Chrome extensions with 1.4M installs covertly track visits and inject code

If you’ve installed any of these extensions, manually remove them stat.

Google has removed browser extensions with more than 1.4 million downloads from the Chrome Web Store after third-party researchers reported they were surreptitiously tracking users’ browsing history and inserting tracking code into specific ecommerce sites they visited.

The five extensions flagged by McAfee purport to offer various services, including the ability to stream Netflix videos to groups of people, take screenshots, and automatically find and apply coupon codes. Behind the scenes, company researchers said, the extensions kept a running list of each site a user visited and took additional actions when users landed on specific sites.

The extensions sent the name of each site visited to the developer-designated site d.langhort.com, along with a unique identifier and the country, city, and zip code of the visiting device. If the site visited matched a list of ecommerce sites, the developer domain instructed the extensions to insert JavaScript into the visited page. The code modified the cookies for the site so that the extension authors receive affiliate payment for any items purchased.

Microsoft EU cloud revisions just so happen to exclude Google, Amazon

Move to appease EU partners bars running MS apps on competitors’ infrastructure.

Microsoft says its latest cloud licensing terms are meant to give customers more flexibility and cost control—just not on Amazon, Google, or Alibaba servers.

Facing European antitrust scrutiny, Microsoft has made it easier to virtualize its software on non-Microsoft cloud infrastructure—just so long as that infrastructure isn't owned by notable competitors Amazon, Google, or Alibaba.

The conflict, months in the making, is striking for a company that has largely avoided the antitrust scrutiny of its rivals, and eagerly sought to distance itself from the anti-competitive complaints and government actions that beset Microsoft in the late 1990s.

Microsoft outlined the changes that would take effect on October 1 in a blog post. Nicole Dezen, chief partner officer, wrote that Microsoft "believes in the value of the partner ecosystem" and changed outsourcing and hosting terms that "will benefit partners and customers globally."

The 2023 Genesis GV60 is a strong contender for EV of the year

Some of the tech feels a bit gimmicky, but there’s a lot to like about this one.

The 2023 Genesis GV60 is the third E-GMP-based EV we've tested in the last few months, and like the other two it is extremely impressive.

The rise of the Korean automotive industry over the past few years has been fascinating to watch. Years of lackluster products and difficult dealerships still carry some stigma, but the truth is that we haven't driven a bad new car from Hyundai Motor Group in some time. That's particularly true when it comes to its electric vehicles, especially those built using the company's latest platform, called E-GMP.

Kia and Hyundai have each delivered their first E-GMP EVs, and both have seriously impressed. Now it's time for Genesis to apply its first take on automotive luxury as applied to the E-GMP platform with this electric crossover, the GV60.

It builds on what we already knew to be a competent skeleton, adding a hefty dose of style, some intriguing convenience tech that might not be reliable enough just yet, and in the case of the all-wheel drive Performance version we tested, more than enough power. It's even what currently passes for reasonably priced in terms of specification, finish, and the generally over-exuberant state of the EV market, starting at $58,890.

CDC recommends BA.4/5-targeting COVID boosters from Moderna and Pfizer [Updated]

The new boosters are expected to start going into arms around Labor Day.

An Army veteran waits the recommended 15 minutes to see if he will have any adverse reactions after receiving his second COVID-19 booster shot at Edward Hines Jr. VA Hospital on April 1, 2022, in Hines, Illinois.

Update 9/2/2022, 10:05 am ET: The Centers for Disease Control and Prevention signed off on the updated COVID-19 boosters from Moderna and Pfizer-BioNTech Thursday, allowing for the rollout of the second-generation vaccines to begin in the coming days.

The CDC's advisory committee—the Advisory Committee on Immunization Practices (ACIP)—met for a daylong meeting Thursday to review all of the data around the updated boosters, which have not yet completed clinical trials. The committee voted 13 to 1 in favor of recommending the boosters, which were authorized by the Food and Drug Administration on Wednesday. The sole dissenting vote was from pediatrician Pablo Sánchez of Ohio State University and Nationwide Children’s Hospital. Sánchez believes that second-generation shots will be safe and effective but felt it would be better to have the human clinical data in hand before rolling out the doses. "There’s a lot of vaccine hesitancy already," he said. "I just feel this was a bit premature."

Though other advisers expressed similar concerns about the lack of clinical data, the CDC—like the FDA—emphasized that the COVID-19 booster update was working much like the streamlined process for updating annual flu vaccines.

Google gives developers a way to sidestep Android 13’s one-way update

Google posts an anti-rollback workaround, but only for developers.

The Pixel 6 Pro.

With the rollout of Android 13 to the Pixel 6 and 6a, Google posted an interesting warning on the system image website: Once you flash Android 13, you can never go back to the old version. That's still the case for anyone wanting a fully functional phone, but now, Google has posted an Android 12 "developer support image" that will let developers roll back their phones even after upgrading. The "developer" branding on the image means it's not fully functional, but it will be good enough for app testing.

