Tag: Google Online Security Blog

Posted by Eugene Liderman and Roger Piqueras Jover SMS texting is frozen in time. People still use and rely on trillions of SMS texts each year to exchange messages with friends, share family photos, and copy two-factor authentication codes to…

Read more →

Posted by Martin Geisler, Android team Android 14 is the third major Android release with Rust support. We are already seeing a number of benefits: Productivity: Developers quickly feel productive writing Rust. They report important indicators of development velocity, such…

Read more →

Jess McClintock and John Dethridge, Google Open Source Security Team, and Damien Miller, Enterprise Infrastructure Protection Team When you import a third party library, do you review every line of code? Most software packages depend on external libraries, trusting that…

Read more →

Posted by Jon Bottarini and Hamzeh Zawawy, Android Security Fuzzing is an effective technique for finding software vulnerabilities. Over the past few years Android has been focused on improving the effectiveness, scope, and convenience of fuzzing across the organization. This…

Read more →

Dongge Liu, Jonathan Metzman, Oliver Chang, Google Open Source Security Team  Since 2016, OSS-Fuzz has been at the forefront of automated vulnerability discovery for open source projects. Vulnerability discovery is an important part of keeping software supply chains secure, so…

Read more →

Dongge Liu, Jonathan Metzman, Oliver Chang, Google Open Source Security Team  Since 2016, OSS-Fuzz has been at the forefront of automated vulnerability discovery for open source projects. Vulnerability discovery is an important part of keeping software supply chains secure, so…

Read more →

Elie Bursztein, cybersecurity and AI research director, Fabian Kaczmarczyck, software engineer As part of our effort to deploy quantum resistant cryptography, we are happy to announce the release of the first quantum resilient FIDO2 security key implementation as part of…

Read more →

Posted by David Adrian, Joe DeBlasio and Carlos Joan Rafael Ibarra Lopez, Chrome Security Chrome 106 added support for enforcing key pins on Android by default, bringing Android to parity with Chrome on desktop platforms. But what is key pinning…

Read more →

Posted by Amy Ressler, Chrome Security Team To get security fixes to you faster, starting now in Chrome 116, Chrome is shipping weekly Stable channel updates. Chrome ships a new milestone release every four weeks. In between those major releases,…

Read more →

Posted by Roger Piqueras Jover, Yomna Nasser, and Sudhi Herle Android is the first mobile operating system to introduce advanced cellular security mitigations for both consumers and enterprises. Android 14 introduces support for IT administrators to disable 2G support in…

Read more →

Tavis Ormandy, Software Engineer and Daniel Moghimi, Senior Research Scientist Finding and mitigating security vulnerabilities is critical to keeping Internet users safe.  However, the more complex a system becomes, the harder it is to secure—and that is also the case…

Read more →

Jay Hou, Software Engineer, TrustFabric (transparency.dev)  Pixel Binary Transparency With Android powering billions of devices, we’ve long put security first. There’s the more visible security features you might interact with regularly, like spam and phishing protection, as well as less…

Read more →

Maddie Stone, Security Researcher, Threat Analysis Group (TAG) This is Google’s fourth annual year-in-review of 0-days exploited in-the-wild [2021, 2020, 2019

Read more →

Maddie Stone, Security Researcher, Threat Analysis Group (TAG) This is Google’s fourth annual year-in-review of 0-days exploited in-the-wild [2021, 2020, 2019] and builds off of the mid-year 2022 review. The goal of this report is not to detail each individual…

Read more →

Julie Qiu, Go Security & Reliability and Jonathan Metzman, Google Open Source Security Team Previously in our Supply chain security for Go series, we covered dependency and vulnerability management tools and how Go ensures package integrity and availability as part…

Read more →

Posted by Alex Gough, Chrome Security Team Security reviewers must develop the confidence and skills to make fast, difficult decisions. A simplistic piece of advice to reviewers is “just be confident” but in reality that takes practice and experience. Confidence…

Read more →

Posted by Giles Hogben, Privacy Engineering Director Most modern consumer messaging platforms (including Google Messages) support end-to-end encryption, but users today are limited to communicating with contacts who use the same platform. This is why Google is strongly supportive of…

