Google has stepped in to address a security flaw that could have made it possible to brute-force an account's recovery phone number, potentially exposing them to privacy and security risks.
The issue, according to Singaporean security researcher "brutecat," leverages an issue in the company's account recovery feature.
That said, exploiting the vulnerability hinges on several moving parts,

Researcher Found Flaw to Discover Phone Numbers Linked to Any Google Account

Phone numbers are a goldmine for SIM swappers. A researcher found how to get this precious piece of information through a clever brute-force attack.

A cybersecurity researcher was able to figure out the phone number linked to any Google account, information that is usually not public and is often sensitive, according to the researcher, Google, and 404 Media’s own tests.

The issue has since been fixed but at the time presented a privacy issue in which even hackers with relatively few resources could have brute forced their way to peoples’ personal information.

“I think this exploit is pretty bad since it's basically a gold mine for SIM swappers,” the independent security researcher who found the issue, who goes by the handle brutecat, wrote in an email. SIM swappers are hackers who take over a target's phone number in order to receive their calls and texts, which in turn can let them break into all manner of accounts.

In mid-April, we provided brutecat with one of our personal Gmail addresses in order to test the vulnerability. About six hours later, brutecat replied with the correct and full phone number linked to that account.

“Essentially, it's bruting the number,” brutecat said of their process. Brute forcing is when a hacker rapidly tries different combinations of digits or characters until finding the ones they’re after. Typically that’s in the context of finding someone’s password, but here brutecat is doing something similar to determine a Google user’s phone number.

Brutecat said in an email the brute forcing takes around one hour for a U.S. number, or 8 minutes for a UK one. For other countries, it can take less than a minute, they said.

In an accompanying video demonstrating the exploit, brutecat explains an attacker needs the target’s Google display name. They find this by first transferring ownership of a document from Google’s Looker Studio product to the target, the video says. They say they modified the document’s name to be millions of characters, which ends up with the target not being notified of the ownership switch. Using some custom code, which they detailed in their write up, brutecat then barrages Google with guesses of the phone number until getting a hit.

“The victim isn’t notified at all :)” a caption in the video reads.

A Google spokesperson told 404 Media in a statement “This issue has been fixed. We've always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue. Researcher submissions like this are one of the many ways we’re able to quickly find and fix issues for the safety of our users.”

Phone numbers are a key piece of information for SIM swappers. These sorts of hackers have been linked to countless hacks of individual people in order to steal online usernames or cryptocurrency. But sophisticated SIM swappers have also escalated to targeting massive companies. Some have worked directly with ransomware gangs from Eastern Europe.

Armed with the phone number, a SIM swapper may then impersonate the victim and convince their telecom to reroute text messages to a SIM card the hacker controls. From there, the hacker can request password reset text messages, or multi-factor authentication codes, and log into the victim’s valuable accounts. This could include accounts that store cryptocurrency, or even more damaging, their email, which in turn could grant access to many other accounts.

On its website, the FBI recommends people do not publicly advertise their phone number for this reason. “Protect your personal and financial information. Don’t advertise your phone number, address, or financial assets, including ownership or investment of cryptocurrency, on social media sites,” the site reads.

In their write-up, brutecat said Google awarded them $5,000 and some swag for their findings. Initially, Google marked the vulnerability as having a low chance of exploitation. The company later upgraded that likelihood to medium, according to brutecat’s write-up.

A Researcher Figured Out How to Reveal Any Phone Number Linked to a Google Account

You don’t need a rogue employee to suffer a breach.
All it takes is a free trial that someone forgot to cancel. An AI-powered note-taker quietly syncing with your Google Drive. A personal Gmail account tied to a business-critical tool. That’s shadow IT. And today, it’s not just about unsanctioned apps, but also dormant accounts, unmanaged identities, over-permissioned SaaS

Think Your IdP or CASB Covers Shadow IT? These 5 Risks Prove Otherwise

It seems not a day goes by without news of another crypto scam targeting unsuspecting holders. Those owning…

It seems not a day goes by without news of another crypto scam targeting unsuspecting holders. Those owning popular cryptocurrencies like Bitcoin (BTC) and Litecoin (LTC) are also exposed to cyberattacks.

While Bitcoin is often referred to as the gold of crypto, Litecoin is considered its silver, valued for speed, lower fees, and practical use. But, in the end, both are targets of scams including phishing and malware attacks. In this article, we are discussing security for LTC wallets and protecting yourself from scams that have become nothing but sophisticated.

