Google this week released Chrome 86, adding a password checking feature to the browser’s iOS and Android versions, and warning desktop users of sites trying to trick them into visiting.
The Mountain View, Calif. company also paid out more than $76,000 in bounties to security researchers who reported some of the 35 vulnerabilities addressed in Chrome 86. One bug was marked “Critical,” Google’s most-serious threat level. (Critical vulnerabilities are rare in Chrome.) Seven others were tagged as “High,” the next threat level down. The critical flaw was reported by researcher Man Yue Mo of GitHub Security Lab.
Because Chrome updates in the background, most users can finish the refresh by relaunching the browser. To manually update, select “About Google Chrome” from the Help menu under the vertical ellipsis at the upper right; the resulting tab shows that the browser has been updated or displays the download process before presenting a “Relaunch” button. People new to Chrome can download version 86 for Windows, macOS and Linux directly. The Android and iOS browsers can be found in the Google Play and App Store e-marts, respectively.
Google updates Chrome about every six weeks; the previous upgrade was released Aug. 25.
Boost password security on mobile Chrome
Google implemented its Password Checker in desktop Chrome — the one for Windows, macOS and Linux — with version 79 at the end of 2019. Formerly an online service (that debuted in October 2019), Password Checker examined the username-password combinations stored in Chrome’s password manager and reported back the authentication pairings that have been exposed in publicly-known data breaches.
Google baked that functionality into desktop Chrome: The browser pops up a warning when a username + password combination has been exposed. Now, that same feature has been added to Chrome 86 for Android and iOS.
Along with the checker, Google has also beefed up other password aspects of Chrome on mobile, including biometric authentication on iOS, which can call on Face ID or Touch ID to auto-fill password fields with the appropriate characters. (Google introduced this feature to Chrome 84 on Android back in July.)
Google also promised that the next release, Chrome 87, would debut Safety Check — a security feature that first appeared in May on desktop Chrome 83 — on mobile. Safety Check detects compromised passwords, warns the user if an update is required, and more.
Avoid hinky sites
On desktop Chrome 86, Google’s added a new alert about sites that try to confuse and confound users by relying on URLs which “look very similar to those of other sites.” In its example, Google cited the URL goog0le.com (note the inserted zero) attempting to spoof the legitimate google.com.
With this feature, Chrome puts up a small window when Google believes the website is trying to pull one over on the user, if the URL is “slightly different from a URL in your browsing history,” or when the site has a history of bad behavior.
Like many features new to Chrome, this one may not yet be enabled in every user’s copy of the browser. (Traditionally, Google switches features on in stages to keep potential problems from crippling large segments of its user base.) To see this in action, users might have to enter chrome://flags in the address bar, search for the item #safety-tips, select “Enabled” from the field at the right, and then relaunch the browser.
The policy LookalikeWarningAllowlistDomains can be used by enterprise IT personnel to suppress these new warnings.
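A simplified sketch of the kind of comparison described above, as an added example rather than Chrome's own code: it flags a hostname that is one edit away from a previously visited host, such as goog0le.com against google.com. The edit-distance threshold, the minimum host length, the function names and the sample history are assumptions, and the `allowlist` parameter only mimics the role of LookalikeWarningAllowlistDomains.

```javascript
// Added illustration, not Chrome's implementation. The heuristic (edit
// distance <= 1 against visited hosts) and every name here are assumptions.

// Levenshtein distance between two strings, using two rolling rows.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Reduce a URL or bare host to a lowercase hostname without a leading "www.".
function hostOf(input) {
  const url = new URL(input.includes("://") ? input : "https://" + input);
  return url.hostname.toLowerCase().replace(/^www\./, "");
}

// Return the visited host that `candidate` resembles, or null if none.
// Exact matches and allowlisted hosts never produce a warning.
function findLookalike(candidate, visitedHosts, allowlist = []) {
  const host = hostOf(candidate);
  const visited = visitedHosts.map(hostOf);
  if (visited.includes(host) || allowlist.map(hostOf).includes(host)) {
    return null;
  }
  for (const known of visited) {
    // Very short hosts are one edit away from too many legitimate names.
    if (known.length < 5) continue;
    if (editDistance(host, known) <= 1) return known;
  }
  return null;
}

// Constructed sample history for the demonstration.
const sampleHistory = ["https://www.google.com/search?q=x", "example.org", "t.co"];
console.log(findLookalike("goog0le.com", sampleHistory));
console.log(findLookalike("goog0le.com", sampleHistory, ["goog0le.com"]));
```

The sketch compares full hostnames only; a production check would also need to handle registrable domains and visually confusable Unicode characters.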
Chrome 86 also continued the multi-version implementation of a blockade imposed on downloads from insecure sources. The first download category — executable files in .exe format, for example — was barred in Chrome 85. For Chrome 86, the blocking extended to archive file types, such as .zip, with additional formats slated to be barred through Chrome 88.
Google will ship Chrome’s next upgrade, Chrome 87, on Nov. 17. Chrome 87 will be Google’s final 2020 browser release.