TRENDING TOPICS APR 08, 2025

Chrome 136 Closes 23-Year Privacy Loophole in Browsing History 

Google is rolling out a critical update in Chrome 136 that addresses a privacy flaw that has existed for more than two decades. The issue stems from the CSS :visited selector—a visual tool websites use to show users which links they’ve already clicked. While helpful on the surface, it has allowed malicious websites to quietly track browsing history by checking whether certain links rendered as visited. Because this information was historically shared across all sites, any webpage could test for previously visited URLs simply by embedding matching links and observing how they rendered. This design allowed third parties to infer a user’s online activity without consent or detection. Researchers have flagged the risk for years, but until now no browser had eliminated the flaw entirely.

Chrome 136 introduces a solution called “visited link partitioning,” which changes how visited links are recorded and displayed. Instead of maintaining a shared global list, Chrome now keeps track of visited links based on browsing context, which includes the top-level site where the link was clicked and the origin of the frame it was clicked in. This means a link visited while on one site will no longer show up as visited on another, effectively cutting off the technique attackers used to probe user history. The update preserves normal behavior for links within the same website, so pages on internal networks or wiki-style platforms still function as expected. With this change, Chrome becomes the first major browser to close this gap fully, setting a new bar for privacy standards across the web. It’s a much-needed fix that strengthens user protection without sacrificing usability. 
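To make the partitioning concrete, here is an added model (not Chrome's code, and not from the article) of the two visited-link stores: the old global set keyed only by link URL, and the Chrome 136 store keyed by link URL, top-level site and frame origin. The class names, the `siteOf` helper and the simulated sites (search.example, bank.example, attacker.example, wiki.corp.example) are assumptions for the illustration; `siteOf` reduces a host to its last two labels, a simplification of the Public Suffix List logic a real browser uses.

```javascript
// Added example: a model of visited-link storage before and after partitioning.
// Not Chrome's implementation; names and sample sites are constructed.

// siteOf(): reduce an origin to its "site" (scheme + registrable domain).
// Simplification: the last two host labels stand in for the registrable
// domain; real browsers consult the Public Suffix List.
function siteOf(origin) {
  const u = new URL(origin);
  const labels = u.hostname.split(".");
  const domain = labels.slice(-2).join(".");
  return `${u.protocol}//${domain}`;
}

// Pre-Chrome-136 behaviour: one global set keyed only by the link URL,
// so every page sees the same answer for the same link.
class GlobalVisitedStore {
  constructor() { this.visited = new Set(); }
  record(linkUrl) { this.visited.add(linkUrl); }
  isVisited(linkUrl) { return this.visited.has(linkUrl); }
}

// Chrome 136 behaviour: each entry is keyed by the triple
// (link URL, top-level site, frame origin). A page can only see visits
// that happened in its own browsing context.
class PartitionedVisitedStore {
  constructor() { this.visited = new Set(); }
  key(linkUrl, topLevelOrigin, frameOrigin) {
    return JSON.stringify([linkUrl, siteOf(topLevelOrigin), frameOrigin]);
  }
  record(linkUrl, topLevelOrigin, frameOrigin) {
    this.visited.add(this.key(linkUrl, topLevelOrigin, frameOrigin));
  }
  isVisited(linkUrl, topLevelOrigin, frameOrigin) {
    return this.visited.has(this.key(linkUrl, topLevelOrigin, frameOrigin));
  }
}

// Scenario: the user clicks a link to bank.example while on search.example.
// Later a third-party page (attacker.example) embeds the same link and
// checks how it renders. A same-site wiki is included to show that
// internal navigation is unaffected.
function simulate() {
  const link = "https://bank.example/account";
  const global = new GlobalVisitedStore();
  const partitioned = new PartitionedVisitedStore();

  // The click happens in the main frame of www.search.example.
  global.record(link);
  partitioned.record(link, "https://www.search.example", "https://www.search.example");

  // Internal wiki link clicked on the wiki itself.
  const wikiLink = "https://wiki.corp.example/page2";
  partitioned.record(wikiLink, "https://wiki.corp.example", "https://wiki.corp.example");

  return {
    // Old model: any site can observe the visit.
    globalLeaks: global.isVisited(link),
    // New model: a different top-level site gets "not visited".
    partitionedCrossSite: partitioned.isVisited(link, "https://attacker.example", "https://attacker.example"),
    // New model: same top-level site (search.example, any subdomain) and same frame origin still sees it.
    partitionedSameContext: partitioned.isVisited(link, "https://search.example", "https://www.search.example"),
    // Wiki-style internal links keep working.
    wikiStillWorks: partitioned.isVisited(wikiLink, "https://wiki.corp.example", "https://wiki.corp.example"),
  };
}

console.log(simulate());
```

The key is built from the top-level *site* rather than the exact origin, which is why the `www.` subdomain in the recording and the bare domain in the query still match; the frame origin stays exact, so a cross-site iframe embedded in search.example would still get its own partition.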

Google Patches Android Zero-Days Used in Cellebrite Exploit Chain 

Google’s April 2025 Android security update addresses 62 vulnerabilities, including two high-severity zero-days confirmed to have been exploited in targeted attacks. One of them, CVE-2024-53197, is a privilege escalation flaw in the Linux kernel’s USB audio driver for ALSA devices. Serbian authorities reportedly used it to unlock confiscated Android phones through an exploit chain developed by the Israeli digital forensics firm Cellebrite. The same chain included two previously patched zero-days: CVE-2024-53104 in the USB Video Class driver and CVE-2024-50302 in the Human Interface Device (HID) component. Amnesty International's Security Lab uncovered the chain in mid-2024 while analyzing logs from phones seized during investigations into youth activists. The exploit path allowed full device compromise through physical USB connections, bypassing user interaction. In January, weeks before public disclosure, Google had shared fixes with OEM partners. The second zero-day, CVE-2024-53150, is an out-of-bounds read issue in the Android kernel’s USB subsystem that can leak sensitive data without user involvement. While it's also confirmed to have been exploited, there are no public details yet on how it was used or who the targets were. Both vulnerabilities were marked as exploited under “limited, targeted” use, signaling nation-state or law enforcement involvement. These two flaws were patched under the 2025-04-05 security level, including Google-developed and third-party component fixes. Pixel devices receive updates immediately, while other manufacturers may delay deployment due to testing and hardware compatibility checks. Combined with earlier patches for the related CVEs, this update effectively shuts down the full Cellebrite-linked exploit chain. The incident highlights the ongoing threat posed by physical device access and underscores the importance of regular patching, especially for those at risk of surveillance. 

UAC-0226 Deploys GIFTEDCROOK Stealer via Phishing Campaigns Against Ukrainian Targets 

CERT-UA has identified a new wave of cyber attacks attributed to threat cluster UAC-0226, targeting the Ukrainian military, law enforcement, and local government bodies near the eastern border. The attack leverages phishing emails containing macro-enabled Excel spreadsheets referencing sensitive topics like demining, property compensation, and UAV production to lure victims. Once opened and macros are enabled, the spreadsheet triggers the execution of a PowerShell script from the "PSSW100AVB" GitHub repository, enabling a reverse shell. Simultaneously, it deploys a newly identified information stealer called GIFTEDCROOK. Developed in C/C++, GIFTEDCROOK is designed to exfiltrate cookies, browsing history, and login credentials from Chrome, Edge, and Firefox browsers. These phishing emails are sent from compromised accounts, using legitimate webmail interfaces to increase credibility and deceive recipients. This campaign is part of a broader pattern of cyber-espionage operations in the region. In late 2024, a Russia-linked actor labeled UNC5837 launched another phishing campaign aimed at European government and military institutions, tracked as UAC-0215 by CERT-UA. That campaign used signed [.]RDP file attachments to initiate Remote Desktop Protocol connections, not for interactive access, but to map victim drives and deploy attacker-controlled apps via RemoteApps. Tools like PyRDP were used to automate the theft of files, clipboard content, and environment variables. In parallel, other threat actors have been observed using drive-by downloads to drop Legion Loader malware through fake CAPTCHA and Cloudflare Turnstile workflows. This loader installs a rogue Chromium browser extension under the pretense of a “Save to Google Drive” tool, which hijacks the browser, activates developer mode, and exfiltrates sensitive data. 
These overlapping campaigns show a coordinated effort to compromise high-value targets in Ukraine and Europe through layered, deceptive delivery techniques. 
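The signed .rdp attachments mentioned above work because an .rdp file is a plain-text list of `name:type:value` settings that the client honours on connect, including drive and clipboard redirection and RemoteApp mode. The following is an added example (not a CERT-UA, Mandiant or vendor tool) of a small triage check a mail-gateway or SOC script could run over such an attachment: it parses the file and flags the settings that give the remote host access to local resources. The setting names used (`full address`, `drivestoredirect`, `redirectclipboard`, `redirectprinters`, `redirectcomports`, `remoteapplicationmode`) are standard .rdp settings; the sample file content, the IP address and the function names are constructed for this example.

```python
"""Added example: flag risky settings in an .rdp file attachment.
Not a tool from the article or any vendor; sample content is constructed."""
import re
from typing import Callable, Dict, List, Tuple

# .rdp line format: name:type:value  (type i = integer, s = string).
# Names may contain spaces ("full address"); values may contain colons.
LINE_RE = re.compile(r"^([^:]+):([is]):(.*)$")

# name -> (expected type, predicate on value, why it matters to a defender)
RISKY_SETTINGS: Dict[str, Tuple[str, Callable[[str], bool], str]] = {
    "drivestoredirect": ("s", lambda v: v.strip() != "",
                         "local drives are exposed to the remote host"),
    "redirectclipboard": ("i", lambda v: v.strip() == "1",
                          "clipboard contents are shared with the remote host"),
    "redirectprinters": ("i", lambda v: v.strip() == "1",
                         "local printers are exposed to the remote host"),
    "redirectcomports": ("i", lambda v: v.strip() == "1",
                         "serial/COM ports are exposed to the remote host"),
    "remoteapplicationmode": ("i", lambda v: v.strip() == "1",
                              "RemoteApp mode: remote host presents its own programs as local windows"),
}


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse .rdp text into {name: (type, value)}. Skips blank and malformed
    lines; strips a UTF-8 BOM (files saved by mstsc often carry one)."""
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        name, typ, value = m.groups()
        settings[name.strip().lower()] = (typ, value)
    return settings


def assess_rdp(text: str) -> List[str]:
    """Return one human-readable finding per risky setting present in the file."""
    settings = parse_rdp(text)
    findings: List[str] = []
    for name, (typ, is_risky, why) in RISKY_SETTINGS.items():
        if name in settings:
            actual_type, value = settings[name]
            if actual_type == typ and is_risky(value):
                findings.append(f"{name}={value.strip()}: {why}")
    return findings


def session_target(text: str) -> str:
    """The host the client would connect to ('' if absent), for allow-listing."""
    return parse_rdp(text).get("full address", ("s", ""))[1].strip()


def is_high_risk(text: str) -> bool:
    """True for the combination described in the campaign: RemoteApp mode
    together with local drive redirection (remote programs can read mapped drives)."""
    settings = parse_rdp(text)
    remoteapp = settings.get("remoteapplicationmode", ("i", "0"))[1].strip() == "1"
    drives = settings.get("drivestoredirect", ("s", ""))[1].strip() != ""
    return remoteapp and drives


# Constructed sample attachment (documentation IP range; not a real indicator).
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:198.51.100.23
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
remoteapplicationmode:i:1
remoteapplicationprogram:s:||constructed-app
"""

if __name__ == "__main__":
    print("target:", session_target(SAMPLE_RDP))
    for finding in assess_rdp(SAMPLE_RDP):
        print(" -", finding)
    print("high risk:", is_high_risk(SAMPLE_RDP))
```

A real deployment would pair `session_target` with an allow-list of known RDP gateways and treat any signed .rdp attachment that combines `remoteapplicationmode:i:1` with drive redirection to an unknown host as a quarantine candidate rather than a warning.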

Update: Oracle Confirms Breach Following Prior Disclosure by Threat Actor Rose87168 

Oracle Corporation has officially acknowledged a security breach that aligns with key details previously reported in our March 2025 analysis of the Oracle Cloud compromise attributed to threat actor Rose87168. At the time, CloudSEK’s XVigil platform had identified the breach and provided evidence of stolen data involving Oracle’s SSO and LDAP systems. Oracle had publicly denied those claims, insisting no data was compromised within its cloud infrastructure. However, in this latest update, Oracle has confirmed that attackers successfully exfiltrated usernames, passkeys, and encrypted passwords—specifically from legacy accounts—marking a significant shift in the company’s stance. The acknowledgment follows direct client notifications sent earlier this week, confirming credential theft and advising impacted organizations to update their login details. While Oracle has not disclosed the specific attack vector or vulnerability exploited, the confirmation validates the indicators of compromise and breach mechanics detailed in our earlier reporting, including the exposure of authentication data and federated identity elements through the login[.]us2[.]oraclecloud[.]com endpoint. This marks the second breach Oracle disclosed within a month, raising concerns about systemic vulnerabilities within its infrastructure. Although details remain limited, Oracle’s confirmation brings public validation to threat intelligence findings that were previously dismissed. The new information emphasizes that the compromised credentials relate to older accounts, but the risk persists, given that attackers could still use the data for unauthorized access, phishing campaigns, or lateral movement within enterprise environments. Oracle has stated it is actively investigating the breach and working with cybersecurity experts to mitigate its impact, yet clients continue to express frustration over the lack of transparency regarding the attack’s scope and underlying cause. 
The breach underscores the need for credential rotation, MFA adoption, and decommissioning of stale account access. With Oracle now forced to confront the incident publicly, the spotlight remains on whether further disclosures or victim impact reports will emerge in the coming weeks. 

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.