Chrome

Popular Chrome Extension Embedded A CPU-Draining Cryptocurrency Miner (bleepingcomputer.com)

An anonymous reader writes: SafeBrowse, a Chrome extension with more than 140,000 users, contains an embedded JavaScript library in the extension's code that mines for the Monero cryptocurrency using users' computers and without getting their consent. The additional code drives CPU usage through the roof, making users' computers sluggish and hard to use.

Looking at the SafeBrowse extension's source code, anyone can easily spot the embedded Coinhive JavaScript Miner, an in-browser implementation of the CryptoNight mining algorithm used by CryptoNote-based currencies, such as Monero, Dashcoin, DarkNetCoin, and others. This is the same technology that The Pirate Bay experimented with as an alternative to showing ads on its site. The extension's author claims he was "hacked" and the code added without his knowledge.

Firefox

Firefox For iOS Gets Tracking Protection, Firefox Focus For Android Gets Tabs

An anonymous reader quotes a report from VentureBeat: Mozilla today released Firefox 9.0 for iOS and updated Firefox Focus for Android. The iOS browser is getting tracking protection, improved sync, and iOS 11 compatibility. The Android privacy browser is getting tabs. You can download the former from Apple's App Store and the latter from Google Play. This is the first time Firefox has offered tracking protection on iOS, and Nick Nguyen, vice president of product at Mozilla, notes that it's finally possible "thanks to changes by Apple to enable the option for 3rd party browsers." This essentially means iPhone and iPad users with Firefox and iOS 11 will have automatic ad and content blocking in Private Browsing mode, and the option to turn it on in regular browsing. This is the same feature that's available in Firefox for Android, Windows, Mac, and Linux, as well as the same ad blocking technology used in Firefox Focus for Android and iOS.

DRM

Corporations Just Quietly Changed How the Web Works (theoutline.com)

Adrianne Jeffries, a reporter at The Outline, writes on W3C's announcement from earlier this week: The trouble with DRM is that it's sort of ineffective. It tends to make things inconvenient for people who legitimately bought a song or movie while failing to stop piracy. Some rights holders, like Ubisoft, have come around to the idea that DRM is counterproductive. Steve Jobs famously wrote about the inanity of DRM in 2007. But other rights holders, like Netflix, are doubling down. The prevailing winds at the consortium concluded that DRM is now a fact of life, and so it would be better to at least make the experience a bit smoother for users. If the consortium didn't work with companies like Netflix, Berners-Lee wrote in a blog post, those companies would just stop delivering video over the web and force people into their own proprietary apps. The idea that the best stuff on the internet will be hidden behind walls in apps rather than accessible through any browser is the mortal fear for open web lovers; it's like replacing one library with many stores that each only carry books for one publisher. "It is important to support EME as providing a relatively safe online environment in which to watch a movie, as well as the most convenient," Berners-Lee wrote, "and one which makes it a part of the interconnected discourse of humanity." Mozilla, the nonprofit that makes the browser Firefox, similarly held its nose and cooperated on the EME standard. "It doesn't strike the correct balance between protecting individual people and protecting digital content," it said in a blog post. "The content providers require that a key part of the system be closed source, something that goes against Mozilla's fundamental approach. We very much want to see a different system. Unfortunately, Mozilla alone cannot change the industry on DRM at this point."

Chrome

Google Chrome Will No Longer Autoplay Content With Sound In January 2018 (venturebeat.com)

Starting next year, Google Chrome will only autoplay a given piece of content when the media won't play sound or the user has indicated an interest in the media. The company was experimenting with such an option last month, but now it looks to be part of the browser's roadmap. VentureBeat reports: Chrome 63 will add a new user option to completely disable audio for individual sites. This site-muting option will persist between browsing sessions, allowing users to customize when and where audio will play. Chrome 64 will take the controls to the next level. By this version, Google's browser will allow autoplay to occur only when users want media to play. Here is Google's timeline for making autoplaying sound more consistent with user expectations in Chrome: September 2017: Site muting available in Chrome 63 Beta, begin collecting Media Engagement Index (MEI) data in Chrome 62 Canary and Dev; October 2017: Site muting available in Chrome 63 Stable, autoplay policies available in Chrome 63 Canary and Dev; December 2017: Autoplay policies available in Chrome 64 Beta; January 2018: Autoplay policies available in 64 Stable.

Advertising

First Ever Malvertising Campaign Uses JavaScript To Mine Cryptocurrencies In Your Browser (bleepingcomputer.com)

An anonymous reader writes from a report via Bleeping Computer: Malware authors are using JavaScript code delivered via malvertising campaigns to mine different cryptocurrencies inside people's browsers (mostly Monero), without their knowledge. The way crooks pulled this off was by using an online advertising company that allows them to deploy ads with custom JavaScript code. The JavaScript code is a modified version of MineCrunch (also known as Web Miner), a script released in 2014 that can mine cryptocurrencies using JavaScript code executed inside the browser. Cryptocurrency mining operations are notoriously resource-intensive and tend to slow down a user's computer. To avoid raising suspicion, crooks delivered malicious ads mainly on video streaming and browser-based gaming sites (currently mostly Ukrainian and Russian sites). Both types of sites use lots of resources, and users wouldn't get suspicious when their computer slowed down while accessing the site. Furthermore, users tend to linger more on browser games and video streaming services, allowing the mining script to do its job and generate profits for the crooks.

Safari

Every Major Advertising Group Is Blasting Apple for Blocking Cookies in the Safari Browser (adweek.com)

The biggest advertising organizations say Apple will "sabotage" the current economic model of the internet with plans to integrate cookie-blocking technology into the new version of Safari. Marty Swant, reporting for AdWeek: Six trade groups -- the Interactive Advertising Bureau, American Advertising Federation, the Association of National Advertisers, the 4A's and two others -- say they're "deeply concerned" with Apple's plans to release a version of the internet browser that overrides and replaces user cookie preferences with a set of Apple-controlled standards. The feature, which is called "Intelligent Tracking Prevention," limits how advertisers and websites can track users across the internet by putting in place a 24-hour limit on ad retargeting. In an open letter expected to be published this afternoon, the groups describe the new standards as "opaque and arbitrary," warning that the changes could affect the "infrastructure of the modern internet," which largely relies on consistent standards across websites. The groups say the feature also hurts user experience by making advertising more "generic and less timely and useful."

Firefox

Firefox 57 Will Hide Search Bar and Use a Uni-Bar Approach, Like Chrome (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: Mozilla will drop an iconic section of its UI -- the search bar -- and will use one singular input bar atop the browser, similar to the approach of most Chromium browsers. This change will go live in Firefox 57, scheduled for release on November 14, and will be part of Photon -- the codename used to describe Firefox's new user interface (UI) -- also scheduled for a public release in v57. Mozilla engineers aren't removing the search bar altogether, but Firefox will hide this UI element by default. Users can still re-enable it by going to "Preferences -> Search -> Search Bar" and choosing the second option. The current Firefox search bar is redundant since most of its features can be performed by the URL address bar.

Security

Apple and Google Fix Browser Bug. Microsoft Does Not. (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: Microsoft has declined to patch a security bug Cisco Talos researchers discovered in the Edge browser, claiming the reported issue is by design. Apple and Google patched a similar flaw in Safari (CVE-2017-2419) and Chrome (CVE-2017-5033), respectively. According to Cisco Talos researcher Nicolai Grodum, the vulnerability can be classified as a bypass of the Content Security Policy (CSP), a mechanism that allows website developers to configure HTTP headers and instruct the browsers of people visiting their site what resources (JavaScript, CSS) they can load and from where. The Content Security Policy (CSP) is one of the tools that browsers use to enforce Same-Origin Policy (SOP) inside browsers. Grodum says that he found a way to bypass CSP -- technical details available here -- that will allow an attacker to load malicious JavaScript code on a remote site and carry out intrusive operations such as collecting information from users' cookies, or logging keystrokes inside the page's forms, and others.
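To make concrete what the report means by a CSP header telling the browser "what resources they can load and from where", here is an added, simplified Content-Security-Policy evaluator (example code written for this page, not Cisco Talos' or any browser's implementation). It parses a header into directives and decides whether a script URL is allowed by script-src (falling back to default-src, as browsers do), handling 'self', 'none', scheme sources, host sources and *.wildcards; source paths, nonces and hashes are deliberately out of scope. The policy and URLs are constructed sample values.

```python
from urllib.parse import urlsplit

# Default ports used when a URL or a source expression omits one.
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url):
    """(scheme, host, port) of a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def _host_source_matches(source, script, page_scheme):
    """Match one lower-cased source expression ('https:', '*', 'https://cdn.example.com',
    '*.trusted.net:8443') against a script origin. Paths in sources are ignored (simplification)."""
    scheme, host, port = script
    if source == "*":
        return scheme in DEFAULT_PORTS  # any network-scheme URL
    if source.endswith(":") and "/" not in source:
        return scheme == source[:-1]  # scheme-source such as 'https:'
    if "://" in source:
        src_scheme, rest = source.split("://", 1)
        if src_scheme != scheme:
            return False
    else:
        # A schemeless host-source inherits the protected page's scheme.
        src_scheme, rest = page_scheme, source
        if scheme != page_scheme:
            return False
    rest = rest.split("/", 1)[0]
    if ":" in rest:
        src_host, src_port = rest.rsplit(":", 1)
        if src_port != "*" and src_port != str(port):
            return False
    else:
        src_host = rest
        if port != DEFAULT_PORTS.get(src_scheme):
            return False
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])  # '*.trusted.net' matches subdomains, not the apex
    return host == src_host


def script_allowed(header, script_url, page_url):
    """Would a browser enforcing `header` on `page_url` load <script src=script_url>?
    Keywords other than 'self'/'none' (nonces, hashes, 'unsafe-inline') govern inline
    script, not URLs, so they never authorise a URL here."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no applicable directive: this policy does not restrict scripts
    script = _origin(script_url)
    page = _origin(page_url)
    for source in sources:
        lowered = source.lower()
        if lowered == "'none'":
            return False
        if lowered == "'self'":
            if script == page:
                return True
        elif lowered.startswith("'"):
            continue
        elif _host_source_matches(lowered, script, page[0]):
            return True
    return False


# Constructed sample policy and page; the hostnames are illustrative only.
POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com *.trusted.net; img-src *"
PAGE = "https://shop.example/checkout"

if __name__ == "__main__":
    for url in ("https://shop.example/static/app.js", "https://cdn.example.com/lib.js",
                "https://static.trusted.net/a.js", "http://static.trusted.net/a.js",
                "https://evil.example/x.js"):
        print(f"{url:45} allowed={script_allowed(POLICY, url, PAGE)}")
```

The interesting cases are the negative ones: a schemeless wildcard source does not admit a plain-http script on an https page, and `*.trusted.net` does not admit the apex `trusted.net`. A CSP bypass such as the one reported is precisely a way of getting a script to run when this evaluation says it should not.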

Facebook

Fake Messages Rigged With Malware Are Spreading Via Facebook Messenger (bleepingcomputer.com)

According to recent warnings issued by Avira, CSIS Security Group, and Kaspersky Lab, a virulent spam campaign has hit Facebook Messenger during the past few days. "The Facebook spam messages contain a link to what appears to be a video," reports Bleeping Computer. "The messages arrive from one of the user's friends, suggesting that person's account was also compromised." From the report: The format of the spam message is the user's first name, the word video, and a bit.ly or t.cn short-link. Users that click on the links are redirected to different pages based on their geographical location and the type of browser and operating system they use. It's been reported that Firefox users on Windows and Mac are being redirected to a page offering a fake Flash Player installer. Kaspersky says this file installs adware on users' PCs. On Chrome, the spam campaign redirects users to a fake YouTube page pushing a malicious extension. It is believed that crooks use this Chrome extension to push adware and collect credentials for new Facebook accounts, which they later use to push the spam messages to new users.

Chrome

Chrome Adds Warning For Extensions That Take Over Your Proxy Settings (bleepingcomputer.com)

An anonymous reader writes: "Google engineers have added two new features to the Chrome browser that will alert users of extensions that hijack proxy settings or the new tab page," reports Bleeping Computer. Google has been testing these two techniques sparingly with a small subset of users for more than a year, but they have now landed in Google Canary. The techniques are used by malicious Chrome extensions to hijack traffic and insert ads, or to redirect search traffic to affiliate search engine programs. The addition of these popup alerts is part of Google's plan to fight malicious Chrome extensions that have been starting to plague the Web Store.

Software

Slashdot Asks: What Are Your Favorite Android Oreo Features? (thehackernews.com)

Yesterday, Android O officially became Android Oreo and started rolling out to Pixel and Nexus devices. While there are many new features available in the new OS, we thought we'd ask you: what are your favorite Android Oreo features? The Hacker News highlights eleven of the new features "that make Android even better" in their report: 1. No More 'Install From Unknown Sources' Setting: Prior to Android Oreo, third-party app installation requires users to enable just one setting by turning on "Install from unknown sources" -- doesn't matter from where the user has downloaded an APK file, i.e. from a browser, Bluetooth, transferred from a computer via USB or downloaded using another app. Android 8.0 Oreo has completely changed the way this feature works, bringing a much smarter and safer system called "Install other apps," in which a user has to manually permit 3rd-party app installation from different sources.
2. Autofill API Framework: Android 8.0 Oreo brings a built-in secure AutoFill API that allows a user-chosen password manager to store different types of sensitive data, such as passwords, credit card numbers, phone numbers, and addresses -- and works throughout the entire system.
3. Picture-in-Picture: With Android Oreo, you can view a YouTube video while reading through a report in Word or be chatting on WhatsApp on your Android device -- thanks to Picture-in-Picture (PIP) feature.
4. Google Play Protect: Play Protect helps in detecting and removing harmful applications with more than 50 billion apps scanned every day.
5. Wi-Fi Aware (Neighborhood Aware Networking -- NAN): Android Oreo has added support for a new connectivity feature called Wi-Fi Aware, also known as Neighborhood Aware Networking (NAN), which allows apps and devices to automatically find, connect to, and share data with each other directly without any internet access point or cellular data.
6. Android Instant Apps: With Android 8.0 Oreo, you can now access a range of Instant Apps without downloading them.
7. Battery-Saving Background Limits: Google has blocked apps from reacting to "implicit broadcasts" and carrying out certain tasks when they are running in the background in an effort to enhance the battery life of Android devices. Besides this, Android Oreo will also limit some background services and location updates when an app is not in use.
8. AI-based Smart Text Selection: Android Oreo brings the 'Smart Text Selection' feature, which uses Google's machine learning to detect when something like physical addresses, email addresses, names or phone numbers is selected, then automatically suggests the relevant information on other apps.
9. Notification Dots (Limit notifications): Oreo introduces Notification Dots, which let you manage each app individually with "fine-grained control," allowing you to control how many notifications you see and how they come through.
10. Find my Device: Google has introduced a new feature, called Find my Device, which is a similar feature to Apple's Find my iPhone and allows people to locate, lock and wipe their Android devices in the event when they go missing or get stolen.
11. New Emoji and Downloadable Fonts: Android Oreo introduces 60 new emoji and a redesign of the current "blob" characters. The update also offers new color support to app developers and the ability to change or animate the shape of icons in their apps.

Operating Systems

PlayStation 4 Update 5.0 Officially Revealed (gamespot.com)

After the PlayStation 4's 5.0 update was leaked last week, Sony decided to officially reveal what's coming in the update. GameSpot highlights the new features in their report: Some of the enhancements center around streaming using the PS4's built-in broadcasting capabilities. PS4 Pro users will be able to stream in 1080p and 60 FPS, provided their connection is strong enough, and PSVR users will be able to see new messages and comments coming through while broadcasting. PSVR is also adding 5.1ch and 7.1ch virtual surround sound support. Next up, the PS4's Friends List is being updated with greater management tools, such as the ability to set up separate lists of friends. You'll be able to create a list of all the people you play Destiny with and send them all an invite, for example. This feature replaces the old Favorite Groups tab. In another move to help reduce the amount of time spent in menus, the Quick Menu is being updated to have more options. For example, you'll be able to check on download progress and see new party invites. You can also leave a party from within that menu and see your current Spotify playlist. Notifications are also being improved when watching films and TV, as you can now disable message and other notification pop-ups while watching media. You can also change how much of a message is displayed, as well as its color, when playing or watching any form of content.

Finally, Parental Control features are being overhauled in favor of what Sony calls "Family on PSN." This replaces the old Master/Sub account system; instead, one user is deemed the Family Manager, and they can set up other accounts and appoint them as a Parent/Guardian, Adult, or Child. Parents or Guardians can restrict Child accounts in their "use of online features and communication with other players, set restrictions for games, restrict the use of the internet browser, and set spending limits for PlayStation Store." Note that Sony says the first time any North American user tries to set up an Adult account, they will be charged $0.50 "to verify that you are an adult."

Firefox

'See the Future Firefox Right Now' (cnet.com)

"Mozilla is prepping a new version of Firefox in an effort to rally in the race for browser supremacy," writes CNET's Matt Elliott, who decided to test drive a new nightly build of Firefox 57 which "promises fast speeds and a new look." An anonymous reader quotes their report: Firefox 57 has added a screenshot button in the top-right corner... It highlights different elements on a page as you mouse over them, or you can just click-and-drag the old-school way to take a screenshot of a portion of a page. Screenshots are saved within Firefox. Click the scissors button and then click the little My Shots window to open a new tab of all of your saved screenshots. From here you can download them or share them... The bookmark and Pocket buttons have been moved from the right of the URL bar to inside it, but the Page Actions button is new. Click it and you'll get a small menu to Copy URL, Email Link and Send to Device. The Page Actions menu also has bookmark and Pocket buttons, which seems redundant at first but then I realized you can remove those items from the URL bar by right-clicking them. You can't remove the new, triple-dot Page Actions button...

As with any prerelease software, Firefox Nightly 57 is meant for developers and will likely exhibit strange and unstable behavior from time to time. Also, there is no guarantee that the final release will look like what you see in the current version of Nightly. For example, I have read reports that the search box next to Firefox's URL bar may be on the chopping block. It's part of the design of the current Nightly build but I wouldn't be surprised if it gets dropped between now and November since most web users have grown accustomed to entering their search queries right in the URL bar. Just as you can with the current version of Firefox, however, you can customize which elements are displayed at the top of Firefox Nightly 57, including the search box.

The Internet

Is this the End of Typing? The Internet's Next Billion Users Want Video and Voice (foxnews.com)

An anonymous reader shares a WSJ article: The internet's global expansion is entering a new phase, and it looks decidedly unlike the last one. Instead of typing searches and emails, a wave of newcomers -- "the next billion," the tech industry calls them -- is avoiding text, using voice activation and communicating with images. They are a swath of the world's less-educated, online for the first time thanks to low-end smartphones, cheap data plans and intuitive apps that let them navigate despite poor literacy. Incumbent tech companies are finding they must rethink their products for these newcomers and face local competitors that have been quicker to figure them out. "We are seeing a new kind of internet user," said Ceasar Sengupta, who heads a group at Alphabet's Google trying to adapt to the new wave. "The new users are very different from the first billion." A look at Megh Singh's smartphone suggests how the next billion might determine a new set of winners and losers in tech. Mr. Singh, 36, balances suitcases on his head in New Delhi, earning less than $8 a day as a porter in one of India's biggest railway stations. He isn't comfortable reading or using a keyboard. That doesn't stop him from checking train schedules, messaging family and downloading movies. "We don't know anything about emails or even how to send one," said Mr. Singh, who went online only in the past year. "But we are enjoying the internet to the fullest." Mr. Singh squatted under the station stairwell, whispering into his phone using speech recognition on the station's free Wi-Fi. It is a simple affair, a Sony Corp. model with 4GB of storage, versus the 32GB that is typically considered minimal in the developed world. On his screen are some of the world's most popular apps -- Google's search, Facebook's WhatsApp -- but also many that are unfamiliar in the developed world, including UC Browser, MX Player and SHAREit, that have been tailored for slow connections and skimpy data storage.

Debian

OpenSSL Support In Debian Unstable Drops TLS 1.0/1.1 Support (debian.org)

An anonymous reader writes: Debian Linux "sid" is deprecating TLS 1.0 encryption. A new version of OpenSSL has been uploaded to Debian Linux unstable. This version disables the TLS 1.0 and 1.1 protocols. This currently leaves TLS 1.2 as the only supported SSL/TLS protocol version. This will likely break certain things that for whatever reason still don't support TLS 1.2. I strongly suggest that if it's not supported that you add support for it, or get the other side to add support for it. OpenSSL made a release 5 years ago that supported TLS 1.2. The current support of the server side seems to be around 90%. I hope that by the time Buster releases the support for TLS 1.2 will be high enough that I don't need to enable them again. This move caused some concern among Debian users and sysadmins. If you are running Debian Unstable on a server, tons of stuff is going to be broken cryptographically. Not to mention legacy hardware and firmware that still uses TLS 1.0. On the client side (i.e. your users), you need to use the latest version of a browser such as Chrome/Chromium and Firefox. Older versions of Android (e.g. Android v5.x and earlier) do not support TLS 1.2. You need to use minimum iOS 5 for TLS 1.2 support. Same goes with SMTP/mail servers, desktop email clients, FTP clients and more. All of them use old outdated crypto.

This move will also affect Android 4.3 users or stock MS-Windows 7/IE users (which have TLS 1.2 switched off in Internet Options). Not to mention all the mail servers out there running outdated crypto.
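Before a server adopts the TLS 1.2-only floor described above, the practical question is how many of its current clients would stop connecting. The following added example (written for this page; it is not Debian's or OpenSSL's code) does two things: it builds a Python server-side ssl context with the same minimum version, and it audits access-log lines for connections that negotiated TLS 1.0 or 1.1. The log lines are constructed, and it assumes an nginx-style log_format that appends $ssl_protocol and $http_user_agent to each line; a real format will differ.

```python
import shlex
import ssl
from collections import Counter

# Protocol versions that a TLS 1.2-only build refuses.
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample access log (assumed format: common log fields, then
# $ssl_protocol, then the quoted user agent). Addresses are from 203.0.113.0/24.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Aug/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 512 TLSv1.2 "Mozilla/5.0 (X11; Linux x86_64) Firefox/55.0"
203.0.113.11 - - [09/Aug/2017:10:00:02 +0000] "GET /api HTTP/1.1" 200 90 TLSv1 "Dalvik/1.6.0 (Linux; U; Android 4.3; Nexus 4 Build/JWR66Y)"
203.0.113.12 - - [09/Aug/2017:10:00:03 +0000] "GET / HTTP/1.1" 200 512 TLSv1.1 "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"
203.0.113.13 - - [09/Aug/2017:10:00:04 +0000] "GET / HTTP/1.1" 200 512 TLSv1.2 "Mozilla/5.0 (Windows NT 10.0) Chrome/60.0"
203.0.113.14 - - [09/Aug/2017:10:00:05 +0000] "POST /login HTTP/1.1" 302 0 TLSv1 "Java/1.6.0_45"
"""


def make_tls12_only_context():
    """Server-side context that, like the new Debian OpenSSL build, refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hardened_minimum_version_name():
    """Name of the floor the hardened context enforces (e.g. 'TLSv1_2')."""
    return make_tls12_only_context().minimum_version.name


def find_legacy_clients(log_text):
    """Count negotiated protocol versions and collect the user agents that used a legacy one.

    shlex.split honours the quoting of the request and user-agent fields, so the
    protocol is always the second-to-last token and the user agent the last one."""
    versions = Counter()
    legacy_agents = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = shlex.split(line)
        protocol, agent = fields[-2], fields[-1]
        versions[protocol] += 1
        if protocol in LEGACY:
            legacy_agents.add(agent)
    return versions, sorted(legacy_agents)


def breakage_ratio(versions):
    """Fraction of observed connections that a TLS 1.2-only server would reject."""
    total = sum(versions.values())
    if total == 0:
        return 0.0
    return sum(count for proto, count in versions.items() if proto in LEGACY) / total


if __name__ == "__main__":
    versions, agents = find_legacy_clients(SAMPLE_LOG)
    print("negotiated versions:", dict(versions))
    print(f"connections that would break: {breakage_ratio(versions):.0%}")
    for agent in agents:
        print("  legacy client:", agent)
    print("server floor:", hardened_minimum_version_name())
```

The user agents that show up are exactly the population the reader warns about: old Android, old IE on Windows 7, and an old Java runtime, which tends to be an unattended integration rather than a person who can update a browser.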


Chrome

Browser Extensions Are Undermining Privacy (vortex.com)

pizzutz writes: Chrome's popular Web Developer plugin was briefly hijacked on Wednesday when an attacker gained control of the author's Google account and released a new version (0.49) which injected ads into web pages of more than a million users who downloaded the update. The version was quickly replaced with an uncompromised version (0.5) and all users are urged to update immediately.
Lauren Weinstein has a broader warning: While the browser firms work extensively to build top-notch security and privacy controls into the browsers themselves, the unfortunate fact is that these can be undermined by add-ons, some of which are downright crooked, many more of which are sloppily written and poorly maintained. Ironically, some of these add-on extensions and apps claim to be providing more security, while actually undermining the intrinsic security of the browsers themselves. Others (and this is an extremely common scenario) claim to be providing additional search or shopping functionalities, while actually only existing to silently collect and sell user browsing activity data of all sorts.
Lauren also warns about sites that "push users very hard to install these privacy-invasive, data sucking extensions" -- and believes requests for permissions aren't a sufficient safeguard for most users. "Expecting them to really understand what these permissions mean is ludicrous. We're the software engineers and computer scientists -- most users aren't either of these. They have busy lives -- they expect our stuff to just work, and not to screw them over."

Chrome

Google Chrome Starts Testing a Built-in Ad Blocker on Windows, Android (mspoweruser.com)

An anonymous reader shares a report: Earlier this year, Google was rumored to be working on a built-in ad blocker for its Chrome browser. The new ad blocker inside Chrome won't block every ad you see on the web -- instead, it'll only block ads that are considered intrusive and go against the standards set by the Coalition for Better Ads. Google has started testing the new built-in ad blocker for Chrome today on the desktop and Android devices. The latest canary release for Google Chrome includes a new option under Chrome's Settings where you can enable the new ad blocker inside Chrome. Users can enable the new feature by going to the Content options inside Chrome's settings page (chrome://settings/content/ads). The built-in ad blocker should automatically block ads that are considered "intrusive." But Google Chrome also lets you strictly block ads on certain sites, and you can also choose to allow ads on certain sites if you'd like.

The Internet

It Is Easy To Expose Users' Secret Web Habits, Say Researchers (bbc.com)

An anonymous reader shares a BBC report: Two German researchers say they have exposed the porn-browsing habits of a judge, a cyber-crime investigation and the drug preferences of a politician. The pair obtained huge amounts of information about the browsing habits of three million German citizens from companies that gather "clickstreams." These are detailed records of everywhere that people go online. The researchers argue such data -- which some firms scoop up and use to target ads -- should be protected. The data is supposed to be anonymised, but analysis showed it could easily be tied to individuals. People's browsing history is often used to tailor marketing campaigns. The results of the research by Svea Eckert and Andreas Dewes were revealed at the Def Con hacking conference in Las Vegas this weekend. The pair found that 95% of the data they obtained came from 10 popular browser extensions. "What these companies are doing is illegal in Europe but they do not care," said Ms Eckert, adding that the research had kicked off a debate in Germany about how to curb the data gathering habits of the firms.

IT

Adobe Announces that in 2020, Flash Player Will Reach Its 'End-of-Life' in Light of Newer Technologies (webkit.org)

Adobe said on Tuesday it will stop distributing and updating Flash Player at the end of 2020 and is encouraging web developers to migrate any existing Flash content to open standards. Apple is working with Adobe, industry partners, and developers to complete this transition. From a blog post: Apple users have been experiencing the web without Flash for some time. iPhone, iPad, and iPod touch never supported Flash. For the Mac, the transition from Flash began in 2010 when Flash was no longer pre-installed. Today, if users install Flash, it remains off by default. Safari requires explicit approval on each website before running the Flash plugin.

EU

Company Gets 45,000 Bad Facebook Reviews After Teenaged Hacker's Unjust Arrest (bleepingcomputer.com)

An anonymous reader quotes BleepingComputer: Over 45,000 users have left one-star reviews on a company's Facebook page after the business reported a security researcher to police and had him arrested in the middle of the night instead of fixing a reported bug. The arrest took place this week in Hungary after an 18-year-old found a flaw in the online ticket-selling system of Budapesti Közlekedési Központ, Budapest's public transportation authority. The young man discovered that he could access BKK's website, press F12 to enter the browser's developer tools mode, and modify the page's source code to alter a ticket's price. Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price...

The teenager -- who didn't want his name revealed -- reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems... BKK management made a fatal mistake when they brazenly boasted in a press conference about catching the hacker and declaring their systems "secure." Since then, other security flaws in BKK's system have surfaced on Twitter. As details of the case emerged, public outrage grew against BKK and its manager Kálmán Dabóczi, especially after it was revealed that BKK was paying around $1 million per year for maintenance of its IT systems, hacked in such a ludicrously simple manner.
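The flaw described in the BKK story is the classic client-side price trust: whatever the browser submits is what gets charged. As an added illustration (example code written for this page, not BKK's system, with constructed ticket ids and prices that are not BKK's real fares), here is the vulnerable pattern next to the server-side validation that prevents it: the server prices the order from its own catalogue, ignores any client-supplied price, rejects unknown tickets and bad quantities, and flags a submitted price as a tampering signal worth logging.

```python
from decimal import Decimal

# Constructed catalogue: ticket id -> unit price. Illustrative values only.
CATALOGUE = {
    "single": Decimal("350"),
    "transfer": Decimal("530"),
    "day-pass": Decimal("1650"),
}
MAX_QUANTITY = 20


class InvalidOrder(ValueError):
    """Raised when an order fails server-side validation."""


def issue_ticket_vulnerable(order):
    """'Before' pattern: the price the browser sent is the price charged.

    A hidden form field edited in the developer tools changes the total,
    and nothing on the server notices."""
    return {
        "ticket": order["ticket_id"],
        "quantity": order["quantity"],
        "total": Decimal(str(order["price"])) * order["quantity"],
    }


def issue_ticket_hardened(order):
    """Server-side validation: the client chooses *what* to buy, never what it costs."""
    ticket_id = order.get("ticket_id")
    if ticket_id not in CATALOGUE:
        raise InvalidOrder(f"unknown ticket id: {ticket_id!r}")

    quantity = order.get("quantity")
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(quantity, bool) or not isinstance(quantity, int):
        raise InvalidOrder(f"quantity must be an integer: {quantity!r}")
    if not 1 <= quantity <= MAX_QUANTITY:
        raise InvalidOrder(f"quantity out of range: {quantity}")

    # A well-behaved client never sends a price; if one arrives, it is ignored
    # for pricing and surfaced so the request can be logged and reviewed.
    tampering_suspected = "price" in order

    return {
        "ticket": ticket_id,
        "quantity": quantity,
        "total": CATALOGUE[ticket_id] * quantity,
        "tampering_suspected": tampering_suspected,
    }


def rejects(order):
    """True if the hardened path refuses the order (used to exercise the checks)."""
    try:
        issue_ticket_hardened(order)
    except InvalidOrder:
        return True
    return False


if __name__ == "__main__":
    # Constructed request in which the browser-side price field was edited to 1.
    tampered = {"ticket_id": "single", "quantity": 2, "price": 1}
    print("vulnerable charges:", issue_ticket_vulnerable(tampered)["total"])
    print("hardened charges:  ", issue_ticket_hardened(tampered))
```

Validation that lives only in the browser is a convenience for honest users, not a control; the server has to recompute everything it relies on from its own data.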
