automatic today.
</p>

<p>
	 
</p>

<p>
	Many longtime Maps users have expressed genuine sorrow over losing years of data to this glitch. Some say they believed they had encrypted backups enabled, only to find they had no data to restore. This is probably a good time to check your Maps settings if you, too, have vast swaths of historic location data living only on your phone.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2025/03/oops-google-says-it-might-have-deleted-your-maps-timeline-data/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of February): 874</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">28400</guid><pubDate>Mon, 24 Mar 2025 18:02:37 +0000</pubDate></item><item><title>The Quantum Apocalypse Is Coming. Be Very Afraid</title><link>https://nsaneforums.com/news/security-privacy-news/the-quantum-apocalypse-is-coming-be-very-afraid-r28399/</link><description><![CDATA[<h3>
	What happens when quantum computers can finally crack encryption and break into the world’s best-kept secrets? It’s called Q-Day—the worst holiday maybe ever.
</h3>

<p>
	<span class="lead-in-text-callout">One day soon,</span> at a research lab near Santa Barbara or Seattle or a secret facility in the Chinese mountains, it will begin: the sudden unlocking of the world’s secrets. Your secrets.
</p>

<p>
	 
</p>

<p>
	Cybersecurity analysts call this Q-Day—the day someone builds a <a href="https://www.wired.com/story/quantum-computing-is-dead-alive" rel="external nofollow">quantum computer</a> that can crack the most widely used forms of encryption. These math problems have kept humanity’s intimate data safe for decades, but on Q-Day, everything could become vulnerable, for everyone: emails, text messages, anonymous posts, location histories, bitcoin wallets, police reports, hospital records, power stations, the entire global financial system.
</p>

<p>
	 
</p>

<p>
	“We’re kind of playing Russian roulette,” says Michele Mosca, who coauthored the most recent “Quantum Threat Timeline” report from the <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://globalriskinstitute.org/publication/2024-quantum-threat-timeline-report/" href="https://globalriskinstitute.org/publication/2024-quantum-threat-timeline-report/" rel="external nofollow" target="_blank">Global Risk Institute</a>, which estimates how long we have left. “You’ll <em>probably</em> win if you only play once, but it’s not a good game to play.” When Mosca and his colleagues surveyed cybersecurity experts last year, the forecast was sobering: a one-in-three chance that Q-Day happens before 2035. And the chances it has <em>already</em> happened in secret? Some people I spoke to estimated 15 percent—about the same as you’d get from one spin of the revolver cylinder.
</p>

<p>
	 
</p>

<p>
	The corporate AI wars may have stolen headlines in recent years, but the quantum arms race has been heating up too. Where today’s AI pushes the limits of classical computing—the kind that runs on 0s and 1s—quantum technology represents an <a href="https://www.wired.com/story/quantum-computing-explained/" rel="external nofollow">altogether different form of computing</a>. By harnessing the spooky mechanics of the subatomic world, it can run on 0s, 1s, or anything in between. This makes quantum computers pretty terrible at, say, storing data but potentially very good at, say, finding the recipe for a futuristic new material (or your email password). The classical machine is doomed to a life of stepwise calculation: Try one set of ingredients, fail, scrap everything, try again. But quantum computers can explore many potential recipes <em>simultaneously</em>.
</p>

<p>
	 
</p>

<p>
	So, naturally, tech giants such as Google, Huawei, IBM, and Microsoft have been chasing quantum’s myriad positive applications—not only for materials science but also communications, drug development, and market analysis. China is plowing vast resources into <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://itif.org/publications/2024/09/09/how-innovative-is-china-in-quantum/" href="https://itif.org/publications/2024/09/09/how-innovative-is-china-in-quantum/" rel="external nofollow" target="_blank">state-backed efforts</a>, and both the US and the European Union have pledged millions in funding to support homegrown quantum industries. Of course, whoever wins the race won’t just have the next great engine of world-saving innovation. They’ll also have the greatest code-breaking machine in history. So it’s normal to wonder: What kind of Q-Day will humanity get—and is there anything we can do to prepare?
</p>