****Spotting Common Litecoin Scams****

Knowledge is your first line of protection against crypto fraud types because scammers aren’t getting any less creative. They exploit both the need for urgency in humans and security vulnerabilities in systems to separate you from your funds. Knowing how these scams work makes it easier to spot them, especially social engineering tricks common in crypto. The key rule is don’t just trust; verify. It’s one of the best ways to protect your Litecoin.

****Phishing and Malicious Links****

The most common type of crypto scam there is? Phishing attacks masquerading as legitimate emails, social media messages, or fake Litecoin websites. Scammers create spoofing attacks that look identical to trusted platforms, using subtle URL misspellings or deceptive subdomains to fool even careful users.

How to recognize phishing?

*   A link may look like a legitimate site but have a slightly different URL

*   The website requests sensitive data like private keys or seed phrases

How not to fall for email phishing crypto scams?

*   Double- and triple-check URLs before clicking anything

*   Remember: legitimate services never request your private keys or seed phrases

*   Open websites directly from bookmarks rather than clicking malicious links

****Fake Giveaways, Investment Scams, and Impersonation****

Scammers love exploiting Fear of Missing Out (FoMO) with Litecoin giveaway scams and crypto investment fraud. The classic “send LTC to receive more” scheme never gets old. Imposter scams often involve celebrities (from Charlie Lee to Elon Musk), exchanges, or support staff sliding into your DMs with unsolicited offers.

How to recognize these social media crypto scams?

*   You’re being asked to send crypto to “verify” your wallet

*   The persuasion comes from someone masquerading as a trusted party

*   Fake customer service accounts demand remote access or sensitive information

How to not fall for these schemes?

*   If an offer seems too good to be true, it probably is

*   Verify identities directly through official channels, not DMs

*   Take responsibility for your own choices, when things get sketchy, dip out

****Malware and Malicious Software****

Crypto malware are sophisticated that can steal your funds through keystroke logging, clipboard hijacking, or directly accessing wallet files. The worst part? They’re often disguised as legitimate wallet software, browser extensions, or crypto tools.

How to avoid wallet draining software?

*   Be extra cautious with unofficial apps or browser extensions

*   Only download from official sources and verify file authenticity

*   Keep an escape plan in mind if something feels off about new software

Even an apparently harmless download can contain a script that hijacks your transactions or drains your account entirely.

****What Can You Do to Safeguard Your LTC?****

Getting Litecoin is simple enough with a trustworthy provider such as ChangeHero, which has been around since 2017 and now supports 200+ coins and tokens in addition to Litecoin. With their crypto exchange with the lowest fees, getting your own LTC securely is easier than a walk in the park. Securing it, though, is a tad more complicated.

Protecting your Litecoin requires more than wishful thinking; you need battle-tested crypto protection tips that work. The best defence? Proactive measures rooted in solid Litecoin security best practices. This section arms you with actionable strategies to prevent crypto fraud, from hardware wallets to from hardware wallets to thinking critically online. Your online security is up to you, stay prepared and protect yourself from whatever scammers try next.

****Hardware Wallets and Authentication****

If you take your Litecoin holdings seriously, cold storage crypto through a hardware wallet is a must. Devices like Ledger and Trezor keep your private keys offline and away from internet vulnerabilities, making it nearly impossible for hackers to reach your funds remotely. And, it shouldn’t end with a hardware wallet. Strengthen your Litecoin security by using solid authentication methods:

*   **Strong, unique passwords**: Never reuse passwords across platforms. Each crypto-related account should have its own unique password.

*   **Enable 2FA crypto the right way**: Use authenticator apps like Google Authenticator or physical keys like YubiKey. SMS-based 2FA? Skip it: SIM-swapping attacks make it vulnerable.

*   **Secure your backup seeds**: Store them offline, never digitally. A piece of paper in a safe beats a screenshot on your phone every time.

****Keeping Software Updated****

Stay up to date with crypto security updates. Running outdated software increases the risk of attacks. Make sure your operating system, browser, and antivirus tools are regularly updated to patch known security issues.

Staying updated on software is just one part of the equation. Cybersecurity training and education against scams are keys to staying protected against new threats. Follow credible crypto news sources and security professionals, but always verify the information. Avoid click-driven content and cross-check facts before acting.

