Google Archives - Page 33 of 34 - Appunti dalla rete

21 Tips for Using Google Search Console to Effectively Grow Your Website Traffic

Do you want to use Google Search Console to grow your website traffic?

Google Search Console is a powerful free tool created by Google to help website owners understand how Google sees their website. Unfortunately, most businesses don’t know how to effectively use the full power of Google Search Console to increase their website traffic.

In this article, we will show you how to properly use Google Search Console to improve your website SEO and get more visitors.

Using Google Search Console to grow your website

What is Google Search Console?

Google Search Console is a free tool offered by Google to help website owners monitor and maintain their site’s presence in Google search results.

It provides essential marketing data that you need to start tracking from day one. It also alerts you about errors, security issues, and indexing problems that may affect your website’s search rankings.

You can use all this information in your WordPress SEO strategy to increase your website traffic.

The sad part is that most businesses don’t utilize the full power of Google Search Console because most of them think that just adding their website to Google Search Console is enough.

There’s so much more that you can do with the tool.

If you’re not leveraging all of the powerful features that Google Search Console offers, then you’re missing out.

Luckily, we’re here to help. We have created this ultimate Google Search Console guide to help you grow your website like a Pro.

Note: Since this is a comprehensive guide, we have added a table of contents for easier navigation.

Setting up Google Search Console

Fixing Crawling Issues

Growing Your Website

Useful Google Search Console Tools

1. Adding Your Website to Google Search Console

If you haven’t already done so, then you need to go ahead and add your website to Google Search Console. It is really simple and will only take a few minutes.

Simply go to Google Search Console website and click on the Start Now button.

You’ll be asked to sign in using a Google / Gmail account. Once logged in, you will need to enter your website URL.

Google Search Console offers 2 methods for site verification, including domain name or URL prefix. We recommend using the URL Prefix method as it provides more flexibility.

Do remember that Google considers HTTP and HTTPS as two different protocols. It also considers https://www.example.com and https://example.com as two different websites.

You’ll need to make sure that you enter the correct URL of your website.

If you are unsure, then simply login to your WordPress admin area and go to Settings » General page. There you will see your website’s URL in the site address field.

After entering your website address, click on the ‘Continue’ button.

Next, you will be asked to verify ownership of your website. There are several ways to do that, but we will show the HTML tag method because it is the easiest one.

Click on the HTML tag to expand it and then copy the code inside it.

Next, you’ll need to add the code to your WordPress website so that Google can verify the ownership. However, this requires coding, which can be tricky for beginners.

An easier way of adding Google Search Console to WordPress is by using All in One SEO (AIOSEO). It’s the best SEO tool for WordPress and used by over 3 million users.

First, you’ll need to install and activate the AIOSEO Lite plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, you can go to AIOSEO » General Settings page and then click the ‘Webmaster Tools’ tab. Next, select the ‘Google Search Console’ option under Webmaster Tools Verification.

After that, go ahead and enter the code you copied earlier from Google Search Console into the ‘Google Verification Code’ box.

Don’t forget to click on the ‘Save Changes’ button to store your changes.

You can now go back to Google Search Console settings and click on the ‘Verify’ button.

Google Search Console will now look for the HTML tag in your website code and show you a success message.

That’s all. You have successfully added your site to Google Search Console. You can now click on the ‘Go to Property’ link to visit your Google Search Console dashboard.

Note: if Google Search Console cannot verify your website after you have added the code in Insert Headers and Footer plugin, then you need to make sure to clear your WordPress cache and try again.

2. Adding an XML Sitemap

An XML sitemap is a way for website owners to tell search engines about all the pages that exist on their website. It also tells search engines which links on your website are more important than others.

Adding an XML sitemap to your website helps search engines better crawl your website. While it doesn’t give you a boost in search rankings, it can definitely help search engines index your content more efficiently.

The best part is that if you installed All in One SEO (AIOSEO) in the first step, then the plugin automatically adds an XML sitemap to your site.

