Search engine giant Google is asking Chromebook users to update their devices after discovering a critical vulnerability in its two-factor authentication procedures. The vulnerability affects the Chrome OS ‘built-in security key’ feature, which allows users to use the Chromebook itself in place of a USB or Bluetooth security key. An attacker can exploit the flaw to compromise the private key and obtain users’ usernames and passwords.
With this Chrome OS feature, Chromebook users can complete authentication with a short press of the power button instead of waiting for a one-time 2FA code. “We confirmed that the incorrect generation of the secret value allows it to be recovered, which in turn allows the underlying ECC private key to be obtained,” Google said in a statement.
Google stated that Chrome OS v75 will ship a new firmware version, 0.3.15, to fix the issue.
Recently, Google revealed that scammers are running phishing attacks that abuse Google Calendar services to trick users into giving away sensitive information such as passwords, card details, and other financial data. The threat intelligence and cybersecurity firm Kaspersky stated that it detected many unsolicited pop-up calendar notifications sent to Gmail users by cybercriminals as a sophisticated spam email attack.
“Spam and phishing threats that exploit non-traditional attack vectors can be lucrative for criminals, as they can often successfully trick users who might not fall for a more obvious attack. This is particularly true when it comes to trusted legitimate services, such as email calendar features, which can be exploited through so-called ‘calendar phishing’,” Kaspersky explained.
According to Kaspersky, the calendar phishing emails exploit the feature that automatically adds calendar invitations and sends notifications for them to people using Gmail on their phones.