****What If It’s Too Late?****

Think you’ve been targeted by Litecoin fraud or a crypto hack? Time is critical. Acting quickly can help reduce the damage. The first rule is to stop all communication with the scammer immediately. Don’t engage, don’t negotiate, don’t try to outsmart them! Just cut contact to prevent further exposure.

Start by changing the passwords on all affected accounts, making sure each one is strong and unique. If your wallet has been compromised, transfer your funds to a new, secure wallet, preferably a hardware wallet.

Additionally, disconnect any devices you think may be infected to stop further malicious activity. Time is critical in these situations. The faster you respond, the better your chances of protecting what’s left and blocking further access.

****Report and Document****

Document everything, and we mean everything. Screenshots, transaction IDs, emails, messages, phone numbers, website URLs. This crypto scam evidence isn’t just for your records; it’s ammunition for investigators trying to track down these scammers.

Where to report crypto fraud:

*   Your exchange’s security team (they need to know ASAP)

*   Local police and national cybercrime units like the FBI’s IC3

*   Cybersecurity organizations for broader community awareness

The crypto space offers real opportunities, but when it comes to Litecoin security, it’s your responsibility, no one else’s. Protecting your digital assets is up to you. By staying alert, using hardware wallets, and keeping your knowledge up to date, you make it harder for scammers to succeed.

(Image by Eivind Pedersen from Pixabay)

Litecoin Security: How to Spot, Avoid, and Recover from Crypto Scams

A list of topics we covered in the week of June 1 to June 7 of 2025

June 6, 2025 - How to update Chrome on every Operating System (Windows, Mac, Linux, Chrome OS, Android, iOS)

June 6, 2025 - Cybercriminals are abusing the hospitality industry and its booking platforms to defraud the travelers that visit them

June 5, 2025 - Ransomware has been discovered by security researchers in fake installers posing as Chat GPT, Nova Leads, and InVideo AI.

June 4, 2025 - Google has released an important update for Chrome, patching one actively exploited zero-day and two other security flaws

June 3, 2025 - As scammers develop new ways of exploiting unsuspecting users, Malwarebytes is introducing Scam Guard to combat this new wave of threats.

 A week in security (June 1 &#8211; June 7) 

A financially motivated group of hackers known as UNC6040 is using a simple but effective tactic to breach…

A financially motivated group of hackers known as UNC6040 is using a simple but effective tactic to breach enterprise environments: picking up the phone and pretending to be IT support, simply called voice phishing (Vishing).

According to a new report from Google’s Threat Intelligence Group (GTIG), this actor has been impersonating internal tech staff in phone-based social engineering attacks. Their goal is to trick employees, mostly in English-speaking branches of multinational companies, into granting access to sensitive systems, particularly Salesforce, a widely used customer relationship management (CRM) platform.

****How the Scam Works****

UNC6040 doesn’t rely on exploits or security vulnerabilities. Instead, it counts on human error. The attackers call employees and walk them through approving a connected app inside Salesforce. But this isn’t just any app, it’s often a modified version of Salesforce’s legitimate Data Loader tool.

With this access, attackers can query and extract vast amounts of data from the targeted organization. In some cases, they disguise the tool as “My Ticket Portal,” a name aligned with the IT support theme of the scam.

Once access is granted, UNC6040 pulls data in stages. Sometimes, they start small to avoid detection, using test queries and limited batch sizes. If the initial probing goes unnoticed, they scale up the operation and begin large-volume exfiltration.

****Extortion Comes Later****

Interestingly, data theft doesn’t always lead to immediate demands. In several incidents, months passed before victims received extortion messages. During those messages, attackers claimed to be associated with the well-known hacking group ShinyHunters, a move likely aimed at increasing pressure on victims to pay up.

This delayed approach hints that UNC6040 might be working with other actors who specialize in monetizing stolen data. Whether they’re selling access or handing off the data for follow-up attacks, the long pause makes incident detection and response more complicated for security teams.

While the primary target is Salesforce, the group’s ambitions don’t end there. Once they gain credentials, UNC6040 has been observed moving laterally through corporate systems, targeting platforms like Okta and Microsoft 365. This broader access allows them to collect additional valuable data, deepen their presence, and build leverage for future extortion attempts.

Attack flow (Google)

****Protecting Against These Attacks****

GTIG advises taking a few clear steps to make these types of breaches less likely. First, limit who has access to powerful tools like Data Loader, only users who genuinely need it should have permissions, and those should be reviewed regularly. It’s also important to manage which connected apps can access your Salesforce setup; any new app should go through a formal approval process.