To see the sitemap, you can head over to All in One SEO » Sitemaps and make sure that the toggle for ‘Enable Sitemap’ is switched on.

The plugin will automatically generate an XML sitemap for your website, and you can find it at the URL that looks like this:

http://example.com/sitemap_index.xml

Don’t forget to replace example.com with your own domain name. You can now submit this URL in Google Search Console.

Next, head over to the Google Search Console dashboard and then click on the ‘Sitemaps’ option from the left column. After that, you can paste the URL and click the ‘Submit’ button.

Google Search Console will now check your sitemap and use it to improve your website’s crawling. You can go through our guide on how to add a sitemap page in WordPress for more details.

3. Connect Google Search Console to Google Analytics

Connecting Google Search Console to your Google Analytics account helps you analyze search console data in Google Analytics. This provides you with a new perspective on your top-performing content and keywords.

If you haven’t already done so, then you will need to install Google Analytics on your WordPress website.

We recommend using MonsterInsights for that. It is the best Google Analytics plugin for WordPress, and it will automatically show your top keywords from Google Search Console in your WordPress admin area.

To connect Google Search Console to your Analytics account, you need to head over to Google Analytics dashboard for your website. From the bottom left corner of the screen, click on the ‘Admin’ button.

Google Analytics will now switch to the admin view. From here, you need to click on the ‘Property Settings’ section and then click on the ‘Adjust Search Console’ button.

On the next screen, you need to click on the Add button to select your website.

Analytics will now take you to the Google Search Console website showing you the list of all websites you have added to the search console. Select the property you want to link to Google Analytics from the dropdown menu.

After that, you’ll need to select the Google Analytics property you’d like to connect with Search Console and click the ‘Continue’ button.

You’ll now see a popup window showing that you’ve successfully connected Google Analytics and Search Console.

Confirm association between analytics and search console

That’s all. You have successfully connected your Google Search Console data to your Analytics account. You can go back to the Google Analytics Search Console settings page to see the connected Search Console and click the ‘Save’ button.

See search console and analytics connection

You can now view the newly unclocked Search Console reports in your Google Analytics account under Acquisition reports. It also helps unlock keywords not provided in Google Analytics.

The first report you will find there is the ‘landing pages’ report.

For each landing page, you’ll see the impressions (number of times a page appeared in search results), clicks, click-through rate (CTR), and average position in the search results. Combined with that page’s analytics parameters like bounce rate, sessions, and pages per session.

Clicking a landing page will show you the actual keywords that brought users to this landing page.

Next, you can Switch to the ‘Countries’ report, and you will see countries listed in the same order. This helps in creating content and geolocation marketing campaigns for people from different regions.

The devices report will show you how your site performed in desktop, mobile, and tablet search results.

Next, Queries are the most important of all reports among this data. It shows you the keyword data missing from your Google Analytics reports. You can see which search terms are driving traffic to your site.

4. Finding and Fixing Search Indexing Issues

The most helpful feature of Google Search Console is that you can troubleshoot indexing errors.

These errors can affect your search rankings by stopping the search engine from crawling and indexing the pages on your website.

You can easily locate these errors under the Coverage report.

It shows you which pages from your website are indexed by Google and which pages resulted in an error or a warning.

Next, scroll down, and you will see the detailed list of all the errors. Clicking on a link will open the detailed view, where you will also find the link to learn more about the error and how to fix it.

Following are a few common indexing errors you may see:

404 error – This error means that the crawler followed a URL and saw a 404 error.
Soft 404 error – This error occurs when the crawler sees a 404 error page, but the page’s status code is sending a 200 (success) message to the browser.
Server error – This means that your website server timed out or didn’t respond. This could happen if your website were under heavy traffic, was under maintenance, or unavailable for any other reason.
Not followed – This error occurs when Google is not able to follow a content type. This could be a flash, javascript, iframe, or other resources that the crawler cannot fetch.

Now let’s take a look at how to fix some of these crawl errors.

5. Fixing 404 Errors in Google Search Console

First, you need to keep in mind that not all 404 errors are equal. You can safely ignore some of them and only fix those that are actually an error.

