CERT-In Issues High-Security Risks On Google Chrome

Date: September 29, 2023

CERT-In has identified potential risks for users of Google Chrome that can lead to multiple vulnerabilities regarding their sensitive information. Read more.

Are you a daily user of Google Chrome? More than a million people use Google Chrome for a wide range of activities, from searching for something basic to making secure transactions globally. However, India's Computer Emergency Response Team, a government authority, has raised a high alert for all Google Chrome users to prevent a mass security breach. The warning comes from discovering multiple vulnerabilities that could potentially open doors for hackers, spammers, and DDOS agents. CERT-In is urging Google Chrome to take immediate action regarding mitigation steps for these vulnerabilities.

What’s The Threat?

People use Google Chrome for various needs. While some do not require us to enter our sensitive information, a lot do. Considering the normalization of online transactions, data sharing, and exchange of sensitive information over the internet with a nothing-will-happen mindset, the CERT-In finds these vulnerabilities a grave threat. These vulnerabilities could bypass security gates, execute arbitrary code, or lead to denial of service actions without notice. These actions can cause multiple forms of harm, from spamming to leaking money and personal data to unsolicited markets.

According to sources, the flaws in Google Chrome’s various extensions in some of the versions include a Heap buffer overflow error in WebP, inappropriate implementation in Custom Tabs, Prompts, Input, Intents, Picture in Picture, and Interstitials, as well as insufficient policy enforcement in Downloads and Autofill. Cybercriminals can easily access the data using these flaws and take advantage.

Who Is At Risk?

While CERT-In has urged the Google team to take all the latest versions of the app in cognizance, a particular set of prior versions are prone to these threats easily.

CVE-2023-4863 is a vulnerability that’s being actively exploited in the wild.  The software versions of Google Chrome vulnerable to these are:

• Google Chrome (Extended Stable Channel) versions prior to 116.0.5845.188 (for Mac and Linux)Google Chrome (Extended Stable Channel) versions prior to 116.0.5845.188 (for Mac and Linux)
• Google Chrome (Extended Stable Channel) versions prior to 116.0.5845.187 (for Windows)
• Google Chrome for Desktop versions prior to 117.0.5938.62 (for Mac and Linux)Google Chrome for Desktop versions prior to 117.0.5938.62 (for Mac and Linux)
• Google Chrome for Desktop versions prior to 117.0.5938.62/.63 (for Windows)

What Can You Do?

If you use Google Chrome to store personal and sensitive data, keeping them off the platform would be the best first step. For starters, remove all history, cookies, and personal data from the platform. Use a secure alternative payment gateway for transactions. The next step would be to update Google Chome to the latest version, automatically eliminating the security risks associated with prior versions. Use incognito mode to browse websites where you can potentially enter your personal data. Wait for the Google Chrome team’s notice regarding their steps, and try to minimize usage till then for preventive safety.