To prevent unauthorized access, especially from attackers using VPNs, logins and app authorizations should be restricted to trusted IP ranges. Monitoring is another key piece, platforms like Salesforce Shield can flag and react to large-scale data exports in real time. While multi-factor authentication (MFA) isn’t perfect, it still plays a major role in protecting accounts, especially when users are trained to spot tricks like phishing calls that try to get around it.

Hackers Using Fake IT Support Calls to Breach Corporate Systems, Google

Over 20 malicious apps on Google Play are stealing crypto seed phrases by posing as trusted wallets and exchanges, putting users' funds at risk.

A recent investigation by threat intelligence firm Cyble has spotted a campaign targeting cryptocurrency users through the Google Play Store with more than 20 malicious Android applications.

These apps, disguised as trusted crypto wallets like SushiSwap, PancakeSwap, Hyperliquid, and Raydium, have been found harvesting users’ 12-word mnemonic phrases, the keys that unlock their crypto funds.

These apps mimic legitimate wallet interfaces, luring users into entering sensitive recovery phrases. Once entered, the attackers can access the real wallets and empty them. While Google has removed many of these fake apps following Cyble’s report, a handful remain live on the store and have been flagged for removal.

****How the Scam Works****

According to Cyble’s report shared with Hackread.com, the fraudulent apps carry names and icons of well-known crypto platforms and appear under developer accounts that previously hosted genuine apps, including games, video downloaders, and streaming tools. These accounts, some with more than 100,000 downloads, appear to have been hijacked and repurposed to distribute the malicious apps.

Screenshot showing a developer account that previously published legitimate apps, now used for malicious activity (Credit: Cyble)

In several cases, the apps use a development tool known as the “Median framework” to quickly turn phishing websites into Android apps. The apps load these phishing pages directly inside a WebView, an embedded browser window, that asks users for their mnemonic phrase under the guise of wallet access.

The campaign isn’t only widespread in scale but also coordinated in its infrastructure. One phishing domain found by Cyble was linked to over 50 similar domains, all part of the same broader effort to compromise wallet security.

Cyble’s researchers also noticed a pattern in how these fake apps operate. Many of them include links in their privacy policies that actually lead to phishing websites designed to steal users’ wallet recovery phrases. The apps also tend to follow similar naming styles, which points to the use of automated tools to quickly create and publish them.

On top of that, several apps are connected to the same servers or websites, showing they’re part of a larger, organized effort. Some of the fake domains linked to these apps include:

*   bullxnisbs
*   hyperliqwsbs
*   raydifloydcz
*   sushijamessbs
*   pancakefentfloydcz

These domains impersonate various wallet providers and serve pages meant to trick users into handing over their seed phrases. Meanwhile, the partial list of malicious apps, courtesy of Cyble, is available below:

1.  Raydium
2.  SushiSwap
3.  Suiet Wallet
4.  Hyperliquid
5.  BullX Crypto
6.  Pancake Swap
7.  Meteora Exchange
8.  OpenOcean Exchange
9.  Harvest Finance Blog

Despite efforts to remove the apps, the campaign is ongoing. As of this report, a few remain active on the Play Store. The quick replication of these apps using off-the-shelf frameworks suggests the attackers could easily spin up more fake apps if not quickly blocked.

This poses a serious risk. Unlike traditional banking, there is no safety net for crypto theft. Once a wallet is drained, the funds are nearly impossible to recover.

Cyble has shared detailed indicators of compromise (IOCs) including app names, package identifiers, and phishing domains, which security professionals can use to block or investigate further.

This campaign goes on to show how attackers continue to target the already vulnerable crypto space through official channels like app stores. While app platforms are working to catch malicious uploads, users remain on the receiving end of these cybersecurity threats. Therefore, users are urged to watch out and follow these steps to protect themselves:

Watch for red flags like low review counts, recently republished apps, or links to strange domains in privacy policies.

*   Avoid downloading and installing unnecessary apps.

*   Enable Google Play Protect to help identify potentially harmful apps.

*   Use biometric security and two-factor authentication where available.

*   Always watch out while downloading apps from third-party as well as official stores.

*   Never enter your 12-word phrase into any app or website unless you’re certain it’s legitimate.