For example, if you deleted a blog post and don’t want to redirect users to a newer post, then it is ok to let Google see a 404 error page. Google will eventually deindex that page if it keeps seeing the 404 error.

However, the reason Google wants you to look at those 404 errors is that you may not be aware of them. For example, you accidentally deleted something or forgot to redirect users to the new updated version.

Simply click on the error in the Index Coverage report, and it will show you all the pages displaying that error. Carefully review the pages and if you see a page that shouldn’t be there, then copy its URL and open it in a new browser window.

If you see a 404 error page in your browser, then this means that you need to fix this page.

Now, if it is a page that no longer exists but you have a newer or similar version of it, then you would want to redirect users to that page. See our guide on how to set up redirects in WordPress.

However, sometimes 404 errors may occur due to a misconfiguration in WordPress permalink structure. To fix this, simply visit Settings » Permalinks and then click on the ‘Save Changes’ button without changing anything.

6. Fixing Soft 404 Errors in Google Search Console

Soft 404 errors are a bit tricky to troubleshoot.

Basically, these errors occur when the Google bot sees what looks like a 404 error document instead of content. However, your server is sending a 200 (success) code. Normally, your server sends a 200 success code when a page is displayed without an error or redirect.

To resolve soft 404 errors, go ahead and click on the errors in the Coverage report to view the list of affected pages.

Now, you need to open the page in a new browser tab to see what’s happening. If the page displays correctly, then you can safely ignore the error.

On the other hand, if the page is showing a 404 error document, then you may want to investigate further.

Start by clicking the ‘Submitted URL seems to be a Soft 404’ link from the Coverage report. Next, you can open the link in a new tab to check if it’s not a false alarm.

If the page is valid and you want it to appear in the search results, then simply click the ‘VALIDATE FIX’ button. Google will then recrawl the page and change the status error.

If the WordPress search function causes the soft 404 errors you are seeing, then the easiest solution is to stop the Google bot from crawling search URLs.

To do that you need to add the following lines to your robots.txt file.

123	`User-agent: *Disallow: /?s=Disallow: /search/`

Usually, Google Bot doesn’t crawl search URLs. However, some spammers might try to spam Google search console reports by linking to search URLs with random strings. This way, they hope you will see their link in your Search Console report and click on it.

If the affected URLs are not searched queries, then you may want to redirect them to a proper page on your site.

7. Fixing Server Error in Google Search Console

Server Errors in Google Search Console are caused by a number of reasons. The most common of them is when your server times out during a crawl, throws an unexpected error or does not appear to be online.

Use the ‘URL inspection’ tool to make sure that the affected URL is working.

If it is working, then you can ignore the error. If you are on a reliable WordPress hosting provider, then most server errors would disappear automatically.

However, if you can confirm the error by visiting the URL, then there are several things you can do to fix it. See our list of most common WordPress errors guide to find a fix for the specific error message you are seeing.

8. Finding and Fixing Security Issues

Security issues not only stop Google from crawling your website, but they could also cause a sudden drop in search traffic. Google may temporarily remove affected pages, show a warning to users, and drop a page’s ranking.

Security issues will be highlighted on the overview screen as you login to your Google Search Console account. The most common security issue is websites affected by malware and trojans.

To fix this, see our guide on how to clean a hacked WordPress website for step by step instructions.

For more details, see our article on how How to fix a website after getting de-indexed by Google and ultimate WordPress security guide.

9. Finding Manual Actions and Requesting Review

While security issues are automatically triggered, manual actions are the penalties that are imposed by human staff from the Google Search team after a careful review. If a manual action is taken against your website, then this is pretty significant and can immediately take away all your search traffic.

These manual actions usually occur when a website is involved in illegal activities, spamming, and other fraudulent or fishy activities.

Clicking on the Manual Actions link will show you the actions in your search console report. You will also find detailed information about the issue that triggered it and how to clean it up.

