Claire Airdrop
A security researcher scores $250,000 for a Chrome bug, WinRAR patches another zero day, new vulnerabilities found in the Tetra communications protocol, and a researcher gains access to Microsoft's internal network for fun and no profit. This is the Risky Bulletin prepared by Catalyn Kimparnu and read by me, Claire Airdrop. Today is the 11th of August and this podcast episode is brought to you by Yubico, the inventor of the Yubikey.

Google has paid a bug hunter $250,000 for a novel sandbox escape in Chrome. The flaw was reported in April and it was patched the following month. The vulnerability was in Mojo, a Chrome component for managing how the browser's internal processes communicate. The bug allowed attackers to impersonate the browser's privileged parent process and from there escape the sandbox. The bounty is one of Google's largest to date. In 2022 it paid $605,000 in a single reward.

An EU law restricting the use of spyware and surveillance against journalists has come into effect. The European Media Freedoms Act was introduced in 2022 and adopted in early 2024. Multiple press freedom organisations have said the legislation is ineffective as most EU governments have not begun implementing it at a national level.

Large Russian corporations will be prohibited from storing the personal data of citizens in foreign cloud environments. The ban is expected to come into effect in September 2027. It will not apply to small and medium-sized companies or individuals.

The credit's DeFi platform has disappeared from the Internet following a hack last week. The platform has deleted its social media accounts and taken down its website. Last Monday, the attacker took control of an admin wallet and stole almost $4.5 million worth of assets before it went offline. Credits promised to reimburse users.

Four nationals of Ghana have been extradited to the US to face charges over their roles in a scam operation. The four allegedly stole more than $100 million using romance and BEC scams. If found guilty, they each face up to 75 years in prison.

18 Chinese nationals accused of operating a scam call centre in Thailand have been detained. The call centre operated for three months from a rented house in the city of Chiang Mai. It targeted other Chinese speakers. According to the Bangkok Post. The suspects all attempted to flee. Eight were injured after jumping from the second floor of the house.

Russian authorities have opened the country's first criminal dropper investigation. The term dropper refers to an individual who manages money mules. A Moscow man was charged last with paying mules to open bank accounts that received stolen funds. Russian police tracked down the suspect after a mule took advantage of a law offering immunity for cooperating with authorities.

Retired and elderly Americans lost $700 million to scams last year, according to the Federal Trade Commission. Its statistics showed a dramatic increase since 2022, when the figure was 120 million, the report said. Many of the scammers impersonate the FTC and target older Americans wanting to protect their funds.

A group of white hat hackers has volunteered to help protect the water systems of small US municipalities. The DEFCON Franklin team will offer no cost support on network mapping, password protocols and OT assessments. The group's already deployed volunteers across four US States as part of a pilot program.

Team Atlanta has won DARPA's AI competition. The AI Cyber Challenge took place over two years. The final was held at the DEFCON Security Conference over the weekend. The winning team is comprised of experts from Georgia Tech, Samsung, Pohang University and the Korea Advanced Institute of Science and Technology. Security firm Trailer Bits and Theory finished second and third. The top three teams will receive $4 million, $3 million and $1.5 million, respectively.

A security researcher has gained access to more than 20 Microsoft internal services isecurity's Vaisha Bernard to systems that managed Copilot, Bing, Azure, APIs and Microsoft billing. Bernard says he exploited an Entra ID OAuth misconfiguration that was shared by many Microsoft systems. He even gained access to a system that could approve his own bounty payments. Despite this, Bernard was not paid a reward.

Security researchers have broken the Terrestrial Trunked Radio Communications Protocol for the second time. Also known as Tetra, the protocol is widely used by law enforcement, military and critical infrastructure operators. Security firm Midnight Blue first cracked Tetra in 2023. It found new vulnerabilities in the protocol's updated end-to-end encryption. The updated version was intended to address the previously discovered vulnerabilities. Midnight Blue's latest findings include a scenario where the protocol intentionally weakens its encryption key, allowing for traffic decryption.

