
    From Firefox Malware to Stolen Pornhub Data: This Week’s Security News Is Not Sexy

    I know a lot of developers who got their start building Chrome or Firefox add-ons that include useful features that the browser itself didn’t have. Unfortunately, over the years, I’ve also seen a number of those add-ons get sold to companies that turned them into spyware, adware, or, as we reported this week, straight-up malware that can steal your browsing history, conversations with chatbots, and more. I think now is a good time to take a moment to remove any add-ons that you no longer need or that are outdated, don’t you?

    Stay tuned on the add-on front, because we have even more bad news a little later on. Before we get to that, though, if you’re a Pornhub premium subscriber, keep an eye on your inbox: hackers have stolen over 94GB of search histories, viewing activity, and other data from subscribers. Here’s a simple opsec tip for my fellow adults in the room: never use your real name, real email address, or any other identifying information when engaging with adult content online. Use disposable email addresses, never use a username that can be traced back to any real handles you use online, and even consider virtual credit card numbers. Adult content is a goldmine for scammers looking to extort money, data, or worse. 

    Ironically, it’s tips like these that you’ll get when you read our annual roundup of the best security advice we’ve heard this year, all from experts, analysts, and some even from the crew here on the PCMag security team. 

    Meanwhile, in the wake of all these threats, Google announced this week that it’s retiring its dark web monitoring tool, which helps users determine if their data has been exposed. Luckily, if you were relying on it, you have much better options to turn to that will actively monitor and report to you if any of your data turns up in a breach.


    Thousands of Firefox Users Compromised: 17 Extensions Hide Malware in Icons

    If you thought that only Chrome users were at risk of malware-infested browser extensions, think again. Researchers at Koi Security identified 17 Firefox extensions that also host malware, hidden within their PNG icons. This attack method is known as steganography, where a payload or message is concealed within an image to evade detection. Steganography is sometimes used as a method of encryption, but in this case, the PNG is actually a loader for the malware, which is then fetched from a remote server and runs irregularly, making it difficult to detect.

    The actual malware is also quite nasty, performing a range of malicious actions, including hijacking affiliate links (which means the attacker receives a cut of your online purchases), tracking your browsing habits, stripping security headers from the sites you visit, and even bypassing captchas designed to block bots. I’m just skimming the surface here, and that’s the worst part. The malware actually does more, and is surprisingly sophisticated in evading detection.

    Cybernews has the full list of offending extensions, most of which are actually still live in the Firefox add-ons marketplace. Among the extensions caught using the same tactics are a free VPN (called Free VPN Forever, which serves as another reminder that free VPNs often aren’t all they’re cracked up to be), a live translation add-on, a weather extension, and an MP3 downloader. Remember, just because an add-on is in the Firefox marketplace or the Chrome web store doesn’t mean it’s safe, or has even been reviewed recently for malicious code changes.


    LastPass Hammered With $1.6M Fine for 2022 Breach Fiasco

    In 2022, LastPass suffered a breach that resulted in a hacker obtaining encrypted copies of customer vaults, as well as personal information like names, email addresses, billing addresses, and IP addresses. Eventually, that breach was traced back to both the theft of some of the company’s source code earlier that year and a keylogger that had been planted on an employee’s home computer. Aside from the personal data that was lost, the only way anyone could make use of an encrypted vault was if they had the master password for it, but it wasn’t a good look for a security company, sadly. 

    Now, the UK’s Information Commissioner’s Office (ICO) has fined the company £1.2M (approximately $1.6M) as a result of the breach, according to The Register. The ICO stated that the breach ultimately impacted 1.6 million users in the UK alone and that the company fell short of the expectations that its customers had that it would keep their data safe and secure. Additionally, the ICO claimed that LastPass failed to implement the necessary security measures to protect its customers, and also suffered from organizational issues that should have been resolved. Our review of LastPass highlights several security issues, some of which remain unresolved, despite the company’s assertion that, following the 2022 breach, it has taken numerous steps to enhance security and regain customer trust. 


    Analysts Warn of Cybersecurity Risks in Humanoid Robots

    Personally, I have no desire to have a humanoid robot in my home (it feels a little too close to owning a person, you know?) but that’s not stopping dozens of companies from unveiling their own, and as Dark Reading reports, having a humanoid robot in proximity to real, living, breathing humans comes with security risks that few of those companies, or the public, have considered. 

    Beyond the usual fears of Terminator-style violence (although the Chinese company EngineAI does have a humanoid robot called the “T800”), security analysts are more concerned in the short term with humanoid robots joining the array of smart home devices that are always connected, always listening, and always collecting data. The last thing you might want to learn is that the $5000 robot you purchased to fold your laundry and do your dishes is actually part of a botnet, or has been recording and sending all of your household conversations back to its manufacturer. 

    Dark Reading’s story also explains why robots are so hard to secure at this stage: they’re not like PCs, running specific software for specific systems; they’re networks of networks, systems with hundreds of embedded systems, and as of right now, no one makes security tools to keep them safe and secure.