Once you have removed the objectionable content, you can click on the request review button. Your website will now be reviewed and reconsidered by the Google Search team, and they can decide on removing the penalty.

10. Using Google Search Console To Grow Traffic

Now that we have covered the technical bits, let’s get to the fun part of growing your website traffic by utilizing the data available in Search Console.

Google Search Console helps you uncover keyword data, find out your top-performing keywords, and discover hundreds of potential keywords where you can easily rank and get more traffic.

We will also look at links and how to use them to improve search rankings.

Ready? Let’s get started.

11. Mining Keyword Data in Google Search Console

Keywords are the search terms users type in search engines to find information.

Marketers and website owners can optimize their content to target desired keywords and improve their chances of appearing on top in search results.

Previously, keyword data was available in website stats and analytics reports in Google Analytics. However, Google encrypted that information in 2013 when they switched to HTTPS.

As a result, if you try to view search queries in Google Analytics, you’ll most likely see ‘not provided’ keywords. A simple solution to this issue is connecting Google Analytics with Search Console.

You can also view the keyword data in your Google Search Console reports.

It gives you a full view of the keywords your website is ranking for, average position, clicks, and impressions (number of times your site appears for that keyword).

You can see this information in your Google Search Console reports under the ‘Performance’ tab.

On the top, you will see a graph of your website’s performance in search results. Below that, you will see the keywords data, which you can filter by position, impression, and click-through rate.

You can sort this data by clicking on any column or using the filter option to narrow down the results.

You can also switch to the Pages tab to see the performance of your pages in search results.

Clicking on any page in the list will filter the results for that page. You can then switch to the ‘Queries’ tab to see the keywords that bring the traffic to that particular page.

Now that we have covered how to browse and view this data, let’s see how actually to use this in your SEO and content planning.

12. Finding Low-hanging Keywords That You Can Easily Rank

A lot of your pages may be ranking on page 2 or 3 of Google search results for different keywords. These are the keywords that you can quickly work on to rank higher and get more traffic.

Let’s find out those keywords.

In your Performance report, click on the filter icon and then select the ‘Position’ option. Next, you’ll be looking for keywords where the average position is higher than 7.

Search Console will now only show the keywords where your site appears on an average position of 7 or higher. Now, click twice on the position column to sort the list in ascending order.

As you scroll down, you will find tons of keywords that rank between 7 and 30. All these keywords are low-hanging fruits where you can easily rank higher.

To view more results, scroll to the bottom and select a higher number for ‘Rows per page.’

When choosing the keywords to work on, you would want to choose keywords based on their number of impressions. Higher impressions mean more search traffic for those keywords.

To do that, you can export the data in CSV format and then open it in spreadsheet software.

Now that you have mined the low-hanging keywords with higher impressions, the question is how do you improve your rankings for those keywords?

Here are some tips to help you improve your rankings for those keywords.

1. Improve the content by adding more useful information

The #1 reason your page isn’t ranking for a keyword is that Google finds other content more valuable. To counter that, you need to review your article or blog post and add helpful content.

Look at the articles ranking on top five positions for that keyword and cover all the information that your article is missing in more detail.

We are not saying that you should just add more text to it. You need to make it more useful, informative, and comprehensive.

2. Evaluate On-page SEO

Use All in One SEO (AIOSEO) to improve the on-page SEO score for that article. It gives practical tips on improving a page by analyzing the content, keyword density, title, readability, links, and more.

You can also check out our guide on the SEO audit checklist to boost your rankings.

3. Increase time users spend on that page

Google considers it a success when users click on a search result and spend time viewing it. This means your content needs to be highly engaging and instantly provide users with the information they were looking for.

Here are some crazy simple things you can do to increase user engagement.

Use images – users find images much easier to look at than text. Adding more images makes it easier for users to scan the information and keeps them engaged.
Use videos – Videos are the most engaging form of content available. Adding video to a page significantly increases the time users spend viewing that page.
Make text more readable – Use smaller paragraphs, lots of white space, simpler sentences, and keep your style casual and conversational. All these things make reading easier for users.

