Search the Community

Google is preparing to release new research on the prevalence of ad injectors, the often-unwanted browser extensions that inject ads onto Web pages, and the numbers will show just how widespread and problematic the software is. Ad injectors belong to that great, amorphous pile of applications that aren’t necessarily classed as malware but exhibit behavior that is unwanted by users. They’re designed to push ads onto the pages that users visit and they typically come in the form of browser extensions. Users sometimes install them purposely, but often ad injectors come bundled with other applications and can be difficult to remove. Google has been adjusting the way that it handles deceptive and unwanted software and its Chrome browser will display a warning when a user is going to download an ad injector from the Chrome Web store. The company doesn’t ban all ad injectors across the board, but will remove deceptive apps from the Web store. Google said that it has received more than 100,000 complaints from Chrome users about ad injectors in just the past three months. In a few weeks, Google plans to release some joint research on ad injectors it did with the University of California at Berkeley. Some of the findings that came out of the research make it clear that ad injectors represent a fairly large-scale problem for users: Ad injectors were detected on all operating systems (Mac and Windows), and web browsers (Chrome, Firefox, IE) that were included in our test. More than 5% of people visiting Google sites have at least one ad injector installed. Within that group, half have at least two injectors installed and nearly one-third have at least four installed. Thirty-four percent of Chrome extensions injecting ads were classified as outright malware. Google’s Nav Jagpal said in a blog post that the research found nearly 200 deceptive extensions in the Chrome Web store, which have been disabled. Jagpal said Google plans to release the full results of the research on May 1. Source

Google is offering grants worth up to $3,000 to investigate suspected security flaws as a part of a new "experimental" initiative. Google security engineer Eduardo Vela Nava announced the move in a blog post, promising to offer further incentives for researchers to investigate suspected problems that they would otherwise ignore. "Today we're rolling out a new, experimental programme: Vulnerability Research Grants. These are upfront awards that we will provide to researchers before they ever submit a bug," he explained. "We'll publish different types of vulnerabilities, products and services for which we want to support research beyond our normal vulnerability rewards. "We'll award grants immediately before research begins, with no strings attached. Researchers then pursue the research they applied for, as usual. There will be various tiers of grants, with a maximum of $3,133.70." Google also announced plans to expand its existing bug bounty programme to include flaws in mobile applications. "Also starting today, all mobile applications officially developed by Google on Google Play and iTunes will now be within the scope of the Vulnerability Reward Programme," read the post. Google has been a constant supporter of bug bounty schemes, and announced reforms to its programmes in 2014. Google tripled Chrome bug bounty payments to $15,000 in October prior to launching the Project Zero initiative. Project Zero was launched in July 2014 with the apparent intention of speeding up companies' patch release schedules. The team of researchers does this by initially disclosing flaws privately to the firms responsible and giving them 90 days to release a fix before making the research public. The project was criticised earlier this year for the public disclosure of bugs in Microsoft's Windows and Apple's Mac OS X operating systems. Nava credited the schemes as a success despite the controversy. He revealed that Google paid researchers more than $1.5m for discovering over 500 bugs last year. Source