Cybersecurity researchers have flagged several popular Google Chrome extensions that have been found to transmit data in HTTP and hard-code secrets in their code, exposing users to privacy and security risks. "Several widely used extensions [...] unintentionally transmit sensitive data over simple HTTP," Yuanjing Guo, a security researcher in the Symantec's Security Technology and Response team, said. "By doing so, they expose browsing domains, machine IDs, operating system details, usage analytics, and even uninstall information, in plaintext." The fact that the network traffic is unencrypted also means that they are susceptible to adversary-in-the-middle (AitM) attacks, allowing malicious actors on the same network such as a public Wi-Fi to intercept and, even worse, modify this data, which could lead to far more serious consequences. The list of identified extensions are below - SEMRush Rank (extension ID: idbhoeaiokcojcgappfigpifhpkjgmab) and PI Rank (ID: ccgdboldgdlngcgfdolahmiilojmfndl), which call the URL "rank.trellian[.]com" over plain HTTP Browsec VPN (ID: omghfjlpggmjjaagoclmmobgdodcjboh), which uses HTTP to call an uninstall URL at "browsec-uninstall.s3-website.eu-central-1.amazonaws[.]com" when a user attempts to uninstall the extension MSN New Tab (ID: lklfbkdigihjaaeamncibechhgalldgl) and MSN Homepage, Bing Search & News (ID: midiombanaceofjhodpdibeppmnamfcj), which transmit a unique machine identifier and other details over HTTP to "g.ceipmsn[.]com" DualSafe Password Manager & Digital Vault (ID: lgbjhdkjmpgjgcbcdlhkokkckpjmedgc), which constructs an HTTP-based URL request to "stats.itopupdate[.]com" along with information about the extension version, user's browser language, and usage "type" "Although credentials or passwords do not appear to be leaked, the fact that a password manager uses unencrypted requests for telemetry erodes trust in its overall security posture," Guo said. Symantec said it also identified another set of extensions with API keys, secrets, and tokens directly embedded in the JavaScript code, which an attacker could weaponize to craft malicious requests and carry out various malicious actions - Online Security & Privacy extension (ID: gomekmidlodglbbmalcneegieacbdmki), AVG Online Security (ID: nbmoafcmbajniiapeidgficgifbfmjfo), Speed Dial [FVD] - New Tab Page, 3D, Sync (ID: llaficoajjainaijghjlofdfmbjpebpa), and SellerSprite - Amazon Research Tool (ID: lnbmbgocenenhhhdojdielgnmeflbnfb), which expose a hard-coded Google Analytics 4 (GA4) API secret that an attacker could use to bombard the GA4 endpoint and corrupt metrics Equatio – Math Made Digital (ID: hjngolefdpdnooamgdldlkjgmdcmcjnc), which embeds a Microsoft Azure API key used for speech recognition that an attacker could use to inflate the developer's costs or exhaust their usage limits Awesome Screen Recorder & Screenshot (ID: nlipoenfbbikpbjkfpfillcgkoblgpmj) and Scrolling Screenshot Tool & Screen Capture (ID: mfpiaehgjbbfednooihadalhehabhcjo), which expose the developer's Amazon Web Services (AWS) access key used to upload screenshots to the developer's S3 bucket Microsoft Editor – Spelling & Grammar Checker (ID: gpaiobkfhnonedkhhfjpmhdalgeoebfa), which exposes a telemetry key named "StatsApiKey" to log user data for analytics Antidote Connector (ID: lmbopdiikkamfphhgcckcjhojnokgfeo), which incorporates a third-party library called InboxSDK that contains hard-coded credentials, including API keys. Watch2Gether (ID: cimpffimgeipdhnhjohpbehjkcdpjolg), which exposes a Tenor GIF search API key Trust Wallet (ID: egjidjbpglichdcondbcbdnbeeppgdph), which exposes an API key associated with the Ramp Network, a Web3 platform that offers wallet developers a way to let users buy or sell crypto directly from the app TravelArrow – Your Virtual Travel Agent (ID: coplmfnphahpcknbchcehdikbdieognn), which exposes a geolocation API key when making queries to "ip-api[.]com" Attackers who end up finding these keys could weaponize them to drive up API costs, host illegal content, send spoofed telemetry data, and mimic cryptocurrency transaction orders, some of which could see the developer's ban getting banned. Adding to the concern, Antidote Connector is just one of over 90 extensions that use InboxSDK, meaning the other extensions are susceptible to the same problem. The names of the other extensions were not disclosed by Symantec. "From GA4 analytics secrets to Azure speech keys, and from AWS S3 credentials to Google-specific tokens, each of these snippets demonstrates how a few lines of code can jeopardize an entire service," Guo said. "The solution: never store sensitive credentials on the client side." Developers are recommended to switch to HTTPS whenever they send or receive data, store credentials securely in a backend server using a credentials management service, and regularly rotate secrets to further minimize risk. The findings show how even popular extensions with hundreds of thousands of installations can suffer from trivial misconfigurations and security blunders like hard-coded credentials, leaving users' data at risk. "Users of these extensions should consider removing them until the developers address the insecure [HTTP] calls," the company said. "The risk is not just theoretical; unencrypted traffic is simple to capture, and the data can be used for profiling, phishing, or other targeted attacks." "The overarching lesson is that a large install base or a well-known brand does not necessarily ensure best practices around encryption. Extensions should be scrutinized for the protocols they use and the data they share, to ensure users' information remains truly safe." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