The WinRAR file archiver has patched an actively exploited zero day. The path traversal vulnerability allows attackers to write files outside the intended location. Security firm ESET discovered and reported the zero day. Russian security firm Bizone appears to have linked the attacks to the Paper Werewolf APT group, also known as GoFi.

The Embargo ransomware gang has collected more than $34 million since last April. Blockchain intelligence firm TRM Labs said most victims were located in the US. The group is believed to be a rebrand of the Alf V operation that was shuttered by authorities last year.

A threat actor has uploaded more than 60 malicious packages to the RubyGems repository. The libraries posed as automation utilities but stole login credentials for social media and marketing tools. Their campaign's been running for more than two years. According to Socket Security, the packages have been downloaded more than 275,000 times.

Instagram has released a new feature allowing users to share their location. The Instagram map feature was released last week and is turned off by default. When turned on, posts are shown on a map with precise locations. Instagram had a similar feature about a decade ago. It was discontinued after complaints about harassment and stalking.

And finally, a California man is suing Microsoft over the discontinuation of Windows 10 later this year. Lawrence Klein claims the Windows 10 end of life is part of Microsoft's plan to monopolize the generative AI market. Klein says Microsoft is using forced obsolescence to make users switch to Windows 11, which comes pre-installed with the company's gen AI tools.