<p>
	 
</p>

<p>
	If you had a universal picklock, you might tell everyone—or you might keep it hidden in your pocket for as long as you possibly could. From a typical person’s vantage point, maybe Q-Day wouldn’t be recognizable as Q-Day at all. Maybe it would look like a series of strange and apparently unconnected news stories spread out over months or years. London’s energy grid goes down on election day, plunging the city into darkness. A US submarine on a covert mission surfaces to find itself surrounded by enemy ships. Embarrassing material starts to show up online in greater and greater quantities: classified intelligence cables, presidential cover-ups, billionaires’ dick pics. In this scenario, it might be decades before we’re able to pin down exactly when Q-Day actually happened.
</p>

<p>
	 
</p>

<p>
	Then again, maybe the holder of the universal picklock prefers the disaster-movie outcome: everything, everywhere, all at once. Destroy the grid. Disable the missile silos. Take down the banking system. Open all the doors and let the secrets out.
</p>

<p>
	 
</p>

<p>
	<span class="lead-in-text-callout">Suppose you ask</span> a classical computer to solve a simple math problem: Break the number 15 into its smallest prime factors. The computer would try all the options one by one and give you a near-instantaneous answer: 3 and 5. If you then ask the computer to factor a number with 1,000 digits, it would tackle the problem in exactly the same way—but the calculation would take millennia. This is the key to a lot of modern cryptography.
</p>

<p>
	 
</p>

<p>
	Take RSA encryption, developed in the late 1970s and <a href="https://www.wired.com/story/rsa-encryption-signature-validation-flaws/" rel="external nofollow">still used</a> for securing email, websites, and much more. In RSA, you (or your encrypted messaging app of choice) create a private key, which consists of two or more large prime numbers. Those numbers, multiplied together, form part of your public key. When someone wants to send you a message, they use your public key to encrypt it. You’re the only person who knows the original prime numbers, so you’re the only person who can decrypt it. Until, that is, someone else builds a quantum computer that can use its spooky powers of parallel computation to derive the private key from the public one—not in millennia but in minutes. Then the whole system collapses.
</p>

<p>
	 
</p>

<p>
	The algorithm to do this already exists. In 1994, decades before anyone had built a real quantum computer, an AT&amp;T Bell Labs researcher named Peter Shor designed the killer Q-Day app. Shor’s algorithm takes advantage of the fact that quantum computers run not on bits but on qubits. Rather than being locked in a state of 0 or 1, they can exist as both simultaneously—in superposition. When you run an operation on a handful of qubits in a given quantum state, you’re actually running that same operation on those same qubits in <em>all</em> their potential quantum states. With qubits, you’re not confined to trial and error. A quantum computer can explore all potential solutions simultaneously. You’re calculating probability distributions, waves of quantum feedback that pile onto each other and peak at the correct answer. With Shor’s algorithm, carefully designed to amplify certain mathematical patterns, that’s exactly what happens: Large numbers go in one end, factors come out the other.
</p>

<p>
	 
</p>

<p>
	In theory, at least. Qubits are incredibly difficult to build in real life, because the slightest environmental interference can nudge them out of the delicate state of superposition, where they balance like a spinning coin. But Shor’s algorithm ignited interest in the field, and by the 2010s, a number of projects were starting to make progress on building the first qubits. In 2016, perhaps sensing the nascent threat of Q-Day, the US National Institute of Standards and Technology (NIST) launched a competition to develop <a href="https://www.wired.com/story/quantum-proof-encryption-is-here-but-theres-a-catch/" rel="external nofollow">quantum-proof encryption algorithms</a>. These largely work by presenting quantum computers with complex multidimensional mazes, called structured lattices, that even they can’t navigate without directions.
</p>

<p>
	 
</p>

<p>
	In 2019, Google’s quantum lab in Santa Barbara claimed that it had <a href="https://www.wired.com/story/quantum-supremacy-google-microsoft-ibm/" rel="external nofollow">achieved “quantum supremacy.”</a> Its 53-qubit chip could complete in just 200 seconds a task that would have taken 100,000 conventional computers about 10,000 years. Google’s latest quantum processor, Willow, has 105 qubits. But to break encryption with Shor’s algorithm, a quantum computer will need thousands or even millions.
</p>