Read more →

Nicolas Lidzborski, Principal Engineer and Jaishankar Sundararaman, Sr. Director of Engineering, Google Workspace In February, we expanded Google Workspace client-side encryption (CSE) capabilities to include Gmail and Calendar in addition to Drive, Docs, Slides, Sheets

Read more →

Nicolas Lidzborski, Principal Engineer and Jaishankar Sundararaman, Sr. Director of Engineering, Google Workspace In February, we expanded Google Workspace client-side encryption (CSE) capabilities to include Gmail and Calendar in addition to Drive, Docs, Slides, Sheets

Read more →

Julie Qiu, Go Security & Reliability, and Roger Ng, Google Open Source Security Team “Secure your dependencies”—it’s the new supply chain mantra. With attacks targeting software supply chains sharply rising, open source developers need to monitor and judge the risks…

Read more →

Anthony Weems, Information Security Engineer 2022 was a successful year for Google’s Vulnerability Reward Programs (VRPs), with over 2,900 security issues identified and fixed, and over $12 million in bounty rewards awarded to researchers. A significant amount of these vulnerability…

Read more →

Posted by Anuj Goyal, Product Manager, Chrome Browser Browser extensions, while offering valuable functionalities, can seem risky to organizations. One major concern is the potential for security vulnerabilities. Poorly designed or malicious extensions could compromise data integrity and expose sensitive…

Read more →

Asra Ali, Razieh Behjati, Tiziano Santoro, Software Engineers Every day, personal data, such as location information, images, or text queries are passed between your device and remote, cloud-based services. Your data is encrypted when in transit and at rest, but…

Read more →

Tamás Koczka, Security Engineer In 2020, we integrated kCTF into Google’s Vulnerability Rewards Program (VRP) to support researchers evaluating the security of Google Kubernetes Engine (GKE) and the underlying Linux kernel. As the Linux kernel is a key component not…

Read more →

Amy Ressler, Chrome Security Team on behalf of the Chrome VRP For 13 years, a key pillar of the Chrome Security ecosystem has included encouraging security researchers to find security vulnerabilities in Chrome browser and report them to us, through…

Read more →

Posted by Ashish Pujari, Chrome Security Team Introduction Chrome is trusted by millions of business users as a secure enterprise browser. Organizations can use Chrome Browser Cloud Management to help manage Chrome browsers more effectively. As an admin, they can…

Read more →

Vincent Winstead, Technical Program Manager It’s Google CTF time! Get your hacking toolbox ready and prepare your caffeine for rapid intake. The competition kicks off on June 23 2023 6:00 PM UTC and runs through June 25 2023 6:00 PM…

Read more →

David Kluge, Technical Program Manager, and Andy Warner, Product Manager Nobody likes preventable site errors, but they happen disappointingly often.  The last thing you want your customers to see is a dreaded ‘Your connection is not private’ error instead of…

Read more →

Brandon Lum and Mihai Maruseac, Google Open Source Security Team Today, we are announcing the launch of the v0.1 version of Graph for Understanding Artifact Composition (GUAC). Introduced at Kubecon 2022 in October, GUAC targets a critical need in the…

Read more →

Posted by Chrome Root Program, Chrome Security Team What is the Chrome Root Program? A root program is one of the foundations for securing connections to websites. The Chrome Root Program was announced in September 2022. If you missed it,…

Read more →

Posted by Sarah Jacobus, Vulnerability Rewards Team As technology continues to advance, so do efforts by cybercriminals who look to exploit vulnerabilities in software and devices. This is why at Google and Android, security is a top priority, and we…

Read more →

Dongge Liu, Jonathan Metzman and Oliver Chang, Google Open Source Security Team Google’s Open Source Security Team recently sponsored a fuzzing competition as part of ISCE’s Search-Based and Fuzz Testing (SBFT) Workshop. Our goal was to encourage the development of…

Read more →

Juan José López Jaimez, Security Researcher and Meador Inge, Security Engineer Today, we are announcing Buzzer, a new eBPF Fuzzing framework that aims to help hardening the Linux Kernel. What is eBPF and how does it verify safety? eBPF is…

Read more →

Posted by Ronnie Falcon, Product Manager Android is built with multiple layers of security and privacy protections to help keep you, your devices, and your data safe. Most importantly, we are committed to transparency, so you can see your device…

Read more →

Appu Goundan, Google Open Source Security Team Today, we are announcing the General Availability 1.0 version of rules_oci, an open-sourced Bazel plugin (“ruleset”) that makes it simpler and more secure to build container images with Bazel. This effort was a…