The reason for Google's one-way Android 13 update is a bootloader vulnerability. The bug is in the Pixel 6, 6 Pro, and 6a, so only those Pixels got a one-way update. Android 13 has a fix for the bootloader vulnerability, and to stop attackers from rolling back a device to get around the patch, the company triggered anti-rollback protection on the Pixel 6 and 6a. Anti-rollback protection blows a physical fuse inside the phone SoC. There are several of these fuses, and each OS version has a count of how many blown fuses it expects. If the number is too high, that means Google has flagged that OS as insecure and out of date, and it will no longer boot.

This "developer support image" is new territory for Google. The company says this special image of Android 12 fixes the bootloader bug and has the fuse counter incremented so it will still boot. It won't get any automatic updates, though, and it's not Compatibility Test Suite (CTS)‑approved. The CTS is a check that promises an OS is unmodified, not rooted, and secure, and some banking apps and online games require passing this check in order to work. You'll also have to do a full wipe of a device if you ever want to go back to the normal, "public" builds and updates.

Crypto firm accidentally gave $10.5M to sisters, now wants their $1.35M house

Australian judge decided whether court docs could be served by OneDrive link.

After a Crypto.com employee entered the wrong account number and mistakenly sent AU$10.5 million to an Australian woman who had requested an AU$100 refund, a court document shows it took seven months for the cryptocurrency exchange platform to discover its error. By that point, the transfer error could not be reversed, and some of the money had allegedly already been spent.

The recipient, Thevamanogari Manivel, didn’t notify Crypto.com, instead allegedly transferring funds to bank accounts held by her and her family. Crypto.com claims Manivel used the money to buy her sister a modern million-dollar house, complete with a home gym and theater.

Last Friday, Justice James Elliott, a judge for the Victorian Supreme Court in Australia, issued a default judgment in the case. This became necessary because, as Crypto.com alleged in the court document, Manivel and other named defendants, including her sister Thilagavathy Gangadory, failed to respond to a court summons.

Dell confirms some XPS 13 Plus laptop screens may detach inadvertently

Dell says it’s reaching out to affected customers, retailers to replace the PCs.

Dell XPS 13 Plus

The Dell XPS 13 Plus laptop released this year was billed as the fancier version of one of the most well-known thin-and-light laptops, the Dell XPS 13. The XPS 13 didn't necessarily need a fancier version, but added features like a capacitive touch function row and support for a higher wattage CPU gave Dell enough justification to produce a new SKU carrying the "Plus" moniker. Ironically, though, early versions of one of the highest configurations of the XPS 13 Plus have a problem that's surprising for a laptop with its background.

A Dell representative confirmed to Ars Technica today that an "early batch" of Dell XPS 13 Plus laptops with OLED screens "may become loose because of problems with the third-party adhesive used." The issue was reported on yesterday by The Verge.

According to the rep, "only a small number of screens will detach" from laptops of the impacted batch. Dell wouldn't provide an exact number of units affected, but the laptops in question seem to include the first XPS 13 Pluses sent out to reviewers and early purchasers. Dell's rep said that once the issue with the adhesive was discovered, Dell corrected its production process, so other units should not be affected. Units with LCD-LED screens are unaffected, Dell said.

Kubuntu Focus NX is a compact desktop with Intel Tiger Lake and Kubuntu Linux software

The developers of the Kubuntu operating system have been selling a line of Linux laptops under the Kubuntu Focus brand for the past few years. Now the team is branching out into desktops. The Kubuntu Focus NX is a compact computer with a 28-watt, 11th-gen Intel Core processor and support for up to 64GB of […]

The post Kubuntu Focus NX is a compact desktop with Intel Tiger Lake and Kubuntu Linux software appeared first on Liliputing.

Indie dev mounts successful sting operation against scammy Steam curators

“Reviewers” seemed focused on getting free game keys for resale, not playing.

Artist's conception of indie developer Fabrice Breton knocking out some scammy curators.

Valve has removed a handful of Steam curator pages after a virtual sting operation exposed them as part of an apparent scam to acquire and resell free game keys.

In a Twitter thread posted earlier this week, Brok the Investigator developer Fabrice Breton discussed the flood of free game key requests he got from Steam curators after his game's recent launch. While some of those curator pages were no doubt legitimate, Breton suspected many more were scammers using artificially inflated curator pages to get free game keys. Those free keys could then be converted into cold hard cash through gray-market code resellers like G2A, thus eating into legitimate sales that provide profit to the developer.

To separate the scam curators from the real ones, Breton said he responded to those key requests with keys for the free, limited Prologue version of the game rather than the full release. While those keys would be indistinguishable from full ones before redemption, any curators actually interested in playing the game would quickly realize the difference and reach out about the problem.