For more tips, see this article on how to increase time users spend on your site.

13. Using Link Reports in Google Search Console

Links play an important role in WordPress SEO. Search engines use them as a metric to determine how important a page is and where it should rank in search results.

The Links report in Google Search helps you see your website’s performance in terms of links.

It shows you external links, internal links, top linking sites, and top linking text. More importantly, it shows top linking sites, how often they link to your site, and how many pages they link to.

Let’s see how you can use these reports to get more backlinks, improve internal links, and boost your rankings.

14. Getting More Backlinks from Third-Party Websites

Search console shows third-party websites that have linked to your site in the ‘Top linking sites’ report. You can expand the report by clicking on the ‘More’ link at the bottom.

If you click on a domain name to expand the report, you will see all the pages they have linked to. Next, click on each page to get the exact URL linked to that particular page.

You can now use this data to get more backlinks for your site. Simply visit the website and see how they have linked to you. After that, see what other content they have where your site can be linked from.

Next, simply reach out to the website via email or contact form on their website.

First, thank them for linking to your article and then politely mention that they may want to include a link to an article of yours.

Now, this direct approach may not always work. In that case, you need to be creative. You can offer them to write a guest post for their blog, leave comments on their articles, follow them on social media, or retweet their articles.

Repeat the process for all important external links on your website. With consistent effort, you can get proper backlinks without spending any money.

15. Improving Internal Links to Boost Rankings

It is harder to get third-party websites to link to your content. However, it is way easier to link to your own content from your own site. This practice is called internal linking.

Internal linking helps search engines understand the context and relationships among different pages on your website. It also helps them understand which pages are important based on how often you have linked to them.

This is why you should make internal linking a habit when writing new content on your website or blog.

Now let’s see how to use the links reports in Search Console to help you build internal links.

In Google Search Console, click on the Links report and then click on the ‘More’ link under the ‘Internal Links’ column. The report shows how often you have linked to other pages on your site.

Go ahead and click the filter icon and then select the ‘Target page’ option.

Search Console will now show you how many pages are linking to this page. You can now compare it with other pages and see whether pages with more internal links are ranking higher than posts with many internal links.

If that’s the case, then go ahead and start adding internal links to pages that you want to rank higher. Make sure you are only linking to the article when it makes sense. Adding links where they don’t make sense would create a bad user experience.

16. Using Core Web Vitals in Search Console

Did you know that Google now considers your website loading speed as a ranking factor?

In 2020, Google introduced Core Web Vitals that measures how fast your website is and help the search engine measure your site’s user experience.

In Google Search Console, you can view the ‘Core Web Vitals’ report under the Experience menu on your left. It provides a complete report about your site’s speed score for mobile and desktop.

The best part is that you also get recommendations on how to improve your Core Web Vitals score and improve your site’s load time.

For more information, please refer to our guide on how to boost WordPress speed and performance.

17. Create Rich Snippets for Your WordPress Pages

Rich snippets or schema markup allows Google to display additional information in its search results. These include star ratings, prices, reviews, and more.

Rich snippets make your page more noticeable in the search results. As a result, you get more clicks and website traffic.

Many WordPress themes automatically include some basic structured data. If you publish recipes, run a reviews site, or an online store, then rich snippets can give your site an SEO boost.

Google Search Console makes it very easy to find pages that are displaying rich snippets. It also shows the type of rich snippets for your website.

You can view them by going to ‘Overview’ and then scrolling down to the ‘Enhancements’ section.

The real useful part is that the report allows you to quickly look at pages that have errors while displaying rich snippets so that you can fix them.

If you want to learn more about setting up rich snippets, then please see our guide on how to add schema markup in WordPress and WooCommerce.

18. Using Search Console to Improve Mobile Usability

Nearly 63% of all Google searches in the United States come from mobile devices. That’s why Google gives an SEO bump to mobile-friendly websites in the search results.

Google has a Mobile-Friendly test tool that allows you to quickly examine a page. The Mobile Usability report in Search Console tells you how Google sees your entire website in mobile performance.