Read more →

Silvia Convento, Senior UX Researcher and Court Jacinic, Senior UX Content Designer In recognition of World Password Day 2023, Google announced its next step toward a passwordless future: passkeys.  Passkeys are a

Read more →

By: Arnar Birgisson and Diana K Smetters, Identity Ecosystems and Google Account Security and Safety teams Starting today, you can create and use passkeys on your personal Google Account. When you do, Google will not ask for your password or…

Read more →

Companies welcome input from industry participants and advocacy groups on a draft specification to alert users in the event of suspected unwanted tracking Location-tracking devices help users find personal items like their keys, purse, luggage, and more through crowdsourced finding…

Read more →

Posted by Rae Wang, Director of Product Management (Android Security and Privacy Team) Unlike other mobile OSes, Android is built with a transparent, open-source architecture. We firmly believe that our users and the mobile ecosystem at-large should be able to…

Read more →

Posted by Anu Yamunan and Khawaja Shams (Android Security and Privacy Team), and Mohet Saxena (Compute Trust and Safety) Keeping Google Play safe for users and developers remains a top priority for Google. Google Play Protect continues to scan billions…

Read more →

Bob Callaway, Staff Security Engineer, Google Open Source Security team Last week the Open Source Security Foundation (OpenSSF) announced the release of SLSA v1.0, a framework that helps secure the software supply chain. Ten years of using an internal version…

Read more →

Christiaan Brand, Group Product Manager

Read more →

Posted by David Dworken, Information Security Engineer, Google Security Team Many web applications need to display user-controlled content. This can be as simple as serving user-uploaded images (e.g. profile photos), or as complex as rendering user-controlled HTML (e.g. a web…

Read more →

Posted by Julie Qiu, Go Security & Reliability and Oliver Chang, Google Open Source Security Team High profile open source vulnerabilities have made it clear that securing the supply chains underpinning modern software is an urgent, yet enormous, undertaking. As…

Read more →

Posted by Jesper Sarnesjo and Nicky Ringland, Google Open Source Security Team Today, we are excited to announce the deps.dev API, which provides free access to the deps.dev dataset of security metadata, including dependencies, licenses, advisories, and other critical health…

Read more →

Posted by Jasika Bawa, Chrome Security Team Starting in Chrome 111 we will begin to turn down the Chrome Cleanup Tool, an application distributed to Chrome users on Windows to help find and remove unwanted software (UwS). Origin story The…

Read more →

Posted by Oliver Chang and Andrew Pollock, Google Open Source Security Team It is an interesting time for everyone concerned with open source vulnerabilities. The U.S. Executive Order on Improving the Nation’s Cybersecurity requirements for vulnerability disclosure programs and assurances…

Read more →

Andy Warner, Google Trust Services, and Carl Krauss, Product Manager, Google Domains We’re excited to announce changes that make getting Google Trust Services TLS certificates easier for Google Domains customers. With this integration, all Google Domains customers will be able…

Read more →

Posted by Kiran Nair, Product Manager, Chrome Browser Your journey towards keeping your Google Workspace users and data safe, starts with bringing your Chrome browsers under Cloud Management at no additional cost. Chrome Browser Cloud Management is a single destination…

Read more →

Posted by Michael Spaulding, Senior Product Manager, Ad Traffic Quality Connected TV (CTV) has not only transformed the entertainment world, it has also created a vibrant new platform for digital advertising. However, as with any innovative space, there are challenges…

Read more →

Posted by Eugene Liderman, Director of Mobile Security Strategy, Google As Mobile World Congress approaches, we have the opportunity to have deep and meaningful conversations across the industry about the present and future of connected device security. Ahead of the…

Read more →

Posted by Sarah Jacobus, Vulnerability Rewards Team It has been another incredible year for the Vulnerability Reward Programs (VRPs) at Google! Working with security researchers throughout 2022, we have been able to identify and fix over 2,900 security issues and…

Read more →

Posted by Roger Piqueras Jover, Ivan Lozano, Sudhi Herle, and Stephan Somogyi, Android Team A modern Android powered smartphone is a complex hardware device: Android OS runs on a multi-core CPU – also called an Application Processor (AP). And the…

