Google Chrome to let Isolated Web App access sensitive USB devices

Google is working on a new Unrestricted WebUSB feature, which allows trusted isolated web apps to bypass security restrictions in the WebUSB API. WebUSB is a JavaScript API that allows web applications to access local USB devices on a computer.
As part of the WebUSB specification, there are certain interface classes that are protected from being accessed via web applications to prevent malicious scripts from accessing potentially sensitive data.
The list of protected interface classes are audio, HID, mass storage, smart card, video, audio/video Devices, and wireless controller.
The WebUSB specification includes a block list of specific USB devices that cannot be accessed by the API, such as YubiKeys, Google Titan keys, and Feitian security keys, which are used for multi-factor authentication.
Isolated web apps are applications not hosted on live web servers but packaged into Web Bundles, signed by their developer, and distributed to end-users.
They are commonly created for companies to use in-house.
When an app with this permission attempts to access a USB device, the system first checks if it is on the blocklist of vulnerable devices.
If it is, the device is normally removed from the access list.
The system also checks whether the device is on the app's list of allowed devices.
The system will check if the accessed interface is marked as protected.
Google's proposed feature enables trusted isolated web apps to access a broader range of USB devices, allowing for greater functionality in a trusted setting.
Google says it plans to ship it for testing in Chome 128, which should be released in August 2024.
Chrome for Android tests feature that securely verifies your ID with sites.
Google Chrome reduced cookie requests to improve performance.
Google Chrome change that weakens ad blockers begins June 3rd. Google rolls out Chrome fix for empty pages when switching tabs.
Google fixes fifth Chrome zero-day exploited in attacks this year.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Sun, 30 Jun 2024 21:20:21 +0000

Cyber News related to Google Chrome to let Isolated Web App access sensitive USB devices

Google Chrome to let Isolated Web App access sensitive USB devices - Google is working on a new Unrestricted WebUSB feature, which allows trusted isolated web apps to bypass security restrictions in the WebUSB API. WebUSB is a JavaScript API that allows web applications to access local USB devices on a computer. As ...
11 months ago Bleepingcomputer.com

CVE-2023-52528 - In the Linux kernel, the following vulnerability has been resolved: ...
1 year ago

The Limitations of Google Play Integrity API - This overview outlines the history and use of Google Play Integrity API and highlights some limitations. We also compare and contrast Google Play Integrity API with the comprehensive mobile security offered by Approov. Google provides app attestation ...
1 year ago Securityboulevard.com

How to perform a proof of concept for automated discovery using Amazon Macie | AWS Security Blog - After reviewing the managed data identifiers provided by Macie and creating the custom data identifiers needed for your POC, it’s time to stage data sets that will help demonstrate the capabilities of these identifiers and better understand how ...
8 months ago Aws.amazon.com

CVE-2024-56769 - In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg Syzbot reports [1] an uninitialized value issue found by KMSAN in dib3000_read_reg(). Local u8 rb[2] is used in ...
5 months ago Tenable.com

CVE-2024-41097 - In the Linux kernel, the following vulnerability has been resolved: ...
5 months ago

Google Cloud Next 2024: New Data Center Chip Joins Ecosystem - Google Cloud announced a new enterprise subscription for Chrome and a bevy of generative AI add-ons for Google Workspace during the Cloud Next '24 conference, held in Las Vegas from April 9 - 11. Overall, Google Cloud is putting its Gemini generative ...
1 year ago Techrepublic.com

CVE-2023-52742 - In the Linux kernel, the following vulnerability has been resolved: net: USB: Fix wrong-direction WARNING in plusb.c The syzbot fuzzer detected a bug in the plusb network driver: A zero-length control-OUT transfer was treated as a read instead of a ...
1 year ago Tenable.com

Google Chrome Zero-Day Bug Under Attack, Allows Code Injection - Google has patched a high-severity zero-day bug in its Chrome Web browser that attackers are actively exploiting. The vulnerability, assigned as CVE-2024-0519, is the first Chrome zero-day bug that Google has disclosed in 2024, and the second in the ...
1 year ago Darkreading.com CVE-2024-0519 CVE-2024-0517 CVE-2024-0518 Hunters

Google Patches Another Chrome Zero-Day as Browser Attacks Mount - For the fourth time since August, Google has disclosed a bug in its Chrome browser technology that attackers were actively exploiting in the wild before the company had a fix for it. Integer Overflow Bug The latest zero-day, which Google is tracking ...
1 year ago Darkreading.com CVE-2023-6345 CVE-2023-4863 CVE-2023-5217 CVE-2023-28205 CVE-2023-32409 CVE-2023-28204 CVE-2023-32373