If you see errors on this page, then this means that these issues may affect your site’s rankings.

To see the affected pages, you can scroll down to the ‘Details’ section and click on the error.

Poorly coded WordPress themes or plugins cause most mobile usability issues. The easiest way to fix those issues is by using a better responsive WordPress theme.

19. Use URL Inspection Tool in Search Console

The URL Inspection tool in Google Search Console provides information about a page if it’s on Google search results or not.

You can check the status of a page and also request Google to recrawl a page. To start, simply enter a URL in the top search bar.

Google Search Console will then show you the status of the page is indexed by Google. If it’s not indexed, then you’ll see a message saying ‘URL is not on Google.’

You can click the ‘Requesting Indexing’ button and request Google to manually fetch the page from your website.

Besides that, you can scroll down and see more details in the ‘Coverage’ report. It will show information about sitemaps, crawl history, and indexing.

You can also live test a URL and see if there is an indexable version available. If there is, then simply click the ‘Request Indexing’ option.

20. Removing URLs from Google Search

So far, we have focused on using Search Console to get your content indexed and improve rankings in Google Search. However, sometimes you may want to remove content from Google Search as well.

One way to do this is to add a noindex meta tag to the page you want to remove from search results. However, depending on how often Google crawls your website, this could take some time before your page actually disappears from search results.

Search Console’s Remove URL tool allows you to request a URL to be removed from the search results. Simply click on ‘Removals’ under Index in the menu on your left.

Now click on the ‘New Request’ button, and a popup window will appear. Go ahead and enter the URL you want to remove, select whether you want to remove this URL only or with this prefix, and click the ‘Next’ button.

Google will now block the URL from its search results for about six months. You can add as many URLs as you want and see them in the Removals section in the Search Console.

21. Adding Users to Access Google Search Console

If you have a marketing team or you have hired someone to help you with SEO, then those users may need access to Google search console data.

Search Console allows you to easily add users and give them access to view all reports without sharing your Google account credentials with them.

To add a new user, simply click on the Settings » Users and permissions option under Property settings and then click on ‘Add User’ button.

Next, you need to provide the user’s valid Google account email address and select permission to grant them.

There are two types of permission levels. The full permission level will give them access to everything, including the ability to add new users. Restricted permissions will allow them to view the data but not add new users.

After choosing a permission level, click on the ‘Add’ button to save your changes.

The user you added will now receive an email notification, so they can login and view Google Search Console data for your website.

Helpful Resources

Following helpful resources on WPBeginner will help you further improve your website’s performance in search engines.

Ultimate WordPress SEO Guide – Our complete step by step WordPress SEO guide will walk you through complete WordPress SEO setup like a pro.
WordPress Performance Guide – Step by step guide to improve your WordPress speed and performance for higher search rankings and better user experience.
WordPress Security Guide – Keep your WordPress site secure with this complete WordPress security guide for beginners.
Tracking User Engagement – This guide helps you learn how to track user activity on your website and use it to plan your growth strategy.
Convert visitors into Customers – If you run an online store, then this guide will show you how to convert search traffic into paying customers.

We hope this article gave you some good tips on using Google Search Console more effectively to grow your site. You may also want to see our guide on the best managed WordPress hosting and how to move WordPress from HTTP to HTTPS.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Source :
https://www.wpbeginner.com/beginners-guide/google-search-console-ultimate-guide/

Android’s March 2022 security updates fix three critical bugs

Google has released the March 2022 security updates for Android 10, 11, and 12, addressing three critical severity flaws, one of which affects all devices running the latest version of the mobile OS.

Tracked as CVE-2021-39708, the flaw lies in the Android System component, and it’s an escalation of privilege problem requiring no user interaction or additional execution privileges.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.” – mentions Google’s bulletin.

The other two critical flaws are CVE-2021-1942 and CVE-2021-35110, both affecting closed-source components on Qualcomm-based devices.

For a full list of which Qualcomm chipsets are affected by these two vulnerabilities, check out the chipmaker’s security bulletin.

