Update Chrome now: Google fixes 13 security issues affecting billions

4 December 2025 at 07:42

Google has released an update for its Chrome browser that includes 13 security fixes, four of which are classified as high severity. One of these was found in Chrome’s Digital Credentials feature, a tool that lets you share verified information from your digital wallet with websites so you can prove who you are across devices.

Chrome is by far the world’s most popular browser, with an estimated 3.4 billion users. That scale means when Chrome has a security flaw, billions of users are potentially exposed until they update.

That’s why it’s important to install these patches promptly. Staying unpatched means you could be at risk just by browsing the web, and attackers often exploit these kinds of flaws before most users have a chance to update. Always let your browser update itself, and don’t delay restarting the browser as updates usually fix exactly this kind of risk.

How to update Chrome

The latest version number is 143.0.7499.40/.41 for Windows and macOS, and 143.0.7499.40 for Linux. So, if your Chrome is on version 143.0.7499.40 or later, it’s protected from these vulnerabilities.

The easiest way to update is to allow Chrome to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To update manually, click the More menu (three dots), then go to Settings > About Chrome. If an update is available, Chrome will start downloading it. Restart Chrome to complete the update, and you’ll be protected against these vulnerabilities.

You can also find step-by-step instructions in our guide to how to update Chrome on every operating system.
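As an added example (not from the original article), a small Python check that parses `google-chrome --version`-style strings and flags hosts still below the fixed build listed above; the inventory hostnames and the older version numbers in it are constructed.

```python
import re
from typing import Optional

# Minimum fixed Chrome build per platform, as stated in the article:
# 143.0.7499.40/.41 for Windows and macOS, 143.0.7499.40 for Linux.
PATCHED_MIN = {
    "windows": (143, 0, 7499, 40),
    "macos": (143, 0, 7499, 40),
    "linux": (143, 0, 7499, 40),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[tuple]:
    """Pull a four-part Chrome version out of strings such as
    'Google Chrome 143.0.7499.40' (what `google-chrome --version` prints)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    # Compare numerically, not as strings: "7499" sorts before "800" as text.
    return tuple(int(part) for part in m.groups())


def is_patched(version_text: str, platform: str) -> bool:
    """True if the installed build is at or above the fixed build for the platform."""
    version = parse_version(version_text)
    minimum = PATCHED_MIN.get(platform.lower())
    if version is None or minimum is None:
        return False  # unknown version or platform: treat as not verified
    return version >= minimum


def unpatched_hosts(inventory):
    """inventory: iterable of (hostname, platform, version_text) -> hostnames needing an update."""
    return [host for host, plat, ver in inventory if not is_patched(ver, plat)]


# Constructed sample inventory (hostnames and the older build numbers are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "Google Chrome 143.0.7499.41"),
    ("ws-02", "windows", "Google Chrome 142.0.7444.175"),
    ("mac-01", "macos", "Google Chrome 143.0.7499.40"),
    ("lnx-01", "linux", "Google Chrome 143.0.7400.200"),
    ("lnx-02", "linux", "unknown"),
]
```

Feed `unpatched_hosts()` the output of your inventory tool and it returns the machines that still need the restart.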

Technical details

One of the vulnerabilities was found in the Digital Credentials feature and is tracked as CVE-2025-13633. As usual Google is keeping the details sparse until most users have updated. The description says:

Use after free in Digital Credentials in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

That sounds complicated so let’s break it down.

Use after free (UAF) is a specific type of software vulnerability where a program attempts to access a memory location after it has been freed. That can lead to crashes or, in some cases, let an attacker run their own code.

The renderer process is the part of modern browsers like Chrome that turns HTML, CSS, and JavaScript into the visible webpage you see in a tab. It’s sandboxed for safety, separate from the browser’s main “browser process” that manages tabs, URLs, and network requests. So, for HTML pages, this is essentially the browser’s webpage display engine.

The heap is an area of memory made available for use by the program. The program can request blocks of memory for its use within the heap. In order to allocate a block of some size, the program makes an explicit request by calling the heap allocation operation.

A “remote attacker who had compromised the renderer” means the attacker would already need a foothold (for example, via a malicious browser extension) and then lure you to a site containing specially crafted HTML code.

So, my guess is that this vulnerability could be abused by a malicious extension to steal the information handled through Digital Credentials. The attacker could access information normally requiring a passkey, making it a tempting target for anyone trying to steal sensitive information.

Some of the fixes also apply to other Chromium browsers, so if you use Brave, Edge, or Opera, for example, you should keep an eye out for updates there too.


Code Formatting Tools Share Secrets by the Thousands: Researchers

25 November 2025 at 14:36

Platforms that developers use to format their input unintentionally share “thousands” of secrets, according to new research. Researchers from watchTowr captured a dataset of more than 80,000 saved pieces of JSON from code formatting tools JSONFormatter and CodeBeautify and parsed the dataset to discover “thousands of secrets” such as Active Directory and AWS credentials, authentication and API keys, and more. In typical watchTowr snark, the researchers noted, “it went exactly as badly as you might expect.”

Code Formatting Tools Create Shareable Links

In a post titled, “Stop Putting Your Passwords Into Random Websites,” the researchers noted that users of the code formatting tools can create “a semi-permanent, shareable link to whatever you just formatted.” “[I]t is fairly apparent that the word ‘SAVE’ and being given shareable link was not enough to help most users understand that, indeed yes, the content is saved and the URL is shareable - enabling anyone to recover your data when armed with the URL,” the researchers wrote. Those links follow common, intuitive formats, they said, and JSONformatter and CodeBeautify also have “Recent Links” pages that allow a random user to browse all saved content and associated links, along with the titles, descriptions, and dates. “This makes extraction trivial - because we can behave like a real user using legitimate functionality,” the researchers said. “For every provided link on a Recent Links page, we extracted the id value, and requested the contents from the /service/getDataFromID endpoint to transform it into the raw content we’re really after.”

Data Shared by Code Formatting Tools

Among the sensitive data found by the researchers were credentials for Docker Hub, JFrog, Grafana and Amazon RDS for a “Data-lake-as-a-service” provider. A cybersecurity company “had actually pasted a bunch of encrypted credentials for a very sensitive configuration file ... to this random website on the Internet.” A financial services company had uploaded sensitive “know your customer” (KYC) data. A consultancy leaked GitHub tokens, hardcoded credentials, and URLs pointing at delivery-related files on GitHub. In the process of uploading an entire configuration file for a tool, “a GitHub token was disclosed that, based on the configuration file, we infer (guess) had permissions to read/write to files and folders on the main consultancy organization’s account.” An MSSP employee uploaded an onboarding email “complete with Active Directory credentials ... they also included a second set: credentials for the MSSP’s largest, most heavily advertised client - a U.S. bank.” A “major financial exchange” leaked production AWS credentials “directly associated with Splunk SOAR automation at a major international stock exchange.” “[W]e realised we’d found a Splunk SOAR playbook export,” the researchers said. “Embedded in that export were credentials to an S3 bucket containing detection logic and automation logs - essentially the brain powering parts of an incident-response pipeline. “This was not your average organization, but a truly tier-0 target in-scope of the most motivated and determined threat actors, who would absolutely capitalize on being able to leverage any ability to blind or damage security automation. We promptly disclosed them to the affected stock exchange for remediation.”

Researchers Set Up Test Credentials

To make sure that they weren’t the only ones accessing the data, watchTowr set up test credentials with a 24-hour expiry. “[I]f the credentials were used after the 24-hour expiry, it would indicate that someone had stored the upload from the ‘Recent Links’ page before expiry and used it after it had technically expired,” they said. Sure enough, someone started poking around the test datasets a day after the link had expired and the “saved” content was removed. watchTowr told The Cyber Express that if a user chooses to “save” their content, it remains accessible for the duration they configured. “And because most users never set a short — or any — expiry period, that data often sat exposed far longer than they realized,” watchTowr said. “Once the configured window passed, the links did technically expire and should no longer have been reachable. But the core issue is that the vast majority of users left content saved indefinitely, creating long-tail exposure that attackers could easily abuse.” The researchers concluded: “We’re not alone - someone else is already scraping these sources for credentials, and actively testing them.”
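As an added example, not watchTowr’s code, a Python pre-paste check that walks a JSON document and flags values that look like credentials before the blob goes anywhere near a third-party formatter; the sample document is constructed, using AWS’s documented example key ID and a dummy GitHub token.

```python
import json
import re

# Constructed sample: the kind of config blob someone might paste into a web formatter.
# AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID; the ghp_ value is a dummy.
SAMPLE_JSON = """
{
  "service": "payroll-sync",
  "aws": {"access_key_id": "AKIAIOSFODNN7EXAMPLE", "region": "us-east-1"},
  "github": {"token": "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"},
  "ldap": {"bind_user": "svc-sync", "bind_password": "Winter2025!"}
}
"""

# Value patterns with a known, fixed format (AWS access key IDs, classic GitHub PATs).
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Key names that signal a credential regardless of the value's format.
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|api_?key|private_?key)", re.I)


def _walk(node, path):
    """Yield (json_path, value) for every leaf in a parsed JSON document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, node


def find_secrets(raw_json: str):
    """Return [(json_path, finding)] for string values that look like credentials."""
    findings = []
    for path, value in _walk(json.loads(raw_json), ""):
        if not isinstance(value, str) or not value:
            continue
        for name, pattern in VALUE_PATTERNS.items():
            if pattern.search(value):
                findings.append((path, name))
                break
        else:  # no fixed-format match: fall back to the key name
            if SENSITIVE_KEY.search(path.rsplit(".", 1)[-1]):
                findings.append((path, "sensitive_key_name"))
    return findings
```

Anything `find_secrets()` reports should be redacted, and the formatting itself can be done offline with `python -m json.tool` rather than a website that keeps a copy.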

Cybercriminals Targeting Payroll Sites

4 November 2025 at 07:05

Microsoft is warning of a scam involving online payroll systems. Criminals use social engineering to steal people’s credentials, and then divert direct deposits into accounts that they control. Sometimes they do other things to make it harder for the victim to realize what is happening.

I feel like this kind of thing is happening everywhere, with everything. As we move more of our personal and professional lives online, we enable criminals to subvert the very systems we rely on.