<p>
	 
</p>

<p>
	There are now hundreds of companies trying to build quantum computers using wildly different methods, all geared toward keeping qubits isolated from the environment and under control: superconducting circuits, trapped ions, molecular magnets, carbon nanospheres. While progress on hardware inches forward, computer scientists are refining quantum algorithms, trying to reduce the number of qubits required to run them. Each step brings Q-Day closer.
</p>

<p>
	 
</p>

<p>
	That’s bad news not just for RSA but also for a dizzying array of other systems that will be vulnerable on Q-Day. Security consultant Roger A. Grimes lists some of them in his book <em>Cryptography Apocalypse</em>: the DSA encryption used by many US government agencies until recently, the elliptic-curve cryptography used to secure cryptocurrencies like Bitcoin and Ethereum, the VPNs that let political activists and porn aficionados browse the web in secrecy, the random number generators that power online casinos, the smartcards that let you tap through locked doors at work, the security on your home Wi-Fi network, the two-factor authentication you use to log in to your email account.
</p>

<p>
	 
</p>

<p>
	Experts from one national security agency told me they break the resulting threats down into two broad areas: confidentiality and authentication. In other words, keeping secrets and controlling access to critical systems. Chris Demchak, a former US Army officer who is a professor of cybersecurity at the US Naval War College and spoke with me in a personal capacity, says that a Q-Day computer could let an adversary eavesdrop on classified military data in real time. “It would be very bad if they knew exactly where all of our submarines were,” Demchak says. “It would be very bad if they knew exactly what our satellites are looking at. And it would be very bad if they knew exactly how many missiles we had and their range.” The balance of geopolitical power in, say, the Taiwan Strait could quickly tilt.
</p>

<p>
	 
</p>

<p>
	Beyond that real-time threat to confidentiality, there’s also the prospect of “harvest now, decrypt later” attacks. Hackers aligned with the Chinese state have reportedly been hoovering up encrypted data for years in hopes of one day having a quantum computer that can crack it. “They wolf up everything,” Demchak told me. (The US almost certainly does this too.) The question then becomes: How long will your sensitive data remain valuable? “There might be some needles in that haystack,” says Brian Mullins, the CEO of Mind Foundry, which helps companies implement quantum technology. Your current credit card details might be irrelevant in 10 years, but your fingerprint won’t be. A list of intelligence assets from the end of the Iraq War might seem useless until one of those assets becomes a prominent politician.
</p>

<p>
	 
</p>

<p>
	The threat to authentication may be even scarier. “Pretty much anything that says a person is who they say they are is underpinned by encryption,” says Deborah Frincke, a computer scientist and national security expert at Sandia National Laboratories. “Some of the most sensitive and valuable infrastructure that we have would be open to somebody coming in and pretending to be the rightful owner and issuing some kind of command: to shut down a network, to influence the energy grid, to create financial disruption by shutting down the stock market.”
</p>

<p>
	 
</p>

<div class="GenericCalloutWrapper-tojWn iNCMJD callout--has-top-border" data-event-boundary="click" data-event-click='{"pattern":"GenericCallout"}' data-in-view='{"pattern":"GenericCallout"}' data-include-experiments="true" data-testid="GenericCallout">
	<div class="AssetEmbedAssetContainer-eJxoAx dBHGoQ asset-embed__asset-container">
		<span class="SpanWrapper-umhxW jvZaPI responsive-asset AssetEmbedResponsiveAsset-cXBNxi eCxVQK asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cWuUZO dUOtEa AssetEmbedResponsiveAsset-cXBNxi eCxVQK asset-embed__responsive-asset responsive-image" style=""><img alt="Conceptual illustration of a burning satellite" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/67dad4b2bd09d605587bfa02/master/w_960,c_limit/WIRED-FOC-HappyQ-Day-NicholasLaw-03.jpg"></picture></span>
	</div>

