About

Latest browser security news

Browser security is a huge concern for both individuals and organizations.

Common threats, including vulnerable websites and malicious browser extensions, can affect any network, regardless of size.

In recent years, web browsers such as Firefox and Chrome have stepped up security measures to protect users from a range of browser security issues.

For all the latest reports on web browser security vulnerabilities and browser security news, keep up to date with The Daily Swig.


Password manager security

14 February 2023
Which is the right option for me?

Google engineers plot to mitigate prototype pollution

06 February 2023
Plan to create a boundary between JavaScript objects and their blueprints gathers momentum

Popular password managers auto-filled credentials on untrusted websites

20 January 2023
Dashlane, Bitwarden, and Safari all cited by Google researchers

CORS for concern

05 January 2023
Tesla tackles misconfigurations that left internal networks vulnerable

ConnectWise closes XSS vector for remote hijack scams

25 November 2022
Researchers also applaud abandonment of customization feature abused by scammers

Google Roulette

17 November 2022
Developer console trick can trigger XSS in Chromium browsers

CSRF in Plesk API enabled server takeover

11 November 2022
Bugs in programming interfaces of web hosting admin tool patched

XMLDOM

08 November 2022
Passport-SAML auth bypass triggers fix of critical, upstream bug

Office Online Server open to SSRF-to-RCE exploit

20 October 2022
Behavior functioning as intended, Microsoft reportedly says, and offers mitigation advice instead

Prototype pollution vulnerability in Chromium bypassed Sanitizer API

21 September 2022
Issue highlights the challenges of preventing client-side attacks

Back in fashion

13 September 2022
Let’s Encrypt builds infrastructure to support browser-based certificate revocation revival

Bug Bounty Radar

02 September 2022
The latest bug bounty programs for September 2022

Browsers non-grata

15 August 2022
German proposals will oblige government employees to use modern, secure web browsers

Browser-powered desync

11 August 2022
New class of HTTP request smuggling attacks showcased at Black Hat USA

Microsoft Edge deepens defenses against malicious websites

09 August 2022
Browser adds defense in depth to prevent abuse of unpatched vulnerabilities

XSS in Gmail’s AMP For Email earns researcher $5,000

05 August 2022
Researcher bypasses email filter with inspired style tag trickery

Chromium site isolation bypass allows wide range of browser attacks

04 August 2022
Flaw that opened the door to cookie modification and data theft resolved

Google XSS vulnerabilities could lead to account hijacks

29 July 2022
Reflected XSS and DOM-based XSS bugs net researchers $3,000 and $5,000 bug bounties

GPS hacker

20 July 2022
Zero-days in tracking device pose surveillance, fuel cut-off risks

Better identity security

20 July 2022
W3C launches Decentralized Identifiers as a web standard

Tor Browser 11.5

19 July 2022
New release enables users to automatically circumvent censorship

Vivaldi browser founder puts privacy at the center of development

13 July 2022
A man for all four seasons

‘Dirty dancing’ in OAuth

11 July 2022
Researcher discloses how cyber-attacks lead to account hijacking

CWE Top 25

05 July 2022
These are the most dangerous software weaknesses of 2022

Chromium browsers vulnerable to dangling markup injection

30 June 2022
Fixed bug could allow attackers to extract sensitive information

Untrusted types

27 June 2022
Researcher demos trick to beat web security protection in Google Chrome

Hot tub hack machine

21 June 2022
Jacuzzi customer details exposed by SmartTub web bugs, claims researcher

Scroll to Text Fragment flaws

20 June 2022
Attackers can use web browser feature to steal data, new research shows

WWDC 2022

08 June 2022
Apple showcases next-gen security tech at annual developer event

HTTP/3 RFC

07 June 2022
The backbone of the internet has received a major upgrade

No patch on horizon for Horde Webmail zero-day

01 June 2022
CSRF exploit requires user to open malicious email

Guzzle bug

27 May 2022
Cookie leakage issue in PHP HTTP client prompts Drupal update

Tails users warned not to launch bundled Tor Browser

25 May 2022
Critical vulnerability has been fixed upstream, but Tails dev team ‘doesn’t have the capacity to publish an emergency release earlier’

Pwn2Own Vancouver

23 May 2022
15th annual hacking event pays out $1.2m for high-impact security bugs

Popular websites leaking user email data to web trackers

18 May 2022
Data harvested without consent and before forms are submitted in many cases, researchers claim

Facebook account takeover

18 May 2022
Researcher scoops $40k bug bounty for chained exploit

Eternity malware

17 May 2022
Swiss Army knife of cybercrime tools offers one-stop shop for data and crypto kleptomaniacs

Firefox debuts improved process isolation to reduce attack surface

17 May 2022
The goal was Win32k Lockdown – a serious step up in Windows security