
Google (and Chrome) security issues



The new web version of Google News is an unfortunately bad example of the corporate quest for data. Instead of letting you set up your own preferences of what you want to see and how you want news ordered, they now will only accommodate your preferences if you say you like or don't like certain stories, thus building up more data on you.
 


The new web version of Google News is an unfortunately bad example of the corporate quest for data. Instead of letting you set up your own preferences of what you want to see and how you want news ordered, they now will only accommodate your preferences if you say you like or don't like certain stories, thus building up more data on you.
Oh, so that's what happened. I was wondering where all my old preferences went. Corporate makeover, indeed. The new version is rather limited.
 


The new version is insane, really. Sources that are truly credible are lined up with propaganda mills; there are more “you won’t believe what crazy thing happened at this store” stories than actual information pieces. Interspersed with it all are local papers with “big stories” that only affect some small town anywhere in the country but where you live — but have headlines that make their stories seem to be relevant. Their algorithm has run amuck... or maybe they are hoping we will all start liking/blocking stories so they can learn more about us.
 


The new version is insane, really. Sources that are truly credible are lined up with propaganda mills; there are more “you won’t believe what crazy thing happened at this store” stories than actual information pieces. Interspersed with it all are local papers with “big stories” that only affect some small town anywhere in the country but where you live — but have headlines that make their stories seem to be relevant. Their algorithm has run amuck... or maybe they are hoping we will all start liking/blocking stories so they can learn more about us.
On my end, the "For You" news is not that far off the mark in terms of sources but there's no way I can find to shut parts of it off. For example, I'm not interested in "entertainment" news and most sports (aside from the World Cup), but I get them anyway, along with reports about new online games (not interested), game hardware (not interested), and so on. It's also clear, they use tracking to determine what they show you. So stuff I'm marginally interested in or might look at somewhat randomly gets a block of news. All the fine tuning is gone.
 


What's odd and rather frustrating is that I can still look at the old Google News, because I have it bookmarked as my home page. But none of the links out work; click on them and they take you to the awful new Google News. I'm looking for a replacement Web aggregator that isn't any more annoying.
 


If you're willing to hand-pick your sources, there are several web-based RSS readers that may do the trick for you. I've been using Feedly for a few months and have been generally happy with the result. I see everything in the feeds I select and nothing else.
 


What's odd and rather frustrating is that I can still look at the old Google News, because I have it bookmarked as my home page. But none of the links out work; click on them and they take you to the awful new Google News. I'm looking for a replacement Web aggregator that isn't any more annoying.
I used to use a site called MyWay, but it went defunct years ago. Since then I use My Yahoo as an aggregator. It has been degrading over the past few years, with more and more click bait and one MarketWatch story from May 20167 stuck in that content box. However, it is still the one place I know about that lets me choose the content providers (including BBC, Reuters, NPR, although AP stopped working a couple of months ago) and move the content boxes into an order or arrangement that I prefer. Now that they keep pestering me with updated Oath privacy policy, which, among other things, seems to give me no option but to allow them to follow me wherever I go on the Web, I'm also looking for a replacement, so I'm very interested in anything anyone has to offer!
 


If you're willing to hand-pick your sources, there are several web-based RSS readers that may do the trick for you. I've been using Feedly for a few months and have been generally happy with the result. I see everything in the feeds I select and nothing else.
Another vote for Feedly! I've been using Feedly as an aggregator for years now, ever since Google cancelled their service. For an actual reader I use the app "Reeder" on both the Mac and iOS. Like David, I find it provides just what I ask for and it also syncs perfectly between the devices.
 


The setting described below and in the article appears to be only for Android. The article isn't perfectly clear about iOS. In my iPhone's Settings, Google Maps is set so Location is "While Using." I have not logged into my Google account in Google Maps. I'd delete Google Maps but Apple Maps often lacks adequate info.
AP News said:
Google tracks your movements, like it or not
Google wants to know where you go so badly that it records your movements even when you explicitly tell it not to.

An Associated Press investigation found that many Google services on Android devices and iPhones store your location data even if you’ve used a privacy setting that says it will prevent Google from doing so.

Computer-science researchers at Princeton confirmed these findings at the AP’s request.

... Google says it is being perfectly clear.

“There are a number of different ways that Google may use location to improve people’s experience, including: Location History, Web and App Activity, and through device-level Location Services,” a Google spokesperson said in a statement to the AP. “We provide clear descriptions of these tools, and robust controls so people can turn them on or off, and delete their histories at any time.”

To stop Google from saving these location markers, the company says, users can turn off another setting, one that does not specifically reference location information. Called “Web and App Activity” and enabled by default, that setting stores a variety of information from Google apps and websites to your Google account.
 


If nothing else, Google is at fault for not being perfectly clear about the data it collects and for not giving the schools and parents the information they need to opt-out.
Missouri Education Watchdog said:
What’s stored in your school Google Drive account? You might be surprised.
School-issued student Google accounts connect to Google Drive which can allow for the ability to Auto-Sync devices to Auto-Save passwords, browsing history and other digital data points from numerous devices used by a single user.
Fox 5 KRBK said:
Family claims SPS Google Drive is storing personal information
A local family has claimed that the Springfield Public School System is accessing their personal accounts and storing their private information on the system's Google Drive without their permission.
...
With more searching, the Elys have now found even more sensitive information that’s been stored to their daughter’s Google Drive, including 139 passwords to both her and her husband’s different accounts and also voice recordings of both her and her children.
 


Google Drive, like iCloud Drive and Microsoft One Drive, is supposed to create a virtual folder on your computer that is synced with the Google cloud server.

The news articles imply (but don't state) that the software is secretly sucking up all files stored on all your computers, phones and tablets. I find this a bit hard to believe. I think it is more likely that users are storing files on the shared drive without realizing that it is constantly synced to the cloud. Or maybe the default configuration is syncing an unexpected location (like the user's Documents folder).

Does anyone know what's really going on here?
 


Google Drive, like iCloud Drive and Microsoft One Drive, is supposed to create a virtual folder on your computer that is synced with the Google cloud server.... Does anyone know what's really going on here?
I'm looking forward to an in-depth analysis of this.

A client's company shares confidential info via Dropbox. They had no idea that the local Dropbox folder is not encrypted unless the disk or home folder is encrypted. I think all cloud storage providers need to be more proactive about making this perfectly clear.
 


I'm looking forward to an in-depth analysis of this. A client's company shares confidential info via Dropbox. They had no idea that the local Dropbox folder is not encrypted unless the disk or home folder is encrypted. I think all cloud storage providers need to be more proactive about making this perfectly clear.
I read somewhere that a major purpose for weather apps is to collect location data. Weather apps are typically an app where one would turn on location services, in order to get localized weather or weather warnings, as in tornado warnings.

There are articles describing how your wifi in your phone is being used to track you as you walk down a street or walk into a store.

I wonder if it is hopeless to conceal your persona from the internet. Maybe all you can do is reduce somewhat the quantity of information that is being extracted from you.
 


BleepingComputer said:
Bitdefender Disables Anti-Exploit Monitoring in Chrome After Google Policy Change
... Bogdan Botezatu, a senior e-threat analyst for Bitdefender ...
"Starting with the Chrome browser version 66, Google has gradually rolled out a new feature that prevents third party software from monitoring the application’s processes. While this measure ensures that rogue applications do not interfere with the Google product, it also prevents security solutions from inspecting the browser’s memory in search of potentially dangerous exploit code."

With version 66, Google Chrome displays a post-crash warning asking users to remove the security solution if it monitors the browser’s processes, even if the security solution is not responsible for the respective crash. In order to prevent this message from occurring and having users unwarily uninstall the security solution - which would leave them exposed to a vast array of online threats, Bitdefender has issued an update to stop the Anti-Exploit technology from monitoring the Chrome browser.
...
Pedro Bustamante, Vice President Products & Research at Malwarebytes ...
"I was going to mention that in the current implementation, Chrome doesn’t actually check whether the “incompatible app” is actually causing crashes or not. They are simply taking a list of popular apps and adding them to their warnings, regardless of whether those apps introduce crashes, conflicts, or any other issues. They do this by simply looking at a registry key to see if a particular app is installed or not. They don’t actually validate whether the app causes crashes."
 


Google's Security Checkup now flags macOS as insecure and wants you to block it from access to email, contacts, calendar and other services. I assume what they are trying to do is block you from using Apple Mail or other email clients. No thank you!
 


Summary: Check your settings/preferences in Chrome/Chromium, as the recent update to v. 70 changed mine.

At home and work I use Google Chrome to access my GSuite work Gmail, and use Chromium for my personal account (mostly Linux, Mac sometimes). That's kept them separate. I use Firefox to browse and have recently been using the EU version of StartPage as my search engine.

Both Chrome and Chromium just updated to Version 70.+

I do wish I could be certain I opened Chrome first, but when I opened Chromium, I noticed it was already logged into my GSuite work identity. Keeping those two identities separate seems in my interest, and in the interest of the organization where I labor.

There was a kerfuffle about Google changing Chrome(s) so that logging into, e.g., Gmail on Chrome would log a user into the Chrome browser and possibly Chrome sync. I had seen nothing saying Chromium would pick up signals from Chrome. In the past, they had been as separate from each other as is Firefox or Safari.

The good news, if any, is that "browser sync" was off in both browsers.

The bad news: after I cleared my GSuite ID from both browsers, and cleared the cookies that would have surely restored the ID, I had to go back into settings and re-enable my "some hope of privacy" settings, including disabling one I had not noticed before that was on by default: "Allow sites to check if you have payment methods saved."
 



More reason to not trust Google and its products.
Gizmodo said:
Google's Plan to Limit Ad Blockers on Chrome Riles Developers
The proposed design changes would replace the API relied upon by privacy extensions like uBlock and Ghostery with another designed to “diminish the effectiveness of content blocking and ad blocking extensions,” the Register reported on Tuesday. The proposal would leave functional basic filters employed by Adblock Plus, which, the site noted, Google has reportedly paid to whitelist its own ads.
 



More reason to not trust Google and its products.
Read deeper, following links, and Google is possibly "backing down."

Way back, when Android was much more an open environment, I rooted my Nexus One, which was not difficult, and installed AdAway, a local hosts program from the Google App Store. The first real sign Google was putting its interests in Android ahead of users was banishing AdAway. AdAway is still available on the F-Droid "open source" store, but rooting is much more difficult now, and with phones costing so very much, the risk of bricking one a major disincentive.

Recently, Google moved to block apps from accessing SMS. One of the most significant Android apps is Tasker, an app that is essentially an "if this, then that" programming environment and a hallmark of things possible in Android. Tasker, as an example, can observe that a user is leaving a known WiFi location (say, work) and send an SMS message that the user has left work and is (presumptively) on the way home.

A likely reason Microsoft is abandoning its own browsing engine for Chromium is that no one was writing extensions for Edge. By re-basing Edge on the open-source Chromium, it immediately gains access to the huge and valuable inventory of Chromium/Chrome extensions. The downside is that while Google has worked to keep Chrome "safe" with sandboxing and more, extensions have been security holes. The theory offered by Google for the proposed change was to plug those holes. Oh, and just a side effect that you users shouldn't mind, uBlock Origin and other extensions that spare users from annoying ads and their systems from malware-spitting internet sources just won't work.

Same with Android apps, some of which I remember burning up SMS allocations by sending spurious messages - not so dangerous economically in the US, where SMS plans are "unlimited," but in other countries where they remain expensive per message.... Ultimately, user outcry resulted in Tasker receiving an exception to SMS denial.

I disabled Chrome on my Android phone. Firefox on Android runs the full version of uBlock Origin and other privacy extensions. Chrome on Android has no extensions, ties into apps on the phone through Android System Webview, which can't be disabled without root, and is all a part of how Google monetizes user experiences by putting "stuff" before users we probably don't want, don't need, but many find diverting.

My opinion is that Google has become too sophisticated in how it manages its assets (Chromium, Chrome, Gmail, Android, Assistant) for its own good. The next version of Android (Q) is apparently going to provide carriers even more ways to lock phones - “carrier restriction enhancements for Android Q”. That may help persuade carriers to stock Android devices, but not end-user enhancements in any way. There may be a limit to what users will tolerate, not that the only alternative, iOS, is much different. After all, Siri relies on Google, and Google's bought its way into Apple search.
 


My wife informed me yesterday that she'd been hearing things on the cable network news that the Nest security cameras were incredibly easy to hack (a "white hat" hacker apparently had done a "proof of concept attack" by logging in to a user's camera and shocking her by announcing his presence verbally).

The inference was that Google has known about this vulnerability for a long time and hasn't fixed it. I don't know whether we should abandon these devices, attempt to return them to Google, or wait for a software update. I guess I'll start by calling Nest support.

Anyone else have information on this?
 


... Anyone else have information on this?
I don't know about that specific attack, but I just read this article:
Naked Security said:
Hijacked Nest cam broadcasts bogus warning about incoming missiles
A hacker took over a Nest security camera to broadcast a fake warning about three incoming intercontinental ballistic missiles (ICBM) launched from North Korea, sending a family into “five minutes of sheer terror.”

... The couple eventually realized that the warning was coming from their Nest security camera, perched on top of the TV. After multiple calls to 911 – the US emergency number – and to Nest, they eventually figured out that they’d been the victims of a prank. A Nest supervisor told them on Sunday that they’d likely been victims of a “third-party data breach” that gave the webcam hijacker access to the Nest camera and its speakers.
 


My wife informed me yesterday that she'd been hearing things on the cable network news that the Nest security cameras were incredibly easy to hack (a "white hat" hacker apparently had done a "proof of concept attack" by logging in to a user's camera and shocking her by announcing his presence verbally).

The inference was that Google has known about this vulnerability for a long time and hasn't fixed it. I don't know whether we should abandon these devices, attempt to return them to Google, or wait for a software update. I guess I'll start by calling Nest support.

Anyone else have information on this?
Yes, there was no hack. The "hacker" simply used a password that the Nest user had used for several services, one of which had a leak so their password and email address combination was known to bad guys.

No, Nest Cams are not being hacked to issue fake nuclear bomb threats
 


Ric Ford

MacInTouch
There's a Google Chrome zero-day being actively exploited in the wild, though Google didn't disclose that for a while...
Bleeping Computer said:
Google Chrome Update Patches Zero-Day Actively Exploited in the Wild

Google updated the release announcement for the Chrome web browser version 72.0.3626.121 with a warning that the 0day patched in the release is being actively exploited in the wild.

After initially publishing the 72.0.3626.121 update on March 1 with no mentions of the security flaw being abused, the Chrome team modified the announcement with exploitation information for the vulnerability stating that "Google is aware of reports that an exploit for CVE-2019-5786 exists in the wild."
 


Is anyone else running into automatic update failures with Chrome when trying to go from Version 75.0.3770.90 to Version 75.0.3770.100?

I thought I'd mention it here in case others might think they're up-to-date while their auto-updates may be failing. Here is my bug report:
  • Chrome automatic update from Version 75.0.3770.90 to Version 75.0.3770.100 is failing on multiple Macs with Error 12
  • Macs are running macOS 10.12.6 through 10.15 beta 1.
  • Can only move to Version 75.0.3770.100 by manually installing full version of Chrome from downloaded googlechrome.dmg.
Version 75.0.3770.90 (Official Build) (64-bit)
Update failed (error: 12)
Error details:
KSInstallAction install script failure. Exit code: 12. Standard error output: "goobspatch: old hash mismatch: 45447c432897cca06be7a23029ac656056afda95 != fda7841238dd407b52bbb85d8fe53e2c18381bae\ndirpatcher.sh: couldn't create /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/75.0.3770.100/Google Chrome Framework by applying /tmp/KSInstallAction.gFm4caJddk/m/.patch/framework_75.0.3770.90_75.0.3770.100.dirpatch/Google Chrome Framework$gbs to /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/75.0.3770.90/Google Chrome Framework\n.keystone_install: dirpatcher of versioned directory failed, status 13\n".
 


Is anyone else running into automatic update failures with Chrome when trying to go from Version 75.0.3770.90 to Version 75.0.3770.100?...
I am running El Capitan, OS X 10.11.6, on a late 2011 iMac (BTW, planning to get new iMac this fall). I have Google Chrome, and the update to 75.0.3770.100, probably automatic, went well. Of course, El Capitan is not in the list that is referenced above.
 


Is anyone else running into automatic update failures with Chrome when trying to go from Version 75.0.3770.90 to Version 75.0.3770.100?
My updates with macOS 10.13.6 and 10.14.5 went smoothly, but I have seen those same reports from others. Google's recommended solution is to uninstall Chrome and download their installer, much as you suggested.
 


It can be difficult to find other details, and Apple hides parts of its privacy policy until you enable certain features:
https://www.apple.com/legal/sla/docs/macOS1013.pdf ...
Great job finding that information, and highlighting important parts.

This week ZDNet tech journalist Matt Miller wrote how a SIM "hack" of his T-Mobile account lost his GMail account. And because he'd stored passwords, financial documents, and tax returns in Google Drive in plain text, pretty much everything else.

He was very lucky his bank's fraud unit intercepted a $25,000 purchase of Bitcoin that would have been charged to his associated credit card through overdraft protection.

If you want to learn specifics about Matt's story, I'd recommend starting on the Chromebook blog post published by his podcasting partner, Kevin Tofel. Kevin's coverage seems clearer than Matt's own; it includes a link to their podcast discussion:

Takeaways:
  1. Disable SMS, known to be vulnerable, from two-factor authentication.
  2. Perhaps go further, and disable use of voice calls to your cell phone.
  3. Pre-encrypt any password files uploaded to any cloud service. Same for any confidential documents.
  4. Disable overdraft protection on your bank accounts. Check back from time to time to be sure it stays disabled. Better an overdraft charge than a large theft from your account you have to pay back.
Matt's disaster sent me to look at my personal and G Suite accounts. I found that while my cell phone was low on the list of two factor options, it was on the list. Visiting the page to initiate a lost password reset request to Google, there was that option to get the code through a voice or SMS to my cell. I removed the option.

I'm still puzzling over risks from how my varied accounts inter-connect. My Google accounts refer to my iCloud email, and iCloud back to Google.

Not long ago, I set up some new iPads. When Apple asked for a confirmation phone to send, I used Google Voice, which worked. Since I'm not deeply embedded in iOS and Apple's authentication systems, I don't know if that's a particular risk after initial setup, if the related Google account is hacked?

Working through steps to "harden" my Google accounts, I visited privacy settings. They're quite different in G Suite and my personal GMail account, with free GMail being far more wide open.

I've tried to corral my exposure to tracking and data exfiltration by using Firefox for browsing and search through the EU version of Startpage. I use Chrome for G Suite email and services, Chromium for my personal "free" GMail and services.

Yet the following setting (which reminds me of Ric's post about Apple settings) was On by default in my personal GMail. I don't know if it just happened before without Google telling us, or if the notice was always there, and though I'd set privacy terms up in the past, just hadn't noticed it, or if it's new:
Google Support Accounts said:
Manage Device Information setting
The Device Information setting saves a copy of some information from your phone or tablet, including:
  • Contacts
  • Calendars
  • Apps
  • Music
  • Information about the device, like battery level
No idea how far out of Chromium's (or Chrome's) "sandbox" that enables Google to roam. Does the reference to "phone or tablet" exclude computers? Seems that's a lot of "stuff" many computer users think is local-only that Google is authorizing itself to harvest.
 


Brian Krebs has good coverage about SIM swapping on his website, including:

and

The comments section for the second story has a discussion about how to set up Google Voice to replace SIM-based SMS 2FA. I've done it successfully on several accounts where there is no alternative to SMS. As well, I still have a POTS line (which, of course, an attacker would find difficult to gain control of, as with Google Voice) that can serve as either a primary or backup second factor in place of SMS.

I have been using this setup for almost a year now without any problems. The initial switchover takes some time, but now "it just works".
 


Ric Ford

MacInTouch
This looks pretty bad, but the cause is unclear at the moment:
BleepingComputer said:
Avid Users Are Suddenly Finding That Their Macs Won’t Boot
Avid video editors have started reported that when they shutdown their Macs, they will no longer boot up afterwards. It is not known exactly what is causing this issue, but it appears to be affecting older versions of Mac OS X who have the Avid Media Creator software installed.

... While there has not been any word from Apple or Avid about this issue, a post from the Avid Editors Facebook page states that Macs running OS X 10.13.x and earlier that have Avid Media Creator installed will suddenly find that their account has been changed to a Standard user and may receive an error regarding their iLock license, which will cause their Mac to no longer be able to boot.
 




Also, there is an app called Google Update Uninstaller (which appears to date from 2011!) available from
which I installed on my system years ago to resolve a long-forgotten issue.

Multiple caveats: the app is discontinued and no longer supported, and although it appears to run on my Mojave 10.14.6 system, I have no idea whether one would need to disable SIP to allow it to do its thing. Caveat emptor, and so on.
 


A post late yesterday from Google support claims "If you have not taken steps to disable System Integrity Protection and your computer is on OS X 10.9 or later, this issue cannot affect you."

It includes instructions on how to recover. It is not clear from the posts on the MrMacintosh site if the problem is limited to that group.
 


Here's extensive information about the nasty, invisible Google updater bug that disables Macs:
People with Hackintoshes and people who have installed the DosDude1 patches to run unsupported versions of macOS on older hardware should check their systems for the Google updater issue now, as disabling SIP is necessary for their systems to run.

Unfortunately, this probably isn't the last time we'll see this class of bug, as developers likely are now only testing their software on SIP-enabled machines.
 


FWIW, I also wrote an Applescript back in 2009 that removes the Google SoftwareUpdater and creates 3 locked folders in the places it tries to put files, so it can't reinstall itself, just because I didn't like Google messing with my software installs and not telling me about it.
 


Unfortunately, this probably isn't the last time we'll see this class of bug, as developers likely are now only testing their software on SIP-enabled machines.
I want to know what Google was smoking that would cause an application updater, even by accident, to unlink /var. That's like deleting the kernel. Things like that don't happen "by accident", and I would like to know what they thought they were trying to do.

As for testing, it also proves that Google doesn't check error logs as a part of their alleged test process. Looking at the screenshot on the MrMacintosh site, we can see that SIP logged a sandbox violation at the attempt. Clearly, Google either didn't look at the system log or they ignored the error.
 


Ric Ford

MacInTouch
Here's an illustrated remediation procedure for people hit by Google's silent Mac-killer Chrome updater:
DerFlounder said:
Google Keystone update breaks Macs’ ability to boot if System Integrity Protection is disabled
On Macs where SIP was disabled, this protection did not apply and the Keystone update was able to remove the /var symlink. This symlink is not a directory itself, but points to another directory (/private/var) which contains software necessary for the operating system to boot and function correctly, so removing the /var symlink rendered the affected Macs unbootable.

As mentioned previously, Google has pulled the problematic Keystone update and has published instructions on how to remediate affected Macs. For more details, please see below the jump.
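
A read-only check for the condition described in the quoted article, added here as an example (it is not part of any post in this thread, nor Google's or DerFlounder's procedure). It assumes the standard macOS layout in which /var is a symlink to private/var; the function names are made up for the example, and the status strings in the comments are constructed samples of `csrutil status` output.

```shell
#!/bin/sh
# Added example: verify that the /var symlink is intact and report SIP state.
# Nothing here modifies the system.

# check_var_symlink ROOT
#   Prints one status word; returns 0 only when ROOT/var is a symlink that
#   points at private/var and ROOT/private/var is a real directory.
#   ROOT is "/" on a running system, or the mount point of the affected
#   volume when examining a Mac that no longer boots.
check_var_symlink() {
    root="${1%/}"                 # "/" becomes "", so "$root/var" is "/var"
    link="$root/var"
    if [ ! -L "$link" ]; then
        if [ -e "$link" ]; then
            echo "not-a-symlink"  # a file or directory replaced the link
        else
            echo "missing"        # the state the affected Macs were left in
        fi
        return 1
    fi
    target=$(readlink "$link")
    case "$target" in
        private/var|/private/var) ;;
        *) echo "unexpected-target"; return 1 ;;
    esac
    if [ ! -d "$root/private/var" ]; then
        echo "dangling"           # link exists but its destination does not
        return 1
    fi
    echo "ok"
}

# parse_sip_status LINE
#   Classifies the first line of `csrutil status` output, e.g. (constructed):
#     "System Integrity Protection status: enabled."
#     "System Integrity Protection status: disabled."
#   A custom configuration is reported separately because individual
#   protections, including filesystem protection, may be off.
parse_sip_status() {
    case "$1" in
        *"Custom Configuration"*) echo "custom" ;;
        *": enabled"*)            echo "enabled" ;;
        *": disabled"*)           echo "disabled" ;;
        *)                        echo "unknown" ;;
    esac
}

# Live check, only on macOS.
if [ "$(uname -s)" = "Darwin" ]; then
    echo "/var symlink: $(check_var_symlink /)"
    echo "SIP: $(parse_sip_status "$(csrutil status 2>/dev/null | head -n 1)")"
fi
```

A result of "disabled" or "custom" for SIP is the configuration in which the article says the /var symlink had no protection.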
 