Read more →

Posted by Kent Walker, President, Global Affairs & Chief Legal Officer, Google & Alphabet and Royal Hansen, Vice President of Engineering for Privacy, Safety, and Security Should companies be responsible for cyberattacks? The U.S. government thinks so – and frankly,…

Read more →

Posted by Oliver Chang, OSS-Fuzz team Since launching in 2016, Google’s free OSS-Fuzz code testing service has helped get over 8800 vulnerabilities and 28,000 bugs fixed across 850 projects. Today, we’re happy to announce an expansion of our OSS-Fuzz Rewards…

Read more →

Posted by Oliver Chang, OSS-Fuzz team Since launching in 2016, Google’s free OSS-Fuzz code testing service has helped get over 8800 vulnerabilities and 28,000 bugs fixed across 850 projects. Today, we’re happy to announce an expansion of our OSS-Fuzz Rewards…

Read more →

Posted by Chrome Root Program, Chrome Security Team Note: This post is a follow-up to discussions carried out on the Mozilla “Dev Security Policy” Web PKI public discussion forum Google Group in December 2022. Google Chrome communicated its distrust of…

Read more →

Posted by Dana Jansens (she/her), Chrome Security Team We are pleased to announce that moving forward, the Chromium project is going to support the use of third-party Rust libraries from C++ in Chromium. To do so, we are now actively…

Read more →

Posted by Benjamin Ackerman, Chrome Security and Jonathan Li, Safe Browsing As a follow-up to a previous blog post about How Hash-Based Safe Browsing Works in Google Chrome, we wanted to provide more details about Safe Browsing’s Enhanced Protection mode…

Read more →

Posted by Dave Kleidermacher, Dianne Hackborn, and Eugenio Marchiori We care deeply about privacy. We also know that trust is built by transparency. This blog, and the technical paper reference within, is an example of that commitment: we describe an…

Read more →

Posted by Benjamin Ackerman (Chrome Security and Jonathan Li (Safe Browsing) As a follow-up to a previous blog post about How Hash-Based Safe Browsing Works in Google Chrome, we wanted to provide more details about Safe Browsing’s Enhanced Protection mode…

Read more →

Posted by Tom Hennen, Software Engineer, BCID & GOSST  One of the great benefits of SLSA (Supply-chain Levels for Software Artifacts) is its flexibility. As an open source framework designed to improve the integrity of software packages and infrastructure, it…

Read more →

Posted by Caleb Brown, Open Source Security Team  Despite open source software’s essential role in all software built today, it’s far too easy for bad actors to circulate malicious packages that attack the systems and users running that software. Unlike…

Read more →

Posted by Jeffrey Vander Stoep For more than a decade, memory safety vulnerabilities have consistently represented more than 65% of vulnerabilities across products, and across the industry. On Android, we’re now seeing something different – a significant drop in memory…

Read more →

Posted by Adrian Taylor, Bartek Nowierski and Kentaro Hara on behalf of the MiraclePtr team Memory safety bugs are the most numerous category of Chrome security issues and we’re continuing to investigate many solutions – both in C++ and in…

Read more →

Posted by Jonathan Metzman, Dongge Liu and Oliver Chang, Google Open Source Security Team Recently, OSS-Fuzz—our community fuzzing service that regularly checks 700 critical open source projects for bugs—detected a serious vulnerability (CVE-2022-3008): a bug in the TinyGLTF project that…

Read more →

Posted by Francis Perron, Open Source Security Technical Program Manager Today, we are launching Google’s Open Source Software Vulnerability Rewards Program (OSS VRP) to reward discoveries of vulnerabilities in Google’s open source projects. As the maintainer of major projects such…

Read more →

Posted by Pedro Barbosa, Security Engineer, and Daniel Bleichenbacher, Software Engineer Paranoid is a project to detect well-known weaknesses in large amounts of crypto artifacts, like public keys and digital signatures. On August 3rd 2022 we open sourced the library containing…

Read more →

Posted by Eduardo Vela, Exploit Critic Cover of the medieval cookbook. Title in large letters kernel Exploits. Adorned. Featuring a small penguin. 15th century. Color. High quality picture. Private collection. Detailed. The Linux kernel is a key component for the…

Read more →

By Rohit Bhatia, Mollie Bates, Google Chrome Security There are various threats a user faces when browsing the web. Users may be tricked into sharing sensitive information like their passwords with a misleading or fake website, also called phishing. They…