	<div class="CaptionWrapper-jSZdqE fJvQtP caption AssetEmbedCaption-fNQBPI dDrfgT asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
		<em><span class="BaseWrap-sc-gjQpdd BaseText-ewhhUZ CaptionCredit-ejegDm iUEiRd isTgyB fNaHcW caption__credit">Illustration: Nicholas Law</span></em>
	</div>

</div>

<p>
	<span class="lead-in-text-callout">The exact level</span> of Q-Day chaos will depend on who has access to the first cryptographically relevant quantum computers. If it’s the United States, there will be a “fierce debate” at the highest levels of government, Demchak believes, over whether to release it for scientific purposes or keep it secret and use it for intelligence. “If a private company gets there first, the US will buy it and the Chinese will try to hack it,” she claims. If it’s one of the US tech companies, the government could put it under the strict export controls that now apply to AI chips.
</p>

<p>
	 
</p>

<p>
	Most nation-state attacks are on private companies—say, someone trying to break into a defense contractor like Lockheed Martin and steal plans for a next-generation fighter jet. But over time, as quantum computers become more widely available, the focus of the attacks could broaden. The likes of Microsoft and Amazon are already offering researchers access to their primitive quantum devices on the cloud—and big tech companies haven’t always been great at policing who uses their platforms. (The soldier who blew up a Cybertruck outside the Trump International Hotel in Las Vegas early this year queried ChatGPT to help plan the attack.) You could have a bizarre scenario where a cybercriminal uses Amazon’s cloud quantum computing platform to break into Amazon Web Services.
</p>

<p>
	 
</p>

<p>
	Cybercriminals with access to a quantum computer could use it to go after the same targets more effectively, or take bigger swings: hijacking the SWIFT international payments system to redirect money transfers, or conducting corporate espionage to collect kompromat. The earliest quantum computers probably won’t be able to run Shor’s algorithm that quickly—they might only get one or two keys a day. But combining a quantum computer with an artificial intelligence that can map out an organization’s weakness and highlight which keys to decrypt to cause the most damage could yield devastating results.
</p>

<p>
	 
</p>

<p>
	And then there’s Bitcoin. The cryptocurrency is exquisitely vulnerable to Q-Day. Because each block in the Bitcoin blockchain captures the data from the previous block, Bitcoin cannot be upgraded to post-quantum cryptography, according to Kapil Dhiman, CEO of Quranium, a post-quantum blockchain security company. “The only solution to that seems to be a hard fork—give birth to a new chain and the old chain dies.”
</p>

<p>
	 
</p>

<p>
	But that would require a massive organizational effort. First, 51 percent of Bitcoin node operators would have to agree. Then everyone who holds bitcoin would have to manually move their funds from the old chain to the new one (including the elusive Satoshi Nakamoto, the Bitcoin developer who controls wallets containing around $100 billion of the cryptocurrency). If Q-Day happens before the hard fork, there’s nothing to stop bitcoin going to zero. “It’s like a time bomb,” says Dhiman.
</p>

<p>
	 
</p>

<p>
	<span class="lead-in-text-callout">That bomb going</span> off will only be the beginning. When Q-Day becomes public knowledge, either via grim governmental address or cheery big-tech press release, the world will enter the post-quantum age. It will be an era defined by mistrust and panic—the end of digital security as we know it. “And then the scramble begins,” says Demchak.
</p>

<p>
	 
</p>

<p>
	All confidence in the confidentiality of our communications will collapse. Of course, it’s unlikely that everyone’s messages will actually be targeted, but the perception that you could be spied on at any time will change the way we live. And if NIST’s quantum-proof algorithms haven’t rolled out to your devices by that point, you face a real problem—because any attempts to install updates over the cloud will also be suspect. What if that download from Apple isn’t actually from Apple? Can you trust the instructions telling you to transfer your crypto to a new quantum-secure wallet?
</p>