End-of-life data management, be it deletion of what is no longer required, or data removal from hardware before it’s decommissioned, may not get the attention that data loss through breaches generates, but it’s equally critical

The H2O Audio Tri Pro headset keeps the tunes going in the pool, and have a snug fit to stay in place while you swim.

Elevation's Tag Vault keychain and security cable will protect your AirTag from being easily removed from luggage, bags, and more.

Backup-as-a-service (BaaS) is a managed service where a third-party provider stores an organization’s data in the cloud. As opposed to an organization performing its own backups onsite — which can require significant infrastruc

I was lucky enough to get an early look and hands-on experience with Satechi’s new OntheGo line at CES this year, and I was immediately impressed. Satechi managed to bridge the gap between tech enthusiasts like myself, who appreciate cutting-edge features like Qi2 and MagSafe charging, and everyday users, thanks to their thoughtful material choices and versatile color palette. Here’s everything you need to know! Be sure to check out our video below on Satechi’s OnTheGo 3 in 1 charger! What you get & specs So in the box you get: The 3 in 1 charger itself 1M USB-C to C cable Nice little travel pouch In typical 2025 standards, you do not get a charging brick, and they recommend a 36W charging brick for optimal performance. It will work with other charging bricks but just won’t be optimal. Specs: Charges your iPhone via Qi2 at 15W Fast charges Apple Watch at 5W Headphone charges at 5W (can also place anything else that supports wireless charging. Hands-on review Satechi’s OntheGo 3-in-1 Charger hits the sweet spot for travelers and everyday users at the same time. It can charge your big three: your iPhone, Apple Watch, and AirPods. It also easily fits into every aspect of your life. The foldable design makes it super easy to pack away, but what stood out to me is how you can prop up your phone at different angles while charging. So, in theory, it supports Standby and night stand modes! Whether you’re checking notifications, watching a video, or hopping on a FaceTime call, it adds a layer of versatility that most travel chargers miss. The charger feels sturdy when folded into a stand mode, and the magnetic connection keeps your iPhone securely in place without any wobble. Combined with the premium vegan leather finish, lightweight build, and the new sand color, it is a new staple in my everyday carry. Pricing & availability The new 2 in-1 and 3-in-1 OnTheGo chargers are available today directly from Satechi. They come in three different colors: Black, Desert Rose, and Sand. The 2 in 1 is $79 and the 3 in 1 option is $99. I am happy they have two versions for the people who don’t have AirPods or an Apple Watch. Let me know what you think of these. Are these a charger you would use? Let’s discuss below! Add 9to5Mac to your Google News feed.  FTC: We use income earning auto affiliate links. More.You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Position Purpose:We are looking for a Cloud Engineer to support the deployment, automation, and monitoring of secure AWS infrastructure across healthcare and data analytics solutions. This role is responsible for ensuring resilient cloud environments using Infrastructure as Code (IaC) and CI/CD pipelines, while enabling teams to deliver cloud-native applications and services securely and efficiently. Take ownership of DevSecOps practices and grow into a lead infrastructure role supporting secure, large-scale AWS systems in federal health IT environments.Primary Duties & Responsibilities:·       Build and maintain cloud infrastructure using AWS services such as EC2, Lambda, RDS, S3, and VPCs.·       Use Infrastructure as Code (IaC) tools such as CloudFormation or AWS CDK to deploy and version cloud environments across DEV, VAL, and PROD.·       Implement and maintain CI/CD pipelines using GitHub Actions, Jenkins, or similar tools.·       Write automation scripts in Python, Bash, or other languages to support deployment, monitoring, and maintenance tasks.·       Monitor and log infrastructure health using CloudWatch, CloudTrail, and third-party tools like Splunk.·       Collaborate with developers, analysts, and project teams to ensure cloud infrastructure supports data pipelines, dashboards, and application services.·       Support system security by applying encryption, access controls, IAM policies, and monitoring best practices.·       Document infrastructure architecture, configurations, and deployment processes for ongoing maintenance and team reuse.·       Collaborate with senior engineers and architects to continuously improve security posture, automation efficiency, and system observability.Minimum Qualifications:·       Bachelor’s degree(or equivalent experience) in computer science, engineering, or related field.·       2+ years of experience in cloud engineering, DevOps, or infrastructure automation roles.·       Experience managing cloud infrastructure in AWS.·       Proficiency with IaC tools such as CloudFormation, CDK, or Terraform.·       Familiarity with Linux-based environments and scripting languages (e.g., Python, Bash).·       Experience with CI/CD pipelines and version control (GitHub preferred).·       Strong problem-solving, documentation, and collaboration skills.Preferred Qualifications:AWS certification (e.g., SysOps Administrator, Solutions Architect, or DevOps Engineer).Demonstrated interest in AWS architecture, security automation, and CI/CD workflows; openness to mentorship and growth into senior engineering responsibilities.Experience deploying secure AWS environments in compliance with HIPAA, FISMA, or CMS ARS standards.Familiarity with security monitoring tools such as CloudWatch, or Config.Experience supporting federal health IT environments (e.g., CMS, VA, state Medicaid).Familiarity with monitoring infrastructure supporting MicroStrategy, Python pipelines, or healthcare reporting systems.