Over 20 Malicious Apps on Google Play Target Users for Seed Phrases

Plus: A 22-year-old former intern gets put in charge of a key anti-terrorism program, threat intelligence firms finally wrangle their confusing names for hacker groups, and more.

Since it’s already chaos out there, this week, we thought we’d lean into the madness by envisioning the future threats that you’re not ready for. From cyberattacks on the US grid to GPS blackouts, rampant deepfake scams, AI-powered super hackers, and widespread communication system collapse, there’s a whole spectrum of scenarios that could take things from bad to worse.

All is not lost, however—at least if you’re Ross Ulbricht. The creator of the Silk Road dark web market, who was pardoned by President Donald Trump earlier this year, received a mysterious $31 million bitcoin donation last weekend. Crypto-tracing firm Chainalysis now suspects the lavish gift may have come from a vendor at another now-defunct black market, AlphaBay.

A trove of public records reviewed by WIRED this week reveal a years-long effort by a farming industry group to get the FBI to treat animal rights activists as a “bioterrorist” threat. The Animal Agriculture Alliance (AAA) was repeatedly in contact with the bureau’s Weapons of Mass Destruction Directorate about the activities of groups like Direct Action Everywhere, or DxE. The records show that AAA fed intelligence about DxE to the FBI and used corporate spies to infiltrate the group’s activities.

Immigration and Customs Enforcement recently updated its guidance for agents who carry out courthouse raids and other “enforcement actions” in and nearby court houses, according to an agency document reviewed by WIRED. The updated policy removes language that explicitly instructed agents to ensure they followed local and state laws.

Anyone who was trying to play a new video game on Christmas Day in 2014 likely remembers the infamous Lizardsquad hack of Xbox Live and Playstation Network. Now, more than a decade later, we finally have the full story.

But that’s not all! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Mysterious iPhone Crashes Hint at a Chinese Hacks. Apple Denies It**

The security firm iVerify this week brought to light a series of suspicious iPhone crashes that researchers say might just indicate a stealthy, unprecedented Chinese zero-click hacking campaign victimizing American phones, including even those of staffers for the Harris-Walz presidential campaign. Or it’s a random, not-particularly-dangerous bug that Apple has already squashed.

In a report released Thursday, iVerify assessed with “moderate confidence” that China-linked hackers may have targeted a series of iPhones with a sophisticated exploit, going after activists and dissidents critical of China, an EU government official, tech executives at AI firms competing with Chinese ones, and US political staffers—revealed by NBC News to be employees of the Harris-Walz campaign. iVerify didn’t have a sample of the malware that might have infected those phones or other definitive proof that any hacking occurred. But it pointed to signs that seem like more than coincidences: The staffers whose phones had experienced the crashes had also been warned by the FBI that they’d already been targeted in China’s Salt Typhoon hacking campaign against US telecoms. Another owner of the devices that crashed in the same way was later warned by Apple itself that he or she had been targeted by sophisticated hackers.

All of that would represent a serious threat to national security. Except that, strangely, Apple flatly denies it happened. “We strongly disagree with the claims of a targeted attack against our users,” Apple’s head of security engineering, Ivan Krstić, wrote in a statement to WIRED. Apple has patched the issue that iVerify highlighted in its report, which caused iPhones to crash in certain cases when a message sender changed their own nickname and avatar. But it calls those crashes the result of a “conventional software bug,” not evidence of a targeted exploitation. (That blanket denial certainly isn’t Apple’s usual response to confirmed iPhone hacking. The company has, for instance, sued hacking firm NSO group for its targeting of Apple customers.)

The result is that what might have been a four-alarm fire in the counterintelligence world is reduced—for now—to a very troubling enigma.

**A 22-Year-Old Is Running a Key US Anti-Terrorism Program**

A 22-year-old former intern at the Heritage Foundation with no national security experience has reportedly been appointed to a key Department of Homeland Security role overseeing a major program designed to combat domestic terrorism.

According to Propublica, Thomas Fugate last month assumed leadership of the Center for Programs and Partnerships (CP3), a DHS office tasked with funding nationwide efforts to prevent politically motivated violence—including school shootings and other forms of domestic terrorism.

Fugate, a 2024 graduate of the University of Texas at San Antonio, replaced the former CP3 director, Bill Braniff, an Army veteran with 20 years of national security experience who resigned in March following staff cuts ordered by the Trump administration.

