Google has announced plans to officially flip the switch on its twice-delayed Privacy Sandbox initiatives as it slowly works its way to deprecate support for third-party cookies in Chrome browser.
To that end, the search and advertising giant said it intends to phase out third-party cookies for 1% of Chrome users globally in the first quarter of 2024.
“This will support developers in conducting
XSS Vulnerabilities in Azure Services Let Attackers Execute Malicious Scripts
Two severe vulnerabilities have been discovered in two Azure services, Azure Bastion and Azure Container Registry, that allow cross-site scripting (XSS) by leveraging a flaw in how embedded postMessage iframes are handled.
Cross-site scripting (XSS) occurs when a threat actor injects malicious scripts into a trusted website so that they are unintentionally executed by users' browsers.
Threat actors may acquire unauthorized access, compromise network systems, or even steal data when that happens.
Orca Security notified the Microsoft Security Response Center (MSRC) so that the vulnerabilities could be validated and fixed; MSRC was able to reproduce the problems once made aware of them.
According to reports, both vulnerabilities have been validated and addressed, and no further action is required from Azure customers.
XSS Attack Flow With Embedded postMessage IFrames
Applications use the postMessage API to send messages from one window to another. postMessage has security implications of its own, and if it is not implemented properly it can constitute a significant security risk.
“The postMessage iframe vulnerability that we discovered in Azure Bastion and the Azure Container Registry allowed attackers to embed endpoints within remote servers using the iframe tag,” researchers said.
The research team learned that by combining this flaw with improper postMessage origin validation, attackers could have compromised sensitive data by executing malicious JavaScript code.
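The combination the researchers describe, a handler that accepts messages without validating the sender's origin, is what makes an embeddable endpoint dangerous. The following is an added example written for this article, not Orca Security's or Microsoft's code: a handler that trusts any sender is placed next to a hardened one that checks the origin against an exact allowlist, validates the message shape, and writes only to a text sink. The portal origin `https://portal.example.com`, the `setTitle` message type and the sample events are all assumptions constructed for the demonstration; MessageEvent objects and DOM elements are modelled as plain objects so the code runs in Node without a browser.

```javascript
// Added example (not Orca Security's or Microsoft's code): a postMessage handler
// that trusts any sender next to a hardened one, exercised against constructed
// MessageEvent-like objects so it runs in Node without a browser.

// Minimal stand-in for a DOM element with an HTML sink and a text sink.
function makeSink() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable pattern: no origin check, and the message goes straight into an
// HTML sink. Any page that can embed this frame can drive what gets rendered.
function vulnerableHandler(sink, event) {
  sink.innerHTML = typeof event.data === "string" ? event.data : String(event.data);
}

// Placeholder origin of the embedding portal; an assumption for this example.
const TRUSTED_ORIGINS = new Set(["https://portal.example.com"]);

// Common weak check: a substring (or unanchored regex) match on the origin.
// It accepts any origin that merely contains the trusted host name.
function weakOriginCheck(origin) {
  return origin.indexOf("portal.example.com") !== -1;
}

// Exact-match check against an allowlist of full origins (scheme + host + port).
function strictOriginCheck(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Hardened pattern: exact origin match, a typed message schema, a length
// bound, and a text sink so any markup in the message is rendered literally.
function hardenedHandler(sink, event) {
  if (!strictOriginCheck(event.origin)) {
    return { accepted: false, reason: "untrusted-origin" };
  }
  const msg = event.data;
  if (msg === null || typeof msg !== "object" ||
      msg.type !== "setTitle" || typeof msg.title !== "string") {
    return { accepted: false, reason: "bad-schema" };
  }
  if (msg.title.length > 200) {
    return { accepted: false, reason: "too-long" };
  }
  sink.textContent = msg.title;
  return { accepted: true, reason: "ok" };
}

// Constructed sample events (not captured traffic). The second and third carry
// markup in the payload; the second also comes from an unexpected origin.
const SAMPLE_EVENTS = [
  { origin: "https://portal.example.com", data: { type: "setTitle", title: "Topology view" } },
  { origin: "https://attacker.example", data: "<b>injected</b>" },
  { origin: "https://portal.example.com", data: "<b>injected</b>" },
];

// Runs both handlers over each event and records what reached each sink.
function runComparison(events) {
  return events.map((ev) => {
    const vSink = makeSink();
    const hSink = makeSink();
    vulnerableHandler(vSink, ev);
    const verdict = hardenedHandler(hSink, ev);
    return {
      origin: ev.origin,
      vulnerableHtml: vSink.innerHTML,
      hardened: verdict,
      hardenedText: hSink.textContent,
    };
  });
}

console.log(JSON.stringify(runComparison(SAMPLE_EVENTS), null, 2));
```

The comparison shows the two independent controls: the strict origin check stops the message from the foreign origin, and the schema check plus text sink stop markup from the trusted origin being interpreted as HTML. The `weakOriginCheck` function is included only to show why substring matching is not origin validation: it accepts `https://portal.example.com.attacker.example`, which the exact-match check rejects.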
Additionally, a threat actor would need to perform reconnaissance across several Azure services to identify vulnerable endpoints embedded inside the Azure portal that are missing X-Frame-Options headers or have weak Content Security Policies (CSPs).
Azure XSS Attack Flow
The adversary might then create the necessary payloads by embedding the weak iframe in an actor-controlled server (such as one exposed via ngrok) and developing a postMessage handler that sends the malicious payload after analyzing the legitimate postMessages delivered to the iframe from portal.azure[.]com.
“As the victim accesses the page, the malicious postMessage payload is delivered to the embedded iframe, triggering the XSS vulnerability and executing the attacker’s code within the victim’s context,” researchers said.
Major consequences may result from this, such as unauthorized access to data, loss of administrative rights, data theft, unauthorized modifications, or interruption of Azure services.
In a proof-of-concept (PoC) presented by Orca, both the Azure Bastion Topology View SVG exporter and the Azure Container Registry Quick Start were shown to be vulnerable to manipulation by a specifically constructed postMessage, allowing an XSS payload to be executed.
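The reconnaissance step above relies on endpoints that can be framed from an arbitrary origin, which is decided by two response headers. The following is an added example written for this article, not Orca Security's or Microsoft's code: a small audit of framing-related headers applied to constructed header sets rather than live responses. It applies the rules browsers use: an enforced CSP `frame-ancestors` directive takes precedence over `X-Frame-Options`, `frame-ancestors` does not fall back to `default-src`, a report-only policy never blocks framing, and an `X-Frame-Options` value other than `DENY` or `SAMEORIGIN` is ignored. The header sets and the `https://portal.example.com` origin are constructed for the demonstration.

```javascript
// Added example (not Orca Security's or Microsoft's code): a small audit of the
// response headers that decide whether an endpoint can be embedded in a frame,
// run over constructed header sets rather than live responses.

// Parses a CSP header value into { directiveName: [tokens] }. Per the CSP
// spec, a directive repeated inside one policy is ignored after the first.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Decides who may frame a response, given headers with lower-cased names
// (a value may be an array when the header was sent more than once).
// Rules applied: an enforced CSP frame-ancestors directive takes precedence
// over X-Frame-Options; frame-ancestors does not fall back to default-src;
// Content-Security-Policy-Report-Only never blocks framing.
function assessFraming(headers) {
  const csp = headers["content-security-policy"];
  const policies = csp === undefined ? [] : [].concat(csp);
  for (const policy of policies) {
    const d = parseCsp(policy);
    if (!d["frame-ancestors"]) continue;
    const sources = d["frame-ancestors"].map((t) => t.toLowerCase());
    // An empty source list or a lone 'none' means nobody may frame the page.
    if (sources.length === 0 || (sources.length === 1 && sources[0] === "'none'")) {
      return { verdict: "deny", source: "csp" };
    }
    if (sources.length === 1 && sources[0] === "'self'") {
      return { verdict: "same-origin", source: "csp" };
    }
    if (sources.includes("*")) {
      return { verdict: "unrestricted", source: "csp", note: "wildcard frame-ancestors" };
    }
    return { verdict: "allowlist", source: "csp", allowed: sources };
  }
  const xfo = headers["x-frame-options"];
  if (xfo !== undefined) {
    const v = String(xfo).trim().toUpperCase();
    if (v === "DENY") return { verdict: "deny", source: "xfo" };
    if (v === "SAMEORIGIN") return { verdict: "same-origin", source: "xfo" };
    // ALLOW-FROM and misspellings are not honoured by current browsers.
    return { verdict: "unrestricted", source: "xfo", note: "unrecognised value: " + v };
  }
  return { verdict: "unrestricted", source: "none" };
}

// Constructed header sets illustrating common postures (not real responses).
const SAMPLE_RESPONSES = {
  hardened: {
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "x-frame-options": "DENY",
  },
  legacyOnly: { "x-frame-options": "SAMEORIGIN" },
  cspWithoutFrameAncestors: { "content-security-policy": "default-src 'self'; script-src 'self'" },
  reportOnly: { "content-security-policy-report-only": "frame-ancestors 'none'" },
  typoXfo: { "x-frame-options": "SAME-ORIGIN" },
  portalAllowlist: { "content-security-policy": "frame-ancestors 'self' https://portal.example.com" },
};

// Returns { name: verdict } for every sample so embeddable ones stand out.
function auditAll(responses) {
  const out = {};
  for (const [name, headers] of Object.entries(responses)) {
    out[name] = assessFraming(headers).verdict;
  }
  return out;
}

console.log(auditAll(SAMPLE_RESPONSES));
```

Three of the six samples come back as `unrestricted`, and none of them is an obviously missing header: a CSP that never mentions `frame-ancestors`, a policy delivered only in report-only mode, and a mistyped `X-Frame-Options` value all leave the endpoint embeddable. That is the kind of gap the article describes, and it is why a header audit should parse the directives rather than merely check that a header is present.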