White House Chief of Staff Susie Wiles uses a phone as she attends a National Day of Prayer event hosted by President Donald Trump in the Rose Garden at the White House, May 1, 2025 in Washington / Image credits - Andrew Harnik/Getty Images The personal phone of Susie Wiles, the U.S. President Donald Trump’s chief of staff, was allegedly hacked, with the individual responsible obtaining access to a bevy of contacts, including high-profile officials. According to the latest report, a federal probe has been launched, but there is no confirmation on how the phone was compromised in the first place. The contacts present in Susie Wiles’ phone grew suspicious after the impersonator asked to move the conversation to Telegram, risking the leaking of sensitive information Shortly after gaining access to the White House chief of staff’s personal phone, the hackers leveraged AI to impersonate Wiles’ likeness and sent multiple contacts voice and text messages from a different number. It was only after the person or persons on the other end recommended continuing the conversation to a private platform like Telegram that the contacts realized that something was off. FBI Director Kash Patel shared the following statement with CBS News regarding the incident. “The FBI takes all threats against the President, his staff, and our cybersecurity with the utmost seriousness; safeguarding our administration officials’ ability to securely communicate to accomplish the President's mission is a top priority.” As for how Wiles’ phone was compromised, TechCrunch asked White House spokesperson Anna Kelly if a cloud account associated with the chief of staff’s device was compromised, or if her handset was a part of a more sophisticated attack involving government-grade spyware. Unfortunately, the outlet did not receive a meaningful response, suggesting that the investigation is still ongoing. This is the second incident in which Wiles has been targeted by hackers, with the first instance transpiring in 2024, when it was reported that Iranian cyber-espionage experts attempted to obtain access to her personal email account. A separate report claims that these individuals were successful in bypassing the security as they obtained a dossier on Vice President JD Vance, who was Donald Trump’s running mate at the time. Going over a few images, we realized that the U.S. President’s chief of staff is currently in possession of an iPhone, which should cause even more concern because Apple prides itself on its robust security and privacy. News Source: The Wall Street Journal