Read more →

Posted by Matthew Mauer and Mike Yu, Android team To help keep Android users’ DNS queries private, Android supports encrypted DNS. In addition to existing support for DNS-over-TLS, Android now supports DNS-over-HTTP/3 which has a number of improvements over DNS-over-TLS.…

Read more →

Posted by Shane Huntley, Director, Threat Analysis Group This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q2 2022. It was last updated on June 30, 2022. May We terminated 20 YouTube channels as part of our investigation…

Read more →

Posted by Jan Keller, Technical Entertainment Manager, Bug Hunters  Are you ready to put your hacking skills to the test? It’s Google CTF time! The competition kicks off on July 1 2022 6:00 PM UTC and runs through July 3…

Read more →

This article has been indexed from Google Online Security Blog Posted by Brandon Lum and Oliver Chang, Google Open Source Security Team The past year has seen an industry-wide effort to embrace Software Bills of Materials (SBOMs)—a list of all…

Read more →

This article has been indexed from Google Online Security Blog Posted by Harshvardhan Sharma, Information Security Engineer, Google 2021 was another record-breaking year for our Vulnerability Rewards Program (VRP). We paid a total of $8.7 million in rewards, our highest amount…

Read more →

This article has been indexed from Google Online Security Blog Posted by Anton Bikineev, Michael Lippautz and Hannes Payer, Chrome security team Memory safety in Chrome is an ever-ongoing effort to protect our users. We are constantly experimenting with different…

Read more →

This article has been indexed from Google Online Security Blog Posted by GKE and Anthos Platform Security Teams  At the KubeCon EU 2022 conference in Valencia, security researchers from Palo Alto Networks presented research findings on “trampoline pods”—pods with an…

Read more →

This article has been indexed from Google Online Security Blog Posted by Eugene Liderman and Sara N-Marandi, Android Security and Privacy Team Every year at I/O we share the latest on privacy and security features on Android. But we know…

Read more →

This article has been indexed from Google Online Security Blog Posted by Eugene Liderman and Sara N-Marandi, Android Security and Privacy Team Every year at I/O we share the latest on privacy and security features on Android. But we know…

Read more →

This article has been indexed from Google Online Security Blog Posted by Daniel Margolis, Senior Software Engineer, Google Account Security Team  Every year, security technologies improve: browsers get better, encryption becomes ubiquitous on the Web, authentication becomes stronger. But phishing…

Read more →

This article has been indexed from Google Online Security Blog Posted by Caleb Brown, Open Source Security Team  Despite open source software’s essential role in all software built today, it’s far too easy for bad actors to circulate malicious packages…

Read more →

This article has been indexed from Google Online Security Blog Posted by Steve Kafka and Khawaja Shams, Android Security and Privacy Team Providing a safe experience to billions of users continues to be one of the highest priorities for Google…

Read more →

This article has been indexed from Google Online Security Blog Posted by Medha Jain, Program Manager, Devices & Services Security  At Google, we constantly invest in security research to raise the bar for our devices, keeping our users safe and…

Read more →

This article has been indexed from Google Online Security Blog Posted by Adrian Taylor, Chrome Security Team If you are a regular reader of our Chrome release blog, you may have noticed that phrases like ‘exploit for CVE-1234-567 exists in…

Read more →

This article has been indexed from Google Online Security Blog Posted by Adrian Taylor, Chrome Security Team If you are a regular reader of our Chrome release blog, you may have noticed that phrases like ‘exploit for CVE-1234-567 exists in…

Read more →

This article has been indexed from Google Online Security Blog Posted by Ard Biesheuvel, Google Open Source Security Team Linux kernel support for the 32-bit ARM architecture was contributed in the late 90s, when there was little corporate involvement in Linux…

Read more →

This article has been indexed from Google Online Security Blog Posted by Sarah Jacobus, Vulnerability Rewards Team  Last year was another record setter for our Vulnerability Reward Programs (VRPs). Throughout 2021, we partnered with the security researcher community to identify…

Read more →

This article has been indexed from Google Online Security Blog Posted by Laurent Simon and Azeem Shaikh, Google Open Source Security Team (GOSST)  Since our July announcement of Scorecards V2, the Scorecards project—an automated security tool to flag risky supply chain…

Read more →