According to CP3’s most recent report to Congress, the office has funded more than 1,100 initiatives aimed at disrupting violent extremism. In recent months, the US has seen a string of high-profile targeted attacks, including a car bombing in California and the shooting of two Israeli Embassy aids in Washington, DC. Its $18 million grant program, designed to support local prevention efforts, is reportedly now under Fugate’s supervision.

**Threat Intelligence Firms (Finally) Agree to a Glossary of Hacker Group Names**

Hacker group names have long been an unavoidable absurdity in the cybersecurity industry. Every threat intelligence company, in a scientifically defensible attempt to not make any assumption that they’re tracking the same hackers as another firm, comes up with their own code name for any group they observe. The result is a somewhat silly profusion of overlapping naming systems based on elements, weather, and zoology: “Fancy Bear” is “Forest Blizzard” is “APT28” is “Strontium.” Now, several major threat intelligence players, including Google, Microsoft, CrowdStrike, and Palo Alto Networks, have finally shared enough of their internal research to agree to a glossary that confirms that they’re referring to the same entities. The companies did _not,_ however, agree to consolidate their naming systems into a single taxonomy. So this agreement doesn’t mean the end of sentences in security reporting such as “the hacker group Sandworm, also known as Telebots, Voodoo Bear, Hades, Iron Viking, Electrum, or Seashell Blizzard.” It just means we cybersecurity reporters can write that sentence with a little more confidence.

**Phone-Hacking Firm Corellium Acquired for $200 Million—After Trump Pardons Its Founder**

Chris Wade, the founder and CTO of mobile device reverse-engineering company Corellium, has had a wild last few decades: In 2005, he was convicted on criminal charges of enabling spammers by providing them proxy servers, and agreed to work undercover for law enforcement while avoiding prison. Then in 2020, he mysteriously received a pardon from President Donald Trump. He also settled a major copyright lawsuit from Apple. Now his company, which creates virtual images of Android and iOS devices so that customers can find ways to break into them, is being acquired by phone-hacking firm Cellebrite, a major law enforcement contractor, for $200 million—a significant payday for a hacker who has found himself on both sides of the law.

The Mystery of iPhone Crashes That Apple Denies Are Linked to Chinese Hacking

Popular Chrome extensions exposed user data by sending it over unencrypted HTTP, raising privacy concerns. Symantec urges caution for users.

A recent investigation has revealed that several widely used Google Chrome extensions are transmitting sensitive user data over unencrypted HTTP connections, exposing millions of users to serious privacy and security risks.

The findings, published by cybersecurity researchers and detailed in a blog post by Symantec, reveal how extensions such as:

PI Rank (ID: ccgdboldgdlngcgfdolahmiilojmfndl)

Browsec VPN (ID: omghfjlpggmjjaagoclmmobgdodcjboh)

MSN New Tab (ID: lklfbkdigihjaaeamncibechhgalldgl)

SEMRush Rank (ID: idbhoeaiokcojcgappfigpifhpkjgmab)

DualSafe Password Manager & Digital Vault (ID: lgbjhdkjmpgjgcbcdlhkokkckpjmedgc)

There are other extensions as well that are handling user data in ways that open the door to eavesdropping, profiling, and other attacks.

****Extensions That Promise Privacy Are Doing the Opposite****

Although these extensions are legitimate and meant to help users monitor web rankings, manage passwords, or improve their browsing experience, behind the scenes, they are making network requests without encryption, allowing anyone on the same network to see exactly what’s being sent.

In some cases, this includes details like the domains a user visits, operating system information, unique machine IDs, and telemetry data. More troubling, several extensions were also found to have hardcoded API keys, secrets, and tokens inside their source code which is a piece of valuable information that attackers can easily exploit.

****Real Risk on Public Networks****

When extensions transmit data using HTTP rather than HTTPS, the information travels across the network in plaintext. On a public Wi-Fi network, for example, a malicious actor can intercept that data with little effort. Worse still, they can modify it mid-transit.

This opens the door to attacks that go far beyond spying. According to Symantec’s blog post, in the case of Browsec VPN, a popular privacy-focused extension with over six million users, the use of an HTTP endpoint during the uninstall process sends user identifiers and usage stats without encryption. The extension’s configuration allows it to connect to insecure websites, further widening the attack surface.

****Data Leaks Across the Board****

Other extensions are guilty of similar issues. SEMRush Rank and PI Rank, both designed to show website popularity, were found to send full URLs of visited sites over HTTP to third-party servers. This makes it easy for a network observer to build detailed logs of a user’s browsing habits.