And that's all for this podcast edition. Today's show was brought to you by our sponsor, Yubico. Find them at yubico.com. Thanks for your company.
Risky Bulletin Summary: Researcher Scores $250,000 for Chrome Bug
Podcast Information:
Title: Risky Bulletin
Host/Author: risky.biz
Description: Regular cybersecurity news updates from the Risky Business team...
Episode: Risky Bulletin: Researcher scores $250,000 for Chrome bug
Release Date: August 11, 2025
In a significant win for cybersecurity researchers, Google has awarded a $250,000 bounty to a security researcher for discovering a novel sandbox escape vulnerability in Chrome. As Claire Airdrop highlights at [00:04], "Google has paid a bug hunter $250,000 for a novel sandbox escape in Chrome." This particular flaw was identified in April and promptly patched by Google the subsequent month. The vulnerability resided within Mojo, a critical Chrome component responsible for managing internal process communications. By exploiting this bug, attackers could impersonate the browser's privileged parent process, thus breaching the sandbox environment. Notably, this bounty stands as one of Google's largest; in 2022 the company paid $605,000 for a single issue.
The European Union has enacted the European Media Freedoms Act, aimed at restricting the use of spyware and surveillance against journalists. Introduced in 2022 and adopted in early 2024, Claire notes at [00:04], "Multiple press freedom organisations have said the legislation is ineffective as most EU governments have not begun implementing it at a national level." Additionally, the EU is set to impose a ban in September 2027 on large Russian corporations storing citizens' personal data in foreign cloud environments. This prohibition exempts small and medium-sized enterprises and individuals, reflecting a targeted approach to data security.
The decentralized finance (DeFi) platform Credit has vanished from the internet following a significant hack last week. Claire details at [00:04], "The platform has deleted its social media accounts and taken down its website. Last Monday, the attacker took control of an admin wallet and stole almost $4.5 million worth of assets before it went offline." In response, Credit has pledged to reimburse its users, aiming to mitigate the impact of the breach despite the platform's sudden disappearance.
Extradition of Ghanaian Nationals: Four individuals from Ghana have been extradited to the United States to face charges related to large-scale scam operations. According to Claire at [00:04], "They allegedly stole more than $100 million using romance and BEC scams," with potential penalties of up to 75 years in prison for each defendant.
Detention of Chinese Nationals in Thailand: Seventeen Chinese nationals operating a scam call center in Chiang Mai, Thailand, have been detained. As reported by Claire, "The call centre operated for three months from a rented house... targeting other Chinese speakers." The Bangkok Post added that all suspects attempted to flee, resulting in eight injuries from jumping out of the second floor.
Russia's First Criminal Dropper Investigation: In a pioneering move, Russian authorities have initiated the country's first criminal dropper investigation. Claire explains at [00:04], "A Moscow man was charged with paying money mules to open bank accounts that received stolen funds," highlighting the innovative approach in tracking and prosecuting financial crimes.
FTC Reports Surge in Scams Against Elderly Americans: The Federal Trade Commission (FTC) revealed that retired and elderly Americans lost a staggering $700 million to scams in the past year, a dramatic increase from $120 million in 2022. Claire underscores, "Many of the scammers impersonate the FTC," preying on vulnerable individuals seeking to protect their funds.
DEFCON Franklin Team Volunteers to Protect Municipal Water Systems: A group of white hat hackers, known as the DEFCON Franklin team, is offering free cybersecurity support to small U.S. municipalities. Claire mentions, "The group has already deployed volunteers across four US States as part of a pilot program," providing essential services such as network mapping and OT assessments.
DARPA's AI Cyber Challenge Victory: Team Atlanta triumphed in DARPA's AI Cyber Challenge, a two-year competition culminating at the DEFCON Security Conference. Claire states, "The winning team is comprised of experts from Georgia Tech, Samsung, Pohang University, and the Korea Advanced Institute of Science and Technology," earning a $4 million prize. Security firm Trailer Bits and Theory secured second and third places with rewards of $3 million and $1.5 million, respectively.
Microsoft's Internal Systems Breached: Security researcher Vaisha Bernard exploited an OAuth misconfiguration in Entra ID, gaining unauthorized access to over 20 Microsoft internal services, including those managing Copilot, Bing, Azure, APIs, and billing systems. Claire reports at [00:04], "He even gained access to a system that could approve his own bounty payments. Despite this, Bernard was not paid a reward," raising questions about Microsoft's vulnerability handling and bounty policies.
Tetra Communications Protocol Exploited Again: The Terrestrial Trunked Radio (TETRA) communications protocol, essential for law enforcement and military operations, has been compromised for the second time. Security firm Midnight Blue identified new vulnerabilities in Tetra's updated end-to-end encryption, which was initially designed to fix prior issues. Claire elaborates, "The latest findings include a scenario where the protocol intentionally weakens its encryption key, allowing for traffic decryption."
WinRAR Patches Zero-Day Vulnerability: WinRAR has addressed an actively exploited zero-day vulnerability involving path traversal, which allowed attackers to write files outside designated directories. Security firm ESET discovered and reported this flaw. Additionally, Russian security firm BizOne has connected the attacks to the Werewolf APT group, also known as GoFi.
Embargo Ransomware Gang's Financial Impact: The Embargo ransomware group has amassed over $34 million since April, primarily targeting U.S. victims according to blockchain intelligence firm TRM Labs. Claire notes, "The group is believed to be a rebrand of the Alf V operation that was shuttered by authorities last year," indicating a continuity of malicious activities under a new guise.
Malicious Packages in RubyGems Repository: A threat actor has uploaded more than 60 malicious packages to the RubyGems repository, masquerading as automation utilities while stealing login credentials for social media and marketing tools. Claire underscores the severity, "Their campaign's been running for more than two years," with over 275,000 downloads as reported by Socket Security.
Instagram's New Location-Sharing Feature: Instagram has reintroduced a location-sharing feature, enabling users to display precise locations on a map with their posts. Claire explains at [00:04], "The feature was released last week and is turned off by default." This move echoes a similar feature from a decade ago, which was discontinued due to issues related to harassment and stalking, raising concerns about user privacy and safety.
Lawsuit Against Microsoft Over Windows 10 Discontinuation: A California man, Lawrence Klein, is suing Microsoft in response to the planned discontinuation of Windows 10 later this year. As Claire states, "Klein claims the Windows 10 end of life is part of Microsoft's plan to monopolize the generative AI market," accusing the tech giant of employing forced obsolescence to compel users to transition to Windows 11, which comes pre-installed with Microsoft's generative AI tools.
This episode of Risky Bulletin, prepared by Catalyn Kimparnu and narrated by Claire Airdrop, provides a comprehensive overview of recent cybersecurity developments, from high-stakes bug bounties and legislative changes to significant hacks and innovative defensive measures. Whether you're a seasoned professional or someone interested in the latest in cybersecurity, this bulletin offers valuable insights into the ever-evolving landscape of digital security.