Google offers high-risk Chrome users additional scanning of risky files

Google is providing a new “risky files” scanning feature to Chrome users enrolled in its Advanced Protection Program (APP).


About the Advanced Protection Program

Google introduced the Advanced Protection Program in 2017.

It’s primarily aimed at users whose accounts are at high risk of compromise through targeted attacks – journalists, human rights and civil society activists, campaign staffers and people in abusive relationships, executives and specific employees – but anyone can sign up for it.

It offers:

  • Anti-phishing protection: even if attackers steal a user’s credentials, they still need the security key or smartphone that is in the user’s possession to gain access to the account
  • Extra protection from harmful downloads
  • Protection from malicious third-party apps that may want to access users’ Google Accounts.

Some features, like the one announced on Wednesday, will work only if the user uses Google Chrome and is signed into it with their Advanced Protection Program identity.

Additional scanning

Chrome started warning APP users last year when a downloaded file may be malicious, but now it will also let them send risky files for additional scanning by Google Safe Browsing’s full suite of malware detection technology before opening them.

“When a user downloads a file, Safe Browsing will perform a quick check using metadata, such as hashes of the file, to evaluate whether it appears potentially suspicious. For any downloads that Safe Browsing deems risky, but not clearly unsafe, the user will be presented with a warning and the ability to send the file to be scanned,” Chrome engineers explained.

“If the user chooses to send the file, Chrome will upload it to Google Safe Browsing, which will scan it using its static and dynamic analysis techniques in real time. After a short wait, if Safe Browsing determines the file is unsafe, Chrome will warn the user. As always, users can bypass the warning and open the file without scanning, if they are confident the file is safe. Safe Browsing deletes uploaded files a short time after scanning.”

Aside from helping users, the new feature is expected to improve Google’s ability to detect malicious files.

State-sponsored actors may have abused Twitter API to de-anonymize users

A Twitter API that’s intended to help new account holders find people they may already know on Twitter has been abused by known and unknown actors to tie usernames to phone numbers and potentially de-anonymize certain users.


How did it happen?

“On December 24, 2019 we became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers. We immediately suspended these accounts and are disclosing the details of our investigation to you today because we believe it’s important that you are aware of what happened, and how we fixed it,” Twitter shared on Monday.

“During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case. While we identified accounts located in a wide range of countries engaging in these behaviors, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors.”

Malicious actors (whether state-sponsored or fraudsters motivated by money) who can match Twitter usernames to phone numbers can not only unmask users who want to remain anonymous on the microblogging service. They could also use that information to perform SIM swapping attacks and receive the second authentication factor needed to hijack accounts that are additionally secured with two-factor authentication.

The company did not mention it in the advisory, but the trigger for the investigation was a security researcher’s months-long effort exploiting a flaw in Twitter’s Android app that allowed him to match 17 million phone numbers to Twitter user accounts.

Apparently, the API endpoint rejected lists of phone numbers in sequential order, but the researcher got around this flimsy protection by generating more than two billion phone numbers, randomizing their order, and then uploading them to Twitter via the Android app.
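The behaviour Twitter describes (a high volume of lookups from individual IP addresses, spread over many fake accounts, with randomised numbers that defeat a sequential-order check) is easier to catch by volume than by pattern. The following is an added example, not Twitter’s own tooling: it aggregates constructed request logs for a hypothetical phone-to-account lookup endpoint and flags source IPs that exceed a per-IP cap on numbers queried or on distinct requesting accounts. The log format, IP addresses, account ids and thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed request log (not real data). One request per line:
# <timestamp> <source IP> <requesting account> <phone numbers in batch>
SAMPLE_LOG = """\
2019-12-24T10:00:01Z 198.51.100.7 acct_1001 50
2019-12-24T10:00:02Z 198.51.100.7 acct_1002 50
2019-12-24T10:00:03Z 198.51.100.7 acct_1003 50
2019-12-24T10:00:04Z 198.51.100.7 acct_1004 50
2019-12-24T10:00:05Z 198.51.100.7 acct_1005 50
2019-12-24T10:01:10Z 203.0.113.9 acct_2001 30
2019-12-24T10:02:45Z 192.0.2.44 acct_3001 120
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, ip, account, batch_size) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, batch = line.split()
        records.append((ts, ip, account, int(batch)))
    return records


def find_lookup_abuse(records, max_numbers_per_ip=200, max_accounts_per_ip=3):
    """Return {ip: (numbers_queried, distinct_accounts)} for every source IP that
    exceeds either cap. The check is volume-based, so randomising the order of the
    queried numbers (as in the incident) does not evade it. Thresholds are illustrative."""
    numbers_by_ip = defaultdict(int)
    accounts_by_ip = defaultdict(set)
    for _, ip, account, batch in records:
        numbers_by_ip[ip] += batch          # total phone numbers this IP has queried
        accounts_by_ip[ip].add(account)     # distinct accounts used from this IP
    flagged = {}
    for ip, total in numbers_by_ip.items():
        distinct = len(accounts_by_ip[ip])
        if total > max_numbers_per_ip or distinct > max_accounts_per_ip:
            flagged[ip] = (total, distinct)
    return flagged


if __name__ == "__main__":
    for ip, (total, accounts) in find_lookup_abuse(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {total} numbers queried via {accounts} accounts")
```

In the sample, only 198.51.100.7 is flagged: five throwaway accounts from one address together query 250 numbers, while the single-account senders stay under both caps.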

What now?

This specific bug was present only in the app’s upload feature and has since been fixed.

“The endpoint matches phone numbers to Twitter accounts for those people who have enabled the ‘Let people who have your phone number find you on Twitter’ option and who have a phone number associated with their Twitter account. People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability,” Twitter explained.

After the investigation, the company made “a number of changes to this API endpoint so that it could no longer return specific account names in response to queries.”