In April 2021, Brendon Tiszka reported a security vulnerability in Google's Chrome browser. The flaw allowed a sandbox escape: an exploit in which code running inside one of the browser's restricted processes breaks out of those restrictions and reaches the underlying operating system. Google paid him $27,000 for the report, the highest single payout for a browser bug that year under its programme for rewarding people who find weaknesses in its products.
For Tiszka, however, this was just another day at work, since he is a professional bug hunter. Bug hunters form a worldwide community of hackers who take part in vulnerability reward programmes set up by technology companies. The reasoning behind these programmes is straightforward: all software contains bugs, and the pressure to ship products conflicts with the time it would take to eliminate every possible issue, if that is even achievable.
Bug bounty programmes let companies enlist the industry's best hackers to find flaws so they can be fixed promptly. Google started its bug bounty programme in 2010, when such schemes were rare, and it has since flourished; in 2021 alone it paid $8.7 million to 696 hunters. The company also maintains a leaderboard for participants, offers training for aspiring hunters through its Bug Hunter University, and hands out merchandise to build community spirit.
Tiszka's journey into bug hunting began in 2012, during his high school years in Missouri, when he read about a Google hacking contest in which a teenager received $60,000 for finding a vulnerability in Chrome. "I thought that was amazing and wanted to get involved," recalls Tiszka, now 28 and living in New York City. He spent the next four years studying computer science. After graduating from the University of Missouri in 2016 and taking a job at a major tech firm, he used his spare time to hunt for critical bugs in Chrome. Within about a month he found one, and Google paid him $7,500 for it, a milestone for him.
Since 2016, Tiszka has found 13 vulnerabilities in Chrome, earning roughly $200,000. The money helped fund a year-long career break for travel, but his motivation goes beyond income. Many vulnerability researchers are driven by a passion for the craft, and praise from peers for a well-executed exploit is its own reward. This summer he received a larger form of recognition when Google hired him as a Security Engineer on its Chrome Security Team, a common step for top talent in the field.
According to Jen Langholz, the Chrome Browser Enterprise Lead, understanding a hacker's mindset is crucial to preventing attacks. The work of Tiszka and other Chrome vulnerability hunters matters more and more because many browsers are built on Chromium's open-source codebase, and browsers play an essential role in daily life. Once just one of many applications we used, the browser has become central to both work and personal activity. With the rise of cloud-based productivity tools and the rapid growth of e-commerce, our reliance on it has intensified. For convenience, browsers now store sensitive information such as passwords, addresses and credit card details, and that has not gone unnoticed by cybercriminals.
As a result, browser security has never been more critical. It involves not only finding and fixing vulnerabilities but also turning the browser into a proactive security instrument that can detect attacks in real time, gather threat data, and stop attacks before they succeed. Browser technology has therefore become a dynamic area of cybersecurity innovation, with developers working both to keep it secure against current threats and to prepare it for future ones.
The Browser: Cybersecurity's Front Line
Ransomware inflicted an estimated $20 billion loss on global businesses in 2021, according to Cybersecurity Ventures. Attacks are also becoming more frequent: UK government figures indicate that nearly one-third of companies experience cyberattacks at least weekly, and many incidents likely go unnoticed. Two main factors are driving this increase.
First, the cybercrime sector keeps growing, with organised criminal groups offering ransomware-as-a-service at scale. As defences improve across the board, attackers are specialising in particular vulnerabilities within systems, notes James Shires, Senior Research Fellow in Cyber Policy at Chatham House. Competition among criminal groups also drives greater professionalism: they adapt their tactics to stay at the top of the market and sometimes agree not to attack each other's targets. Nation-states that tolerate or sponsor cybercrime against adversaries add significantly to the problem.
The second factor is the pandemic, which drove a rise in flexible working that many organisations have kept even as conditions have stabilised. An unprecedented share of collaboration and productivity now happens in the cloud.
Consequently, for businesses today, the browser has become the crucial endpoint to manage and protect.
In the past, companies could rely on employees using locked-down machines connected to a protected corporate network. With hybrid work now the norm, staff frequently reach company resources from personal devices in diverse locations, such as their homes or cafes, over networks the company does not control and cannot trust.
The browser's protective role is therefore increasingly important. Phishing, for instance, was behind nearly 90% of data breaches in 2020, as reported by Cisco. When users click a malicious link they risk a compromised device or stolen credentials. The browser is the component best placed to recognise such links and warn the user before any harm is done.
Browsers are also hardening themselves, since their ubiquity makes them attractive targets. Attackers look for weaknesses not only in the browser's core code but in its supporting components: the extensions that add features and the cache that speeds up page loads. If these are poorly secured they become entry points.
Given the risks, it might seem appealing to switch off every non-essential browser feature. Disabling usability options and enabling more security-focused settings does make a browser harder to exploit and improves both security and privacy, says Joseph Steinberg, a corporate cybersecurity consultant and expert witness in US cybersecurity cases. In specific scenarios, such as an accounts payable employee who handles large wire transfers, it may be prudent to issue a dedicated device whose internet access is restricted to the authorised sites those transactions require.
Applying such strict measures to an ordinary work computer, however, is impractical: it creates constant friction, and staff feel over-monitored or hemmed in.
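One concrete way to build the restricted accounts-payable device Steinberg describes is Chrome's managed policy mechanism. The file below is an added example written for this page, not configuration from the article or from Google, and the hostnames are placeholders. Chrome's default is to have none of these policies set, which leaves every site, every extension, Incognito and DevTools available. This file inverts that: block every URL and then allow only the payment hosts, block every extension, disable DevTools and Incognito, and force Enhanced Safe Browsing.

```json
{
  "URLBlocklist": ["*"],
  "URLAllowlist": [
    "https://payments.example.com",
    "https://bank.example.net",
    "https://login.example.com"
  ],
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": [],
  "DeveloperToolsAvailability": 2,
  "IncognitoModeAvailability": 1,
  "SafeBrowsingProtectionLevel": 2,
  "PasswordManagerEnabled": false,
  "BrowserSignin": 0
}
```

On Linux this is dropped into `/etc/opt/chrome/policies/managed/` (the file name is arbitrary); on Windows and macOS the same policy names are applied through Group Policy or a configuration profile, and Chrome Browser Cloud Management can push them from the admin console. The effective settings, and any that failed to parse, are visible at `chrome://policy`. The value meanings are Chrome's: `DeveloperToolsAvailability` 2 disallows DevTools entirely, `IncognitoModeAvailability` 1 disables Incognito, and `SafeBrowsingProtectionLevel` 2 is Enhanced. One caveat a practitioner should check: an allowlist entry admits the whole host, so adding a broad CDN or a shared identity provider to the allowlist quietly reopens the hole the blocklist closed.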
How Browsers Are Responding
In June 2022, the Internet Engineering Task Force published a revised set of specifications for the Hypertext Transfer Protocol (HTTP), the protocol browsers use to talk to servers and retrieve web pages. Among other changes, the revision tackled security by making encryption the default: the newest version, HTTP/3, runs only over the encrypted QUIC transport. The work reflects a broader push across the industry to strengthen browser security.
There has been a noticeable rise in startups dedicated to developing browsers tailored for business environments. Meanwhile, leading browser companies are intensifying their security measures.
Popular browsers like Google Chrome, which is utilised by over 60% of global users, cater to both individual and corporate needs. For instance, Chrome offers specific enterprise features such as Chrome Browser Cloud Management, designed to aid IT managers in overseeing extensive networks that include both office and remote connections.
With it, IT departments can see the state of each employee's browser, enforce rules on extensions and site access, and block access from outdated, vulnerable browser versions to protect the organisation's network. Such capabilities prove their worth during a live incident: when senior management wants to know whether an attack affects the company, simply establishing what software employees are running can be surprisingly hard.
According to Philippe Rivard, Group Product Manager for Chrome Browser Enterprise, a centralised report in the admin console of which Chrome and extension versions are in use, which can be cross-referenced against newly disclosed vulnerabilities, gives IT teams real support in those moments.
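The cross-referencing Rivard describes is, in practice, a script run over the console's version export. The following is an added example, not Google's tooling: it parses four-part Chrome version strings, compares them numerically, and lists the devices still below the version that carries the fix. The inventory rows and the fixed version are constructed for illustration; a real export would come from Chrome Browser Cloud Management and the fixed version from the vendor's release notes.

```javascript
// Added example (not Google's tooling): cross-reference a Chrome version
// inventory, as exported from a central admin console, against the version
// in which a fix shipped. All data below is constructed for illustration.

// Parse a four-part Chrome version such as "117.0.5938.62" into integers.
// Throws on anything else so that a blank or "unknown" cell cannot be
// mistaken for an up-to-date browser.
function parseVersion(version) {
  const parts = String(version).trim().split('.');
  if (parts.length !== 4 || parts.some((p) => !/^\d+$/.test(p))) {
    throw new Error(`malformed Chrome version: ${version}`);
  }
  return parts.map(Number);
}

// Numeric, component-wise comparison. A plain string comparison would rank
// "99.0.4844.51" above "117.0.5938.62" because "9" > "1", which is exactly
// the mistake that leaves old installs unreported.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 4; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Return the devices still running a build older than fixedVersion, and
// separately the devices whose version could not be parsed. Unknown is
// reported, not dropped: an unreadable version is not evidence of safety.
function findExposed(inventory, fixedVersion) {
  const exposed = [];
  const unknown = [];
  for (const row of inventory) {
    try {
      if (compareVersions(row.version, fixedVersion) < 0) exposed.push(row);
    } catch (err) {
      unknown.push({ ...row, reason: err.message });
    }
  }
  return { exposed, unknown };
}

// Constructed inventory rows, in the shape a console export might give.
const SAMPLE_INVENTORY = [
  { device: 'ap-ws-01', user: 'alice', version: '116.0.5845.187' },
  { device: 'ap-ws-02', user: 'bob', version: '117.0.5938.62' },
  { device: 'eng-ws-07', user: 'carol', version: '117.0.5938.92' },
  { device: 'eng-ws-09', user: 'dave', version: '99.0.4844.51' },
  { device: 'kiosk-03', user: '', version: 'unknown' },
];

// Hypothetical version in which the fix for the advisory being triaged shipped.
const FIXED_IN = '117.0.5938.62';

// One line per device that needs action.
function report(inventory = SAMPLE_INVENTORY, fixedVersion = FIXED_IN) {
  const { exposed, unknown } = findExposed(inventory, fixedVersion);
  const lines = exposed.map(
    (r) => `EXPOSED  ${r.device} (${r.user}) ${r.version} < ${fixedVersion}`,
  );
  lines.push(...unknown.map((r) => `UNKNOWN  ${r.device}: ${r.reason}`));
  return lines;
}

console.log(report().join('\n'));
```

The two things worth noticing are that `eng-ws-09` is only caught because the comparison is numeric, and that `kiosk-03` is surfaced rather than silently skipped; an incident report that says "no exposed devices" because the broken rows were dropped is worse than no report.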
Browsers designed with security in mind put several protective measures in front of the user before a threat is reached. Chrome, for instance, offers Enhanced Safe Browsing, which actively shields users from harmful downloads, websites and extensions. According to Oliver Madden, a Chrome Browser Enterprise Specialist, the Safe Browsing technology built into Chrome currently protects 5 billion devices from unsafe sites.
The extensive data Google has gathered about the threat landscape lets it apply machine learning to flag dangers it has not seen before, in effect adopting the attacker's perspective. Should an attacker get past these first defences, the browser relies on two further mechanisms to limit the damage: sandboxing and site isolation.
Sandboxing restricts what the browser's own processes can do on the operating system: the renderer process that parses pages and runs JavaScript, for example, cannot freely read files, open arbitrary network connections or touch other processes. Site isolation goes further by giving each site its own sandboxed renderer process, so a renderer that is compromised, or that leaks memory through a side channel, holds only that site's data. Madden notes that Chrome was the pioneer in robust sandboxing and later introduced site isolation in response to threats such as Spectre and Meltdown. Both techniques work by confining an attack to a small part of the system, which makes it harder for malicious code to run or persist after the browser or tab is closed,
and far less likely to reach the file system or another site's data. Online security also depends on user behaviour, however, and promoting good habits has been difficult since the internet's inception.
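Site isolation is something the browser does internally, but the same post-Spectre concern has a web-facing side that a site operator controls: a page only gets precise timers and SharedArrayBuffer back if it declares itself cross-origin isolated through the Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy headers, and under COEP each cross-origin subresource must consent via Cross-Origin-Resource-Policy. The following checker is an added example, not Chrome's code or anything from the article; the two header sets are constructed to show a weak deployment (COOP absent, COEP only in report-only mode) beside a hardened one.

```javascript
// Added example (not Chrome's code): check whether a response opts its page
// into cross-origin isolation, the web-facing complement to the browser's
// internal site isolation. Browsers withhold precise timers and
// SharedArrayBuffer unless both headers below are present and enforced.
// The header sets at the bottom are constructed for illustration.

// Case-insensitive header lookup that returns the policy token only,
// dropping parameters such as report-to="endpoint".
function headerValue(headers, name) {
  const want = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === want);
  if (key === undefined) return null;
  return String(headers[key]).split(';')[0].trim().toLowerCase();
}

// A document is cross-origin isolated only when
//   Cross-Origin-Opener-Policy: same-origin          (own browsing context group)
//   Cross-Origin-Embedder-Policy: require-corp | credentialless
// The *-Report-Only variants never count: they log, they do not enforce,
// and because we look up the exact header names they are simply not found.
function crossOriginIsolationStatus(headers) {
  const coop = headerValue(headers, 'Cross-Origin-Opener-Policy');
  const coep = headerValue(headers, 'Cross-Origin-Embedder-Policy');
  const problems = [];
  if (coop !== 'same-origin') {
    problems.push(`COOP is ${coop === null ? 'missing' : JSON.stringify(coop)}; need same-origin`);
  }
  if (coep !== 'require-corp' && coep !== 'credentialless') {
    problems.push(`COEP is ${coep === null ? 'missing' : JSON.stringify(coep)}; need require-corp or credentialless`);
  }
  return { isolated: problems.length === 0, coop, coep, problems };
}

// Under COEP require-corp, a no-cors subresource from another origin loads
// only if its Cross-Origin-Resource-Policy admits the embedding page.
// relation describes page vs. resource: 'same-origin', 'same-site' or 'cross-origin'.
function corpAllows(corpValue, relation) {
  if (relation === 'same-origin') return true; // CORP never blocks same-origin loads
  const corp = corpValue === null ? null : String(corpValue).trim().toLowerCase();
  if (corp === 'cross-origin') return true;
  if (corp === 'same-site') return relation === 'same-site';
  return false; // header absent, or value same-origin: blocked for other sites
}

// Weak: no COOP at all, and COEP only in report-only mode.
const WEAK_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Cross-Origin-Embedder-Policy-Report-Only': 'require-corp',
};

// Hardened: both policies enforced, with reporting kept as a parameter.
const HARDENED_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'cross-origin-opener-policy': 'same-origin; report-to="coop"',
  'cross-origin-embedder-policy': 'require-corp; report-to="coep"',
};

console.log(crossOriginIsolationStatus(WEAK_HEADERS));
console.log(crossOriginIsolationStatus(HARDENED_HEADERS));
```

The report-only trap is the one that bites in practice: a team deploys `Cross-Origin-Embedder-Policy-Report-Only`, sees no breakage, and assumes it is isolated. The checker treats report-only as absent, which is also what the browser does. Likewise, `corpAllows` returns false for a cross-origin resource with no CORP header, so moving a page to `require-corp` means auditing every third-party image, script and font it embeds.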
Chrome tries to turn those moments into teaching opportunities; for example, it alerts users when they enter a corporate password on an unsanctioned site and prompts them to change it. Lorena Crowley, Product Marketing Lead for Chrome Browser Enterprise, believes most people want to protect both their personal information and company data and are inclined to make responsible choices online.
What Lies Ahead?
It is often said that today's innovations are tomorrow's vulnerabilities, and James Shires of Chatham House stresses that this is more than a cliche. As we adopt features such as voice-enabled browsing, AI assistance, smart autofill and faster page loading, we have to consider the weaknesses they introduce.
These could be numerous. Storing personal voice data in the browser, or giving opaque AI systems a larger role, creates new targets for cybercriminals.
And as browsers move into new settings such as virtual environments, scams will change shape: a con artist in the metaverse might approach you as an avatar and talk you into something, rather than relying on a notification or an ad.
Professor Victoria Baines notes that adapting security to this will require collaboration across the security sector, building on existing techniques such as AI threat detection and sandboxing to develop new ways of protecting virtual interactions. Education, she says, is paramount. As more information is delivered straight into our line of sight, the need for people to apply critical thinking will only grow. As the internet saying goes: stay alert.
Maxthon
Smartphones play a vital role in our everyday routines, which makes protecting them more important than ever. The first step in securing your device is to find the Maxthon Security app: open your device's app store, search for Maxthon Security, and tap the download button to begin strengthening your phone's defences.
Once installation finishes, launch the app. On first open it prompts you to create a strong password or PIN. This should not be a password you use anywhere else; choose a long combination of letters, numbers and symbols that can stand up to guessing. After selecting and confirming one, you are ready to set up the remaining protections.
If your smartphone includes biometric features like fingerprint scanning or facial recognition, now is the perfect moment to utilise this advanced technology. Head into Maxthon Security’s settings and activate these features; they provide an extra layer of defence against unauthorised access. With these foundational steps completed, it’s time to enable real-time protection—a feature crafted for constant vigilance against new threats. Within the settings of Maxthon Security lies this powerful tool; turning it on means that your phone will continuously monitor for any signs of danger lurking in cyberspace. If anything suspicious occurs, you’ll receive immediate notifications—like having an ever-vigilant guardian by your side.
However, don’t become complacent! Regular updates are crucial to keeping Maxthon Security operating at its best against evolving cyber risks. In fact, consider activating automatic updates in your device settings so that you can effortlessly maintain optimal security without needing constant manual checks.