MSN New Tab and MSN Homepage, with hundreds of thousands of users, transmit machine IDs and other device details. These identifiers remain stable over time, allowing adversaries to link multiple sessions and build profiles that persist across browsing activity.

Even DualSafe Password Manager, which handles sensitive information by nature, was caught sending telemetry data over HTTP. While no passwords were leaked, the fact that any part of the extension uses unencrypted traffic raises concerns about its overall design.

Patrick Tiquet, Vice President, Security & Architecture at Keeper Security commented on this, stating, _“_This incident highlights a critical gap in extension security – even popular Chrome extensions can put users at risk if developers cut corners. Transmitting data over unencrypted HTTP and hard-coding secrets exposes users to profiling, phishing and adversary-in-the-middle attacks – especially on unsecured networks._“_

He warned of consequences for unsuspecting users and advised that _“_Organizations should take immediate action by enforcing strict controls around browser extension usage, managing secrets securely and monitoring for suspicious behaviour across endpoints._“_

****Privacy and Data Security Threat****

Although none of the extensions were found to leak passwords or financial data directly, the exposure of machine identifiers, browsing habits, and telemetry is far from harmless. Attackers can use this data to track users across websites, deliver targeted phishing campaigns, or impersonate device telemetry for malicious purposes.

While theoretical, NordVPN’s latest findings spotted more than 94 billion browser cookies on the dark web. When combined with the data leaks highlighted by Symantec, the potential for damage is significant.

Developers who include hardcoded API keys or secrets inside their extensions add another layer of risk. If an attacker gets hold of these credentials, they can misuse them to impersonate the extension, send forged data, or even inflate service usage leading to financial costs or account bans for the developers.

****What Users Can Do****

Symantec has contacted the developers involved, and only DualSafe Password Manager has fixed the issue. Yet, users who have installed any of the affected extensions are advised to remove them until the developers fix the issues. Even popular and well-reviewed extensions can make unsafe design choices that go unnoticed for years.

Hackread.com recommends checking the permissions an extension asks for, avoiding unknown publishers, and using a trusted security solution. Above all, any tool that promises privacy or security should be examined carefully for how it handles your data.

Popular Chrome Extensions Found Leaking Data via Unencrypted Connections

How to update Chrome on every Operating System (Windows, Mac, Linux, Chrome OS, Android, iOS)

We often write about important updates for the most popular browser, Google Chrome. Since it would be out of scope to post elaborate update instructions for every possible platform and operating system (OS)—like iOS, macOS, Windows, Android, etc.—we decided to turn this topic into a separate post that is easy to find (and link to). Also, keep in mind that not every update will be available for every platform or at the same time. You can find when the latest update for your operating system was released on this Google Chrome releases website.

Keeping your Google Chrome browser up to date is essential for security, performance, and access to the latest features. Whether you’re on Windows, Mac, Linux, Android, or iOS, updating Chrome is straightforward, if you know where to look.

But first a few words about the version numbers, because they can be confusing at times.

The Chrome version number consists of four parts separated by dots, like this:

**MAJOR.MINOR.BUILD.PATCH**

Each part has a specific meaning. In order of relevance they are:

*   **MAJOR**: This number increases with significant releases that may include major new features or changes. It usually raises in increments about 7 – 8 times per year, roughly every 6 weeks, reflecting Chrome’s release cycle.
*   **MINOR**: This number is typically zero and rarely changes. It mainly supports the versioning scheme but doesn’t usually affect how users track updates.
*   **BUILD**: This number increases steadily and represents a specific snapshot of Chrome’s source code at a given time. It advances with each new build candidate and is the key indicator of how recent the core code is.
*   **PATCH**: This number changes in increments for smaller fixes and security patches applied to a particular build. It resets with each new build and helps identify minor updates within the same build.

For example, a version like **137.0.7151.56** means:

*   Major version 137 (the milestone release)
*   Minor version 0 (standard)
*   Build number 7151 (the code snapshot)
*   Patch number 56 (the latest fix on that build)

**Why does the version number matter?**

The **BUILD** and **PATCH** numbers together uniquely identify the exact code you are running. Even if two versions share the same major number, a higher build or patch number means you have a newer, more up-to-date Chrome version.