Thanks to the legal discovery process, Google’s antitrust trial with the Department of Justice has provided a fascinating glimpse into the future of ChatGPT.An internal OpenAI strategy document titled “ChatGPT: H1 2025 Strategy” describes the company’s aspiration to build an “AI super assistant that deeply understands you and is your interface to the internet.” Although the document is heavily redacted in parts, it reveals that OpenAI aims for ChatGPT to soon develop into much more than a chatbot. “In the first half of next year, we’ll start evolving ChatGPT into a super-assistant: one that knows you, understands what you care about, and helps with any task that a smart, trustworthy, emotionally intelligent person with a computer could do,” reads the document from late 2024. “The timing is right. Models like 02 and 03 are finally smart enough to reliably perform agentic tasks, tools like computer use can boost ChatGPT’s ability to take action, and interaction paradigms like multimodality and generative UI allow both ChatGPT and users to express themselves in the best way for the task.”The document goes on to describe a “super assistant” as “an intelligent entity with T-shaped skills” for both widely applicable and niche tasks. “The broad part is all about making life easier: answering a question, finding a home, contacting a lawyer, joining a gym, planning vacations, buying gifts, managing calendars, keeping track of todos, sending emails.” It mentions coding as an early example of a more niche task.Even when reading around the redactions, it’s clear that OpenAI sees hardware as essential to its future, and that it wants people to think of ChatGPT as not just a tool, but a companion. This tracks with Sam Altman recently saying that young people are using ChatGPT like a “ life advisor.”“Today, ChatGPT is in our lives through existing form factors — our website, phone, and desktop apps,” another part of the strategy document reads. “But our vision for ChatGPT is to help you with all of your life, no matter where you are. At home, it should help answer questions, play music, and suggest recipes. On the go, it should help you get to places, find the best restaurants, or catch up with friends. At work, it should help you take meeting notes, or prepare for the big presentation. And on solo walks, it should help you reflect and wind down.” At the same time, OpenAI finds itself in a wobbly position. Its infrastructure isn’t able to handle ChatGPT’s rising usage, which explains Altman’s focus on building data centers. In a section of the document describing AI chatbot competition, the company writes that “we are leading here, but we can’t rest,” and that “growth and revenue won’t line up forever.” It acknowledges that there are “powerful incumbents who will leverage their distribution to advantage their own products,” and states that OpenAI will advocate for regulation that requires other platforms to allow people to set ChatGPT as the default assistant. (Coincidentally, Apple is rumored to soon let iOS users also select Google’s Gemini for Siri queries. Meta AI just hit one billion users as well, thanks mostly to its many hooks in Instagram, WhatsApp, and Facebook.) “We have what we need to win: one of the fastest-growing products of all time, a category-defining brand, a research lead (reasoning, multimodal), a compute lead, a world-class research team, and an increasing number of effective people with agency who are motivated to ship,” the OpenAI document states. “We don’t rely on ads, giving us flexibility on what to build. Our culture values speed, bold moves, and self-disruption. Maintaining these advantages is hard work but, if we do, they will last for a while.”ElsewhereApple chickens out: For the first time in a decade, Apple won’t have its execs participate in John Gruber’s annual post-WWDC live podcast. Gruber recently wrote the viral “something is rotten in the state of Cupertino” essay, which was widely discussed in Apple circles. Although he hasn’t publicly connected that critical piece to the company backing out of his podcast, it’s easy to see the throughline. It says a lot about the state of Apple when its leaders don’t even want to participate in what has historically been a friendly forum.Elon was high: As Elon Musk attempts to reframe the public’s view of him by doing interviews about SpaceX, The New York Times reports that last year, he was taking so much ketamine that it “was affecting his bladder.” He also reportedly “traveled with a daily medication box that held about 20 pills, including ones with the markings of the stimulant Adderall.” Both Musk and the White House have had multiple opportunities to directly refute this report, and they have not. Now, Musk is at least partially stepping away from DOGE along with key lieutenants like Steve Davis. DOGE may be a failure based on Musk’s own stated hopes for spending cuts, but his closeness to Trump has certainly helped rescue X from financial ruin and grown SpaceX’s business. Now, the more difficult work begins: saving Tesla. Overheard“The way we do ranking is sacrosanct to us.” - Google CEO Sundar Pichai on Decoder, explaining why the company’s search results won’t be changed for President Trump or anyone else. “Compared to previous technology changes, I’m a little bit more worried about the labor impact… Yes, people will adapt, but they may not adapt fast enough.” - Anthropic CEO Dario Amodei on CNN raising the alarm about the technology he is developing. “Meta is a very different company than it was nine years ago when they fired me.” - Anduril founder Palmer Luckey telling Ashlee Vance why he is linking up with Mark Zuckerberg to make headsets for the military. Personnel logThe flattening of Meta’s AI organization has taken effect, with VP Ahmad Al-Dahle no longer overseeing the entire group. Now, he co-leads “AGI Foundations” with Amir Frenkel, VP of engineering, while Connor Hayes runs all AI products. All three men now report to Meta CPO Chris Cox, who has diplomatically framed the changes as a way to “give each org more ownership.”Xbox co-founder J Allard is leading a new ‘breakthrough’ devices group at Amazon called ZeroOne. One of the devices will be smart home-related, according to job listings.C.J. Mahoney, a former Trump administration official, is being promoted to general counsel at Microsoft, which has also hired Lisa Monaco from the last Biden administration to lead global policy. Reed Hastings is joining the board of Anthropic “because I believe in their approach to AI development, and to help humanity progress.” (He’s joining Anthropic’s corporate board, not the supervising board of its public benefit trust that can hire and fire corporate directors.)Sebastian Barrios, previously SVP at Mercado Libre, is joining Roblox as SVP of engineering for several areas, including ads, game discovery, and the company’s virtual currency work.Fidji Simo’s replacement at Instacart will be chief business officer Chris Rogers, who will become the company’s next CEO on August 15th after she officially joins OpenAI.Link listMore to click on:If you haven’t already, don’t forget to subscribe to The Verge, which includes unlimited access to Command Line and all of our reporting.As always, I welcome your feedback, especially if you have thoughts on this issue or a story idea to share. You can respond here or ping me securely on Signal.Thanks for subscribing.See More: