Android

Google Is Shutting Down Its Allo Messaging App, Says Report (9to5google.com) 62

According to 9to5Google, citing a source familiar with the plan, Google will "soon" announce that it will be shutting down its Google Allo messaging app. "This development comes almost 8 months after Anil Sabharwal, Vice President of Chrome, Comms and Photos at Google, said that the company was 'pausing investment' in Google Allo," reports 9to5Google. It also comes less than a week after 9to5Google reported that Google will be shutting down Google Hangouts for consumers sometime in 2020. Google may delay the news about Allo due to the backlash stemming from the article about Hangouts. From the report: Lately, some of the app's remaining users have complained of bugs and broken functionality: there have been messages not being delivered, features like hearting posts randomly disappearing for some, and the latest stable version has been unable to perform Google Drive restores of chats for several weeks. Meanwhile, essentially the entire Allo team was moved to work on Android Messages and spent the last several months porting over much of Allo's features and functionality -- all leading up to the recent beginnings of evidence that the rollout of Google's RCS 'Chat' initiative is gaining traction.

Chrome

Cyber-Espionage Group Uses Chrome Extension To Infect Victims (zdnet.com) 25

In what appears to be a first on the cyber-espionage scene, a nation-state-backed hacking group has used a Google Chrome extension to infect victims and steal passwords and cookies from their browsers. From a report: This is the first time an APT (Advanced Persistent Threat -- an industry term for nation-state hacking groups) has been seen (ab)using a Chrome extension, albeit it's not the first time one has used a browser extension, as the Russian-linked Turla APT previously used a Firefox add-on in 2015. A report that's going to be published later today by the ASERT team at Netscout reveals the details of a spear-phishing campaign that's been pushing a malicious Chrome extension since at least May 2018.

Hackers used spear-phishing emails to lure victims to websites copied from legitimate academic organizations. These phishing sites, now down, showed a benign PDF document but prevented users from viewing it, redirecting victims to the official Chrome Web Store page to install a (now removed) Chrome extension named Auto Font Manager.

Chromium

Microsoft is Building a Chromium-powered Web Browser That Will Replace Edge on Windows 10: Report (windowscentral.com) 377

Microsoft is throwing in the towel with Edge and is building a new web browser for Windows 10, this time powered by Chromium, news blog Windows Central reported Monday. From the report: Microsoft's Edge web browser has seen little success since its debut on Windows 10 back in 2015. Built from the ground up with a new rendering engine known as EdgeHTML, Microsoft Edge was designed to be fast, lightweight, and secure, but launched with a plethora of issues which resulted in users rejecting it early on. Edge has since struggled to gain any traction, thanks to its continued instability and lack of mindshare, from users and web developers.

Because of this, I'm told that Microsoft is throwing in the towel with EdgeHTML and is instead building a new web browser powered by Chromium, a rendering engine first popularized by Google's Chrome browser. Codenamed Anaheim, this new web browser for Windows 10 will replace Edge as the default browser on the platform. It's unknown at this time if Anaheim will use the Edge brand or a new brand, or if the user interface between Edge and Anaheim is different. One thing is for sure, however; EdgeHTML in Windows 10's default browser is dead.

Communications

Amazon May Be Hiding Its Plans To Test New Wireless Tech By Masquerading as a Massage Spa (ieee.org) 20

Wave723 writes: What do a Silicon Valley massage spa, a local community college, and a Californian plastics manufacturer have in common? They will soon be testing hundreds of cutting-edge wireless devices, according to an application for an experimental permit filed last week with the U.S. Federal Communications Commission (FCC). If that sounds unlikely, it is. It seems much more likely that the new devices will actually be tested at three nearby Amazon facilities. These include two buildings belonging to the company's secretive Lab126 research division, and one of the retailer's largest fulfillment centers in the state.

On November 19, a company called Chrome Enterprises LLC sought permission to test up to 450 prototype devices using Citizens Broadband Radio Service (CBRS), a new technology that aims to deliver ultra-fast wireless broadband over shared radio frequencies. In particular, CBRS opens access to a radio frequency band (3.5 Gigahertz) that the FCC had previously set aside for military use, and makes it so that the military can share that band with anyone who buys a router or phone that supports the service, or has a cell phone plan with a carrier that has paid for a sliver of the band.

Mozilla

Google, Mozilla Working on Letting Web Apps Edit Files Despite Warning That it Could Be Abused (techrepublic.com) 112

Google and Mozilla are heading a group that is devising a way for users to save changes they make using web apps. From a report: The idea is to allow users to save changes they've made using web apps, without the hassle of having to download new files after each edit, as is necessary today. "Today, if a user wants to edit a local file in a web app, the web app needs to ask the user to open the file," said Google developer advocate Pete LePage. "Then, after editing the file, the only way to save changes is by downloading the file to the Downloads folder, or having to replace the original file by navigating the directory structure to find the original folder and file. This user experience leaves a lot to be desired, and makes it hard to build web apps that access user files."

To this end, the W3C Web Incubator Community Group (WICG), which is chaired by representatives from Chrome developer Google and Firefox developer Mozilla, is working on developing the new Writable Files API, which would allow web apps running in the browser to open a file, edit it, and save the changes back to the same file. However, the group says the biggest challenge will be guarding against malicious sites seeking to abuse persistent access to files on a user's system. "By far the hardest part for this API is of course going to be the security model to use," warns the WICG's explainer page for the API. "The API provides a lot of scary power to websites that could be abused in many terrible ways."

Chrome

Google Developer Says Chrome Team is Working on a Scrollable Tabstrip For the Browser (techdows.com) 82

If you're a tab-hoarder, and you use Chrome browser, Google may have some news for you soon. The company is working on a scrollable tabstrip to make it easier for users to navigate through tabs, a developer was quoted as saying. Peter Kasting, who works on Chrome UI, said, "scrollable tabstrip is in the works. In the meantime, try shift-clicking and ctrl-clicking to select multiple tabs at once, then drag out to separate Windows to group tabs by Window." TechDows, which first reported the development: We're expecting this as the related bug, the 'UI: tab overflow' bug created 10 years back, reports opening too many tabs causes add tab button (+) to disappear and tabs do not scroll then, the expected result has been mentioned as 'scrollable tabs.' Further reading: Google is raiding Firefox for Chrome's next UI features.

Robotics

New Web App Uses Machine Learning To Analyze, Repair Your Technical Resume (techcrunch.com) 48

CV Compiler is a new web app that uses machine learning to analyze and repair your technical resume, "allowing you to shine to recruiters at Google, Yahoo and Facebook," reports TechCrunch. "The app essentially checks your resume and tells you what to fix and where to submit it," reports TechCrunch. "It's been completely bootstrapped thus far and they're working on new and improved machine learning algorithms while maintaining a library of common CV fixes." From the report: "There are lots of online resume analysis tools, but these services are too generic, meaning they can be used by multiple professionals and the results are poor and very general. After the feedback is received, users are often forced to buy some extra services," said Andrew Stetsenko. "In contrast, the CV Compiler is designed exclusively for tech professionals. The online review technology scans for keywords from the world of programming and how they are used in the resume, relative to the best practices in the industry."

The product was born out of Stetsenko's work at GlossaryTech, a Chrome extension that helps users understand tech terms. He used a great deal of natural language processing and keyword taxonomy in that product and, in turn, moved some of that to his CV service. "We found that many job applications were being rejected without even an interview, because of the resumes. Apparently, 10 seconds is long enough for a recruiter to eliminate many candidates," he said.

Chrome

Microsoft, Google and Qualcomm Working On Chrome For Windows On ARM (9to5google.com) 53

Microsoft and Google engineers appear to be working on a Chrome browser running on Windows on ARM. "9to5Google has spotted various commits by Microsoft engineers assisting with the development of Chrome for Windows 10 on ARM," reports The Verge. "The details follow claims by a Qualcomm executive last month that the chip maker was working on an ARM version of Chrome for Windows 10." From the report: A native ARM version of Chrome would make a lot of sense for Qualcomm, Microsoft, and Google. Chrome is one of the most popular desktop apps available on Windows 10, and without a native version for ARM it's difficult to take ARM-powered Windows 10 devices seriously for many. However, it was only last year that Microsoft pulled Google's Chrome installer from the Windows Store, because it violated store policies. Those policies restrict rival browsers to using Microsoft's own Edge rendering engine, specifically that "products that browse the web must use the appropriate HTML and JavaScript engines provided by the Windows Platform." Microsoft also blocked similar browser apps for Windows 8.

Unless Microsoft relaxes its rules then this native Chrome support for Windows on ARM won't be found in the Windows Store. Microsoft and Google's work could still help improve performance for Electron-based apps like Slack and Visual Studio Code which rely on parts of Chromium.

Google

Google To Pay JavaScript Frameworks To Implement Performance-First Code (zdnet.com) 82

An anonymous reader quotes ZDNet: Google will be launching a fund of $200,000 to sponsor the development and implementation of performance-related features in third-party JavaScript frameworks... Frameworks with original ideas to improve performance and those which ship "on by default" performance-boosting features will be favored in the funds allocation process. Nicole Sullivan, Chrome Product Manager, and Malte Ubl, Google Engineering Lead, have told ZDNet that the popularity, size, or the adoption of any participant framework will not count as a defining factor for being selected to receive funding. "The objective of this initiative is to help developers hit performance goals and hence serve their users with high-quality user experiences by default and ensure that this happens at scale," the two told ZDNet in an email...

"One key factor is also whether the respective feature can be turned on by default and thus have maximum impact rather than being only made available optionally," Sullivan and Ubl said.... "We want developers to be creative in approaching and solving the performance problem on the web but at a high-level we'll be looking at features that directly impact loading performance (e.g. use of feature policies, smart bundling, code-splitting, differential serving) and runtime performance (e.g. breaking tasks into smaller, schedulable chunks & keeping fps high)...."

But in addition to putting up funds to help frameworks improve their codebase, Google has also invited the development teams of some of these frameworks to provide feedback in a more prominent role as part of the Google Chrome development process... "Frameworks sometimes make web apps slower. They are also our best hope to make it faster," a slide in Sullivan and Ubl's Chrome Dev Summit presentation read.

"It's still JavaScript," complains long-time Slashdot reader tepples. "The fastest script is the script that is not loaded at all."

Encryption

Safari Tests 'Not Secure' Warning For Unencrypted Websites (cnet.com) 66

Similar to Chrome, Apple's Safari browser is testing a warning system for when users visit websites that aren't protected by HTTPS encryption. "The feature for now is only in Safari Technology Preview 70, a version of the web browser Apple uses to test technology it typically brings to the ordinary version of Safari," reports CNET. From the report: Apple didn't immediately respond to a request for comment on its plans for bringing the warning to mainstream Safari. Apple's browser does warn you already if you have an insecure connection to a very sensitive website for typing in passwords or credit card numbers.

Google

Google Is Absorbing DeepMind's Health Care Unit To Create An 'AI Assistant For Nurses and Doctors' 27

Google has announced that it's absorbing DeepMind Health, a part of its London-based AI lab DeepMind. "In a blog post, DeepMind's founders said it was a 'major milestone' for the company that would help turn its Streams app -- which it developed to help the UK's National Health Service (NHS) -- into 'an AI-powered assistant for nurses and doctors' that combines 'the best algorithms with intuitive design,'" reports The Verge. "Currently, the Streams app is being piloted in the UK as a way to help health care practitioners manage patients." From the report: DeepMind says its Streams team will remain in London and that it's committed to carrying out ongoing work with the NHS. These include a number of ambitious research projects, such as using AI to spot eye disease in routine scans. The news is potentially controversial given the upset in the UK caused by one of DeepMind's early deals with the NHS. The country's data watchdogs ruled in 2017 that a partnership DeepMind struck with the NHS was illegal, as individuals hadn't been properly informed about how their medical data would be used.

