
Chrome Terminates Cookie Stealing Malware - Threat Wire
We are seeing a rapid shift towards an age-restricted internet, as highlighted in this week's cybersecurity news. The "Age of Us" remains a prominent topic in technology. California passed a law in October 2025 requiring all operating systems within the state to collect user age information. Although it is set to take effect in early 2027, internal concerns have already surfaced due to ambiguities, particularly regarding multi-use computers. This law will impact operating systems and groups such as Linux, Mac, Windows, and SteamOS.
It's uncertain whether this is related, but Apple has already initiated age verification in the UK. iOS 26.4 introduced age and identity checks for UK-based iOS users. According to an Apple support page, users in certain countries may need to confirm their age before downloading apps, changing settings, or performing other actions with their Apple account. These checks involve using a driver's license, ID, or credit card, but not a UK passport. However, a US passport can be used to create a digital ID in Apple Wallet for age confirmation. This has created difficulties for many in the UK who lack licenses or credit cards, making age verification impossible for them.
In other news concerning age restriction, France is progressing with social media age restrictions. The French Senate has approved a conditional system with two tiers for social media: one for content deemed harmful, requiring verification, and another accessible with parental consent. Greece is also moving towards a social media ban, with legislation expected to be voted on this summer. The sentiment is strong for age restrictions on certain social media sites, comparing the current situation to past societal oversights, such as allowing women to smoke during pregnancy.
Google Chrome has enhanced browser security by introducing hardware-based protections for session cookies in Chrome version 136, exclusively for Windows. This feature, called "device-bound session credentials" (DBSC), cryptographically links user sessions to hardware. Announced in 2024, it leverages hardware-based security chips like the Trusted Platform Module on Windows and the Secure Enclave on Mac. These chips hold unique public and private keys, used for encrypting and decrypting sensitive data, that cannot be exported from the machine. DBSC protects user privacy by backing each session with a distinct key, which prevents websites from correlating user activity across different sessions or sites on the same device. The protocol is designed to be lean: it does not leak device identifiers or send attestation data to the server, and shares only the per-session public key required for proof of possession. This minimal information exchange lets DBSC secure sessions without enabling cross-site tracking or device fingerprinting.
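A simplified model of the proof-of-possession check described above, added here as an example; it is not code from the original summary or from Chrome and does not reproduce DBSC's wire format. The names `createDeviceKey` and `SessionServer`, the challenge flow, and the software key standing in for the TPM are assumptions made for illustration.

```javascript
// Added example. Software stand-in for the TPM / Secure Enclave (assumption):
// the private key stays in the closure; callers can only ask for a signature.
const { generateKeyPairSync, randomBytes, randomUUID, sign, verify } = require('node:crypto');

function createDeviceKey() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    signChallenge: (challenge) => sign('sha256', challenge, privateKey),
  };
}

class SessionServer {
  constructor() { this.sessions = new Map(); }
  // The server learns only the per-session public key, no device identifier.
  register(publicKeyPem) {
    const cookie = randomUUID();
    this.sessions.set(cookie, { publicKeyPem, challenge: null });
    return cookie;
  }
  issueChallenge(cookie) {
    const session = this.sessions.get(cookie);
    if (!session) return null;
    session.challenge = randomBytes(32); // fresh per request
    return session.challenge;
  }
  // The cookie alone is not enough: the caller must sign the open challenge.
  prove(cookie, signature) {
    const session = this.sessions.get(cookie);
    if (!session || !session.challenge) return false;
    const challenge = session.challenge;
    session.challenge = null; // single use, so a captured signature cannot be replayed
    try { return verify('sha256', challenge, session.publicKeyPem, signature); }
    catch { return false; } // malformed signature bytes
  }
}

function demo() {
  const server = new SessionServer();
  const device = createDeviceKey();
  const cookie = server.register(device.publicKeyPem);
  const firstSig = device.signChallenge(server.issueChallenge(cookie));
  const legit = server.prove(cookie, firstSig);
  server.issueChallenge(cookie); // copied cookie plus an old signature, no key
  const replay = server.prove(cookie, firstSig);
  const otherKey = createDeviceKey(); // copied cookie signed with a different key
  const forged = server.prove(cookie, otherKey.signChallenge(server.issueChallenge(cookie)));
  return { legit, replay, forged, distinctKeys: createDeviceKey().publicKeyPem !== device.publicKeyPem };
}
```

`demo()` reports that the registered key passes, while a copied cookie fails both with a replayed signature and with a signature from any other key; `distinctKeys` reflects the per-session keys that keep sessions uncorrelated.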
Project Glasswing and Claude Mythos are significantly impacting the cybersecurity landscape. While Claude models have been effective at finding exploits, they have struggled with autonomous exploitation. Project Glasswing has achieved exponential success in autonomous exploit development. When attempting to exploit a known Firefox vulnerability, Glasswing successfully wrote working exploits in over 181 out of several hundred attempts, significantly outperforming Claude Opus 4.6, which succeeded only twice. Beyond bug finding, the Mythos model used in Project Glasswing has demonstrated high capability in reverse engineering.
In comparative testing against approximately a thousand open-source repositories from the OSS-Fuzz corpus, Sonnet 4.6 and Opus 4.6 achieved Tier 1 crashes (basic crashes) in 150-175 cases and Tier 2 crashes in about 100 instances, with only a single crash at Tier 3. In contrast, Mythos Preview achieved 595 crashes at Tiers 1 and 2, several at Tiers 3 and 4, and full control flow hijack (Tier 5) on 10 separate fully patched targets.
The Anthropic team did not explicitly train Mythos Preview for these capabilities; rather, they emerged as a downstream consequence of general improvements in code reasoning and autonomy. The same improvements that make the model effective at patching vulnerabilities also make it effective at exploiting them. For vulnerability discovery, the Anthropic research team used air-gapped containers of target projects. They gave Claude Code, running Mythos models, a brief prompt to find vulnerabilities and deployed multiple agents in parallel, each focusing on a different file to prevent overlap. A final agent then confirmed the findings. Bugs are triaged, and high-severity bugs are validated by human triagers before disclosure to maintainers. This process, however, is lengthy, meaning fewer than 1% of discovered potential vulnerabilities have been fully patched by maintainers, which limits what can be publicly discussed.
The Anthropic team considers Mythos too powerful for general public release and has no intention of doing so. Instead, they have partnered with core technology companies like Google, Nvidia, and Broadcom, as well as several open-source systems, to enable Mythos for building, defending, and maintaining critical software infrastructure.
Opinions on Mythos range from world-changing to overhyped. Marcus Hutchins, known for preventing WannaCry, suggests that the current efficiency of AI models for bug finding is subsidized by venture capital. He questions who will bear the cost when this funding dries up, arguing that bugs remain unpatched not due to a lack of discovery tools, but because there's insufficient economic incentive for people to find them in most software. This perspective draws a parallel to Uber's initial low prices due to VC money, questioning the sustainability of advanced models when computing costs become prohibitive.
In other news, GitHub Copilot was found inserting ads into pull requests, a decision reversed after community backlash and the discovery that the test ad partners had not opted in. arXiv has declared independence from Cornell due to high operating costs, seeking a new structure to fund its services. Threat actors have been exploiting an unreported zero-day vulnerability in Adobe Reader since December 2025, delivered via well-formed PDFs in social engineering attacks. The FBI retrieved deleted Signal messages using iOS notifications; the technical details remain unknown, but it likely involved reading cached notification messages or restoring iPhone backups.
The French government is moving towards technological independence from the US by transitioning government-wide from Windows to Linux-based operating systems. The specific Linux distribution is yet to be determined.