<p>
	 
</p>

<p>
	Grimes, the author of <em>Cryptography Apocalypse</em>, predicts enormous disruptions. We might have to revert to Cold War methods of transmitting sensitive data. (It’s rumored that after a major hack in 2011, one contractor purportedly asked its staff to stop using email for six weeks.) Fill a hard drive, lock it in a briefcase, put someone you trust on a plane with the payload handcuffed to their wrist. Or use one-time pads—books of pre-agreed codes to encrypt and decrypt messages. Quantum-secure, but not very scalable. Expect major industries—energy, finance, health care, manufacturing, transportation—to slow to a crawl as companies with sensitive data switch to paper-based methods of doing business and scramble to hire expensive cryptography consultants. There will be a spike in inflation. Most people might just accept the inevitable: a post-privacy society in which any expectation of secrecy evaporates unless you’re talking to someone in person in a secluded area with your phones switched off. Big Quantum is Watching You.
</p>

<p>
	 
</p>

<p>
	The best-case scenario looks something like Y2K, where we have a collective panic, make the necessary upgrades to encryption, and by the time Q-Day rolls around it’s such an anticlimax that it becomes a joke. That outcome may still be possible. Last summer, NIST released its first set of post-quantum encryption standards. One of Joe Biden’s <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.federalregister.gov/documents/2025/01/17/2025-01470/strengthening-and-promoting-innovation-in-the-nations-cybersecurity" href="https://www.federalregister.gov/documents/2025/01/17/2025-01470/strengthening-and-promoting-innovation-in-the-nations-cybersecurity" rel="external nofollow" target="_blank">last acts as president</a> was to sign an executive order changing the deadline for government agencies to implement NIST’s algorithms from 2035 to “as soon as practicable.”
</p>

<p>
	 
</p>

<p>
	Already, NIST’s post-quantum cryptography has been rolled out on messaging platforms such as Signal and iMessage. Sources told me that sensitive national security data is probably being locked up in ways that are quantum-secure. But while your email account can easily be Q-proofed over the internet (assuming the update doesn’t come from a quantum imposter!), other things can’t. Public bodies like the UK’s National Health Service are still using hardware and software from the 1990s. “Microsoft is not going to upgrade some of its oldest operating systems to be post-quantum secure,” says Ali El Kaafarani, the CEO of PQShield, a company that makes quantum-resistant hardware. Updates to physical infrastructure can take decades, and some of that infrastructure has vulnerable cryptography in places it can’t be changed: The energy grid, military hardware, and satellites could all be at risk.
</p>

<p>
	 
</p>

<p>
	And there’s a balance to be struck. Rushing the transition risks introducing vulnerabilities that weren’t there before. “How do you make transitions slow enough that you can be confident and fast enough that you don’t dawdle?” asks Chris Ballance, CEO of Oxford Ionics, a quantum computing company. Some of those vulnerabilities might even be there by design: Memos leaked by Edward Snowden indicate that the NSA may have inserted a backdoor into a pseudorandom number generator that was adopted by NIST in 2006. “Anytime anybody says you should use this particular algorithm and there’s a nation-state behind it, you’ve got to wonder whether there’s a vested interest,” says Rob Young, director of Lancaster University’s Quantum Technology Centre.
</p>

<p>
	 
</p>

<p>
	Then again, several people I spoke to pointed out that any nation-state with the financial muscle and technical knowledge to build a quantum device that can run Shor’s algorithm could just as easily compromise the financial system, the energy grid, or an enemy’s security apparatus through conventional methods. Why invent a new computing paradigm when you can just bribe a janitor?
</p>

<p>
	 
</p>

<p>
	Long before quantum technology is good enough to break encryption, it will be commercially and scientifically useful enough to tilt the global balance. As researchers solve the engineering challenge of isolating qubits from the environment, they’ll develop exquisitely sensitive quantum sensors that will be able to unmask stealth ships and map hidden bunkers, or give us new insight into the human body. Similarly, pharma companies of the future <em>could</em> use quantum to steal a rival’s inventions—or use it to dream up even better ones. So ultimately the best way to stave off Q-Day may be to share those benefits around: Take the better batteries, the miracle drugs, the far-sighted climate forecasting, and use them to build a quantum utopia of new materials and better lives for everyone. Or—let the scramble begin.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/q-day-apocalypse-quantum-computers-encryption/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28399</guid><pubDate>Mon, 24 Mar 2025 18:00:55 +0000</pubDate></item><item><title>Cloudflare now blocks all unencrypted traffic to its API endpoints</title><link>https://nsaneforums.com/news/security-privacy-news/cloudflare-now-blocks-all-unencrypted-traffic-to-its-api-endpoints-r28394/</link><description><![CDATA[<p>
	Cloudflare announced that it has closed all HTTP connections and now accepts only secure HTTPS connections for api.cloudflare.com.
</p>