Another consistent worry for privacy advocates in the UK has been the prospect of Google getting its hands on this sort of information. It's not clear what the absorption of the Streams team into Google means in that context, but we've reached out to DeepMind for clarification. According to a report from CNBC, the independent review board DeepMind set up to oversee its health work will likely be shut down as a result of the move. More broadly speaking, the news clearly signals Google's ambitions in health care and its desire to get the most of its acquisition of the London AI lab. There have reportedly been long-standing tensions between DeepMind and Google, with the latter wanting to commercialize the former's work. Compared to Google, DeepMind has positioned itself as a cerebral home for long-sighted research, attracting some of the world's best AI talent in the process.

Chrome

Facebook Patches Vulnerability That Could Have Exposed User Data (theverge.com) 19

Yet another vulnerability has been patched that could have exposed user data. According to security company Imperva, the bug "allowed websites to obtain private information about Facebook users and their friends through unauthorized access to a company API, playing off a specific behavior in the Chrome browser," reports The Verge. From the report: In technical terms, the attack is a cross-site request forgery, using a legitimate Facebook login in unauthorized ways. For the attack to work, a Facebook user must visit a malicious website with Chrome, and then click anywhere on the site while logged into Facebook. From there, attackers could open a new pop-up or tab to the Facebook search page and run any number of queries to extract personal information. Some examples Imperva gives are checking if a user has taken photos in a certain location or country, if the user has written any recent posts that contain specific text, or checking if a user's friends like a company's Facebook page. In essence, the vulnerability exposed the interests of a user and their friends even if privacy settings were set so interests were only visible to a user's friends. Imperva says the vulnerability was not a common technique and the issue has been resolved with Facebook. However, it does mention that these more sophisticated social engineering attacks could become more common in 2019. A Facebook representative told The Verge: "We appreciate this researcher's report to our bug bounty program. We've fixed the issue in our search page and haven't seen any abuse. As the underlying behavior is not specific to Facebook, we've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications."

Chrome

Google Chrome Will Soon Warn Users About Web Pages With Unclear Mobile Billing Services (venturebeat.com) 40

Google is introducing a small but important update to its Chrome browser, one designed to prevent consumers from being swindled by underhanded or unclear mobile subscription services. From a report: Some web pages invite visitors to input their mobile phone number in order to subscribe to some kind of service, such as a mobile game, but it's not always clear how much they will be charged or even if they are being charged at all. This is enabled by a service known as carrier billing, something that allows users to bypass more laborious subscription methods by having a fee charged directly to their mobile phone bill. [...] Starting from December 2018 with the launch of Chrome 71, Google's browser on mobile and desktop, as well as in Android WebView, will display a warning if it detects that there is insufficient mobile subscription information available to the user.

Security

Researchers 'Break' Microsoft's Edge With Zero-Day Remote Code Exploit (itpro.co.uk) 50

Exploit developers Yushi Liang and Alexander Kochkov have teased a zero-day exploit for Microsoft's Edge browser that can allow a malicious actor to run commands on a user's machine. "Liang teased the 'stable exploit' for the Microsoft-developed web browser last week with an image that appeared to show the Windows Calculator app launched from a web browser, after working on the project for just under a week," reports IT PRO. From the report: The researcher had initially been looking into three remote code execution bugs for Firefox as part of an 'exploit chain', but struggled to establish code for the third. He then found two similar flaws on Microsoft Edge using the Wadi Fuzzer app developed by SensePost. Liang told BleepingComputer the pair wanted to develop a stable exploit for Microsoft Edge and escape the sandbox, termed as an exploit that force-crashes and incorrectly reloads an app with manipulated permissions.

This would allow a user to run functions, and access other apps, beyond its normal permissions, as well as access data from other applications. They were also looking for a way to effectively seize control of a machine by escalating execution privileges to "system." They published a proof-of-concept for the Edge exploit in a short clip which shows the team using the browser to open the landing page for Google Chrome via Firefox.

Security

Old School 'Sniffing' Attacks Can Still Reveal Your Browsing History (vice.com) 82

An anonymous reader quotes a report from Motherboard: Most modern browsers -- such as Chrome, Firefox, and Edge, and even browsers such as FuzzyFox and DeterFox (different, security-focused versions of Firefox) -- have vulnerabilities that allow hosts of malicious websites to extract hundreds to thousands of URLs in a user's web history, per new research from the University of California San Diego. What's worse, the vulnerabilities are built into the way they structure links, meaning that major structural changes will have to take place in these browsers in order to protect user privacy. The only browser that was immune to the attacks was Tor Browser, as the browser does not keep track of a user's internet history.

The vulnerabilities have to do with why, for instance, unclicked links appear blue while visited links appear violet: there's a different set of rules and style that apply to links depending on whether they've been visited or not. However, a bad actor building a web page can manipulate this faster loading time for visited links by "sniffing," or inferring your browsing history. In essence, sniffing is finding and exploiting proxies that reveal your web history. As outlined in the UC San Diego report, this sniffing could happen in a couple of ways: they could force the browser to reload multiple complex images or image transformations that differ based on whether you've visited a link or not, which would create drastic differences in the loading time for each. With this strategy, actors can test 60 sensitive URLs per second.

Bad actors could exploit a "bytecode cache," which speeds up the loading time for revisiting a link that you've already visited. "By embedding a special script in a web page, the actor can test how long it takes for a web page to load and infer whether you've visited it or not," reports Motherboard. "Actors can probe 3,000 URLs per second with this method. When the vulnerability was reported to Google, the company marked the issue as 'security-sensitive' but 'low-priority.'"

Chrome

Microsoft Says It Has Resolved an Issue With Bing Which Was Causing It To Push Malware When Users Searched for Chrome (howtogeek.com) 101

Chris Hoffman, writing for How To Geek: You launch Edge on your new PC, search for "download Chrome," and click the first result headed to "google.com" on Bing. You're now on a phishing website pushing malware, disguised to look like the Chrome download page. That's the story Gabriel Landau tells on Twitter. We were able to reproduce this problem, although it doesn't happen every time. Usually, you'll end up seeing an ad for "https://www.google.com". That goes to the real Chrome download page, and everything is fine. But, sometimes, you'll see an ad for "google.com". Guess what -- that doesn't actually go to Google.com. This ad was created by a scammer and goes elsewhere. Microsoft is apparently not verifying the web address the advertisement actually goes to. Bing is letting this advertisement lie to people. Microsoft says it has resolved the issue.

Education

New Zealand Chooses Google Chromebooks Over Microsoft Windows 10 For Education (betanews.com) 165

Google announced this week that it has signed an agreement with New Zealand's Ministry of Education to provide all state and state integrated schools in the country with Chrome Education licenses. The three-year agreement goes into effect on November 1 next month. From a report: "Starting on November 1, as part of an agreement with Google and the New Zealand Ministry of Education, all state and state-integrated schools across New Zealand will be able to start claiming Ministry-funded Chrome Education licenses to manage new and existing unmanaged Chromebooks. The Chrome Education license was developed to make device management in schools a breeze, so that teachers and students can focus on what's most important -- teaching and learning. Equipped with the Chrome Education license, schools can utilize essential education features to better support the many ways Chromebooks are used in the classroom," says Suan Ye, Head of Google for Education, Australia and New Zealand.

Android

Google App Suite Costs as Much as $40 Per Phone Under New EU Android Deal (theverge.com) 120

Android manufacturers will have to pay Google a surprisingly high cost in Europe in order to include Google's Play Store and other mobile apps on their devices, according to documents obtained by The Verge. From the report: A confidential fee schedule shows costs as high as $40 per device to install the "Google Mobile Services" suite of apps, which includes the Google Play Store. The new fees vary depending on country and device type, and it would apply to devices activated on or after February 1st, 2019. But phone manufacturers may not actually have to shoulder that cost: Google is also offering separate agreements to cover some or all of the licensing costs for companies that choose to install Chrome and Google search on their devices as well, according to a person familiar with the terms. Google declined to comment.

Security

'Do Not Track,' the Privacy Tool Used By Millions of People, Doesn't Do Anything (gizmodo.com) 228

An anonymous reader quotes a report from Gizmodo: When you go into the privacy settings on your browser, there's a little option there to turn on the "Do Not Track" function, which will send an invisible request on your behalf to all the websites you visit telling them not to track you. A reasonable person might think that enabling it will stop a porn site from keeping track of what she watches, or keep Facebook from collecting the addresses of all the places she visits on the internet, or prevent third-party trackers she's never heard of from following her from site to site. According to a recent survey by Forrester Research, a quarter of American adults use "Do Not Track" to protect their privacy. (Our own stats at Gizmodo Media Group show that 9% of visitors have it turned on.) We've got bad news for those millions of privacy-minded people, though: "Do Not Track" is like spray-on sunscreen, a product that makes you feel safe while doing little to actually protect you.

Yahoo and Twitter initially said they would respect it, only to later abandon it. The most popular sites on the internet, from Google and Facebook to Pornhub and xHamster, never honored it in the first place. Facebook says that while it doesn't respect DNT, it does "provide multiple ways for people to control how we use their data for advertising." (That is of course only true so far as it goes, as there's some data about themselves users can't access.) From the department of irony, Google's Chrome browser offers users the ability to turn off tracking, but Google itself doesn't honor the request, a fact Google added to its support page some time in the last year. [...] "It is, in many respects, a failed experiment," said Jonathan Mayer, an assistant computer science professor at Princeton University. "There's a question of whether it's time to declare failure, move on, and withdraw the feature from web browsers." That's a big deal coming from Mayer: He spent four years of his life helping to bring Do Not Track into existence in the first place.

Only a handful of sites actually respect the request -- the most prominent of which are Pinterest and Medium (Pinterest won't use offsite data to target ads to a visitor who's elected not to be tracked, while Medium won't send their data to third parties.)

Google

Chrome 70 Arrives With Option To Disable Linked Sign-Ins, PWAs On Windows, and AV1 Decoder (venturebeat.com) 53

Krystalo quotes a report from VentureBeat: Google today launched Chrome 70 for Windows, Mac, and Linux. The release includes an option to disable linking Google site and Chrome sign-ins, Progressive Web Apps on Windows, the ability for users to restrict extensions' access to a custom list of sites, an AV1 decoder, and plenty more. You can update to the latest version now using Chrome's built-in updater or download it directly from google.com/chrome. An anonymous Slashdot reader adds: "The most anticipated addition to today's release is a new Chrome setting panel option that allows users to control how the browser behaves when they log into a Google account," reports ZDNet. "Google added this new setting after the company was accused last month of secretly logging users into their Chrome browser accounts whenever they logged into a Google website." Chrome 70 also comes with support for the AV1 video format, TLS 1.3 final, per-site Chrome extension permissions, TouchID and fingerprint sensor authentication, the Shape Detection API (gives Chrome the ability to detect and identify faces, barcodes, and text inside images or webcam feeds), and, last but not least, 23 security fixes.