Google Chrome's new "IP Protection" will hide users' IP addresses - Google is getting ready to test a new "IP Protection" feature for the Chrome browser that enhances users' privacy by masking their IP addresses using proxy servers. Recognizing the potential misuse of IP addresses for covert tracking, Google seeks to ...
1 year ago Bleepingcomputer.com

Ahead of Regulatory Wave: Google's Pivotal Announcement for EU Users - Users in the European Union will be able to prevent Google services from sharing their data across different services if they do not wish to share their data. Google and five other large technology companies must comply with the EU's Digital Markets ...
1 year ago Cysecurity.news

Google: Malware abusing API is standard token theft, not an API issue - Google is downplaying reports of malware abusing an undocumented Google Chrome API to generate new authentication cookies when previously stolen ones have expired. In late November 2023, BleepingComputer reported on two information-stealing malware ...
1 year ago Bleepingcomputer.com

Google Online Security Blog: Sustaining Digital Certificate Security - The Chrome Security Team prioritizes the security and privacy of Chrome's users, and we are unwilling to compromise on these values. The Chrome Root Program Policy states that CA certificates included in the Chrome Root Store must provide value to ...
11 months ago Security.googleblog.com

Google promises a rescue patch for Android 14's "ransomware" bug - So Android 14 has this pretty horrible storage bug for upgrading users. Bugs are always going to happen, but the big problem with this is that Google has seemingly been ignoring it, and on Friday we wrote about how users have been piling up hundreds ...
1 year ago Arstechnica.com

20 Best Remote Monitoring Tools - 2025 - What is Good ?What Could Be Better ?Strong abilities to keep an eye on devices and systems.Some parts may take time to figure out.It gives you tools for remote control and troubleshooting.There could be more ways to change things.Lets you automate ...
2 months ago Cybersecuritynews.com

New TetrisPhantom hackers steal data from secure USB drives on govt systems - A new sophisticated threat tracked as 'TetrisPhantom' has been using compromised secure USB drives to target government systems in the Asia-Pacific region. Secure USB drives store files in an encrypted part of the device and are used to safely ...
1 year ago Bleepingcomputer.com Ragnar Locker

CVE-2025-21916 - In the Linux kernel, the following vulnerability has been resolved: ...
2 months ago

Avast confirms it tagged Google app as malware on Android phones - Czech cybersecurity company Avast confirmed that its antivirus SDK has been flagging a Google Android app as malware on Huawei, Vivo, and Honor smartphones since Saturday. On affected devices, users were warned to immediately uninstall the Google app ...
1 year ago Bleepingcomputer.com Rocke

Check if you're in Google Chrome's third-party cookie phaseout test - Google has started testing the phasing out of third-party cookies on Chrome, affecting about 1% of its users or approximately 30 million people. Learn how to check if you are part of the initial test. Third-party cookies, which track users' browsing ...
1 year ago Bleepingcomputer.com

Fake app impersonating LastPass spotted in Apple's App Store The Register - LastPass says a rogue application impersonating its popular password manager made it past Apple's gatekeepers and was listed in the iOS App Store for unsuspecting folks to download and install. A screenshot of the fake LastPass app in the Apple App ...
1 year ago Go.theregister.com

CVE-2025-29154 - HTML injection vulnerability in lemeconsultoria HCM galera.app v.4.58.0 allows an attacker to execute arbitrary code via the .galera.app/ted/solicitacao_treinamento/, .galera.app/rh/metas/perspectiva_estrategica/edicao/, ...
1 month ago

Google paid $10 million in bug bounty rewards last year - Google awarded $10 million to 632 researchers from 68 countries in 2023 for finding and responsibly reporting security flaws in the company's products and services. Though this is lower than the $12 million Google's Vulnerability Reward Program paid ...
1 year ago Bleepingcomputer.com Hunters

BadBox malware disrupted on 500K infected Android devices - The BadBox Android malware botnet has been disrupted again by removing 24 malicious apps from Google Play and sinkholing communications for half a million infected devices. HUMAN says it also discovered 24 Android apps in the official app store, ...
3 months ago Bleepingcomputer.com

Frustration grows over Google's AI Overviews feature, how to disable - Since Google enabled its AI-powered search feature, many people have tried and failed to disable the often incorrect AI Overviews feature in regular search results. When you're signed into Google and search for general topics like how to install one ...
1 year ago Bleepingcomputer.com