Sometimes you might see slightly different patch numbers on the same major build, for example, **118.0.5993.117** vs. **118.0.5993.118**. This usually happens because Google released a quick fix or minor patch shortly after the initial release. Both are part of the same major update, but the higher patch number is newer.

**How to check if you have the latest version**

To verify your Chrome version:

1.  Open Chrome.
2.  Click the three-dot menu (⋮) in the top-right corner.
3.  Go to **Help** > **About Google Chrome**.

Chrome will display your current version and automatically check for updates. If a newer version is available, it will download and prompt you to relaunch once it’s ready updating.

Chrome is updating

**Update Chrome on Windows**

Method 1: Use Chrome’s built-in update feature

1.  Open Chrome.
2.  Click the three-dot menu icon (⋮) in the top-right corner.
3.  Hover over **Help**, then click **About Google Chrome**.
4.  Chrome will automatically check for updates and download them if available.
5.  Once downloaded, click **Relaunch** to complete the update.

To enable automatic updates for Google Chrome on Windows, ensure that the “**Automatically update Chrome for all users**” option is enabled in Chrome’s settings. You can find this setting by going to “**About Google Chrome**” within the Chrome settings. Closing and restarting Chrome may be required to apply the update. 

Method 2: using Windows Update (for Chrome Enterprise)

If your organization manages Chrome updates via Windows Update or group policies, updates may be automatic. Contact your IT admin if you don’t see updates.

Method 1: For each device

1.  Open Chrome.
2.  Click the three-dot menu icon (⋮) at the top-right.
3.  Select **Help** > **About Google Chrome**.
4.  Chrome will check for updates and install them automatically.
5.  Click **Relaunch** to finish updating.

You can also set up automatic browser updates for all users of your computer if Google Chrome is installed in your Applications folder. Go to “**About Google Chrome**,” and click **Automatically update Chrome for all users**.

Method 2: For Chrome Enterprise

As a Mac administrator, you can use Google Software Update to manage Chrome browser and Chrome apps updates on your users’ Mac computers.

**Update Chrome on Linux**

Chrome updates on Linux depend on your distribution and how you installed it.

For Debian/Ubuntu-based systems:

1.  Open a terminal.
2.  Run:

sudo apt update

sudo apt --only-upgrade install google-chrome-stable

3.  Restart Chrome to apply updates.

For Fedora/openSUSE:

1.  Open a terminal.
2.  Run:

sudo dnf upgrade google-chrome-stable

3.  Restart Chrome.

If you installed Chrome via a package manager, it should handle updates automatically when you update your system.

**Update Chrome on Android**

Chrome updates on Android are handled through the Google Play Store:

1.  Open the **Google Play Store** app.
2.  Tap your profile icon (top right).
3.  Select **Manage apps & device**.
4.  Under **Updates available**, look for **Chrome**.
5.  Tap **Update** next to Chrome if available.

Alternatively, if you have auto-updates enabled, Chrome updates automatically. To enable auto-updates for Android apps, open the Google Play Store, tap your profile picture, go to “Manage apps and device,” and then tap “Manage.” Select the app you want to update automatically, tap the “More” button, and toggle on “Enable auto-update.”

**Update Chrome on iOS (iPhone and iPad)**

Chrome updates on iOS come through the Apple App Store:

1.  Open the **App Store**.
2.  Tap your profile icon at the top right.
3.  Scroll down to **Available Updates**.
4.  Find **Google Chrome** and tap **Update**.

If auto-updates are enabled on your device, Chrome updates automatically.

Chrome in App Store’s recently updated section

**Updating Chrome on Chrome OS**

Chrome OS updates include Chrome browser updates:

1.  Click the time in the bottom-right corner.
2.  Click the **Settings** gear icon.
3.  In the left menu, select **About Chrome OS**.
4.  Click **Check for updates**.
5.  If an update is available, it will download and install automatically.
6.  Restart your Chromebook to complete the update.

Summary table of update methods

**Platform**

**Update Method**

**Notes**

Windows

Chrome Menu > Help > About Chrome

Manual or automatic update

macOS

Chrome Menu > Help > About Chrome

Manual or automatic update

Linux

Package manager commands

Varies by distro

Android

Google Play Store

Manual or automatic update

iOS

Apple App Store

Manual or automatic update

Chrome OS

Settings > About Chrome OS

System update

If you still have questions about updating the Chrome browser, let us know in the comments and allow us to update this article.

Tag

#google