<p>
	 
</p>

<p>
	The move prevents unencrypted API requests from being sent, even accidentally, to eliminate the risk of sensitive information being exposed in cleartext traffic before the server closes the HTTP connection and redirects to a secure communication channel.
</p>

<p>
	 
</p>

<p>
	“Starting today, any unencrypted connection to api.cloudflare.com will be completely rejected,” reads <a href="http://blog.cloudflare.com/https-only-for-cloudflare-apis-shutting-the-door-on-cleartext-traffic/" rel="external nofollow" target="_blank">Cloudflare’s announcement</a> on Thursday.
</p>

<p>
	 
</p>

<p>
	“Developers should not expect a 403 Forbidden response any longer for HTTP connections, as we will prevent the underlying connection to be established by closing the HTTP interface entirely. Only secure HTTPS connections will be allowed to be established,” the internet services company added.
</p>

<p>
	 
</p>

<p>
	The Cloudflare API helps developers and system administrators to automate and manage Cloudflare services. It is used for DNS records management, firewall configuration, DDoS protection, caching, SSL settings, infrastructure deployment, accessing analytics data, and managing zero-trust access and security policies.
</p>

<p>
	 
</p>

<p>
	Previously, Cloudflare systems allowed API access over both HTTP (unencrypted) and HTTPS (encrypted), either by redirecting or rejecting HTTP.
</p>

<p>
	 
</p>

<p>
	However, as the company explains, even rejected HTTP requests may leak sensitive data like API keys or tokens before the server responds.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Secrets leaked from blocked request" class="ipsImage" height="525" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/March/leak.jpg">
		<figcaption>
			<em>Secrets leaked from blocked request<br>
			Source: Cloudflare</em>
		</figcaption>
	</figure>
</div>

<p>
	Such a scenario is more dangerous when the connection is over public or shared Wi-Fi networks where adversary-in-the-middle attacks are easier to pull off.
</p>

<p>
	 
</p>

<p>
	By disabling HTTP ports entirely for API access, Cloudflare blocks plaintext connections at the transport layer before any data is exchanged, enforcing HTTPS from the start.
</p>

<h2>
	Impact and next steps
</h2>

<p>
	The change immediately affects anyone using HTTP on the Cloudflare API service. Scripts, bots, and tools relying on the protocol will break.
</p>

<p>
	 
</p>

<p>
	The same applies to legacy systems and automated clients, IoT devices, and low-level clients that don’t support or don’t default to HTTPS due to improper configuration.
</p>

<p>
	 
</p>

<p>
	For customers with websites on Cloudflare, the company is preparing to release a free option towards the end of the year that will disable HTTP traffic in a safe way.
</p>

<p>
	 
</p>

<p>
	Cloudflare data indicates that a small but significant percentage of roughly 2.4% of all internet traffic passing through its systems is still done over the insecure HTTP protocol. When <a href="https://radar.cloudflare.com/explorer?dataSet=http&amp;groupBy=http_protocol&amp;filters=botClass%253DLikely_Automated" rel="external nofollow" target="_blank">automated traffic</a> is taken into account, the HTTP share jumps to nearly 17%.
</p>

<p>
	 
</p>

<p>
	Customers can track HTTP vs HTTPS traffic on their dashboard under Analytics &amp; Logs &gt; Traffic Served Over SSL before opting in, to estimate the impact it will have on their environment.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/cloudflare-now-blocks-all-unencrypted-traffic-to-its-api-endpoints/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">28394</guid><pubDate>Mon, 24 Mar 2025 04:12:00 +0000</pubDate></item></channel></rss>