No further technical details have been published for any of the fixed vulnerabilities, as doing so would put users running an older patch level at risk.

Other fixes that land with the March 2022 update are:

1 medium severity escalation of privilege flaw in Android runtime (version 12)
5 high severity escalation of privileges flaws in Android Framework (versions 10, 11, 12)
2 high severity denial of service flaws in Android Framework (version 12)
1 high severity information disclosure in Media Framework (versions 10, 11, 12)
8 high severity escalation of privilege flaws in System (versions 10, 11, 12)
1 high severity information disclosure flaw in System (versions 10, 11, 12)
4 high severity escalation of privilege flaws in Kernel
1 high severity information disclosure in Kernel
3 high severity flaws in MediaTek components
10 high severity flaws in Qualcomm components

As is the case every month, Google has released two patch levels for March 2022, one denoted as “2022-03-01” and one as “2022-03-05”.

The second patch level includes everything in the first set plus fixes for third-party closed source and Kernel components that may not apply to all devices.

As such, your device vendor may choose to push the first level to save on roll-out time, and it won’t necessarily mean that you are left vulnerable to exploitation.

With the only exception being Google’s Pixel line which receives these security updates immediately, all other vendors will need some time to bundle the patches for each of their models, as different hardware configurations require dedicated testing and fine-tuning.

If you are running anything older than Android 10, consider upgrading to a new and actively supported device or flashing your existing with a third-party Android ROM that’s based on a recent AOSP version.

Source :
https://www.bleepingcomputer.com/news/security/androids-march-2022-security-updates-fix-three-critical-bugs/

Urgent Update Released for Zero-Day Chrome & Edge Vulnerability

Updates for both Google Chrome and Microsoft Edge have been released which address the critical CVE-2022-1096 zero-day exploit. If you use either of these web browsers, you should install the update immediately.

What we know so far

The high severity vulnerability — referred to as CVE-2022-1096 — stems from a newly-discovered “type confusion” issue with V8, Google’s open-source JavaScript engine that powers both Google Chrome and Microsoft Edge. The vulnerability, which affects Windows, Mac, and Linux, could allow hackers to hijack people’s web browsers and embed malicious code.

Although it didn’t elaborate, in a short blog post addressing the issue, Google stated that a known exploit currently exists in the wild, although it is not clear how many people have already been affected or how damaging this exploit is.

The vulnerability also affects Microsoft’s Chromium-based web browser Edge in the same way.

What you need to do

You can stay protected from this vulnerability by ensuring your web browser is updated to the latest version. For Google Chrome, this is version 99.0.4844.84 and for Microsoft Edge, it is version 99.0.1150.55.

To check if you have the latest version installed, within one of the web browsers, click the three vertical dots in the top right-hand corner > Settings > About Chrome/About Microsoft Edge. If you don’t already have the latest version installed, you will be presented with the option to download and install it.

How to help the online community

Due to Google remaining tight-lipped about the severity of the known exploit, the level of harm it could cause to potential victims is as yet unclear. To limit the fallout, we all need to do our part in spreading the word — especially when considering how easy it is to install the latest update and guarantee protection. If you found this article helpful and you would like to see that others are protected, please consider sharing this post.

Source :
https://news.trendmicro.com/2022/03/30/urgent-update-chrome-edge-zero-day/

Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability

Google on Friday shipped an out-of-band security update to address a high severity vulnerability in its Chrome browser that it said is being actively exploited in the wild.

Tracked as CVE-2022-1096, the zero-day flaw relates to a type confusion vulnerability in the V8 JavaScript engine. An anonymous researcher has been credited with reporting the bug on March 23, 2022.

Type confusion errors, which arise when a resource (e.g., a variable or an object) is accessed using a type that’s incompatible to what was originally initialized, could have serious consequences in languages that are not memory safe like C and C++, enabling a malicious actor to perform out-of-bounds memory access.

“When a memory buffer is accessed using the wrong type, it could read or write memory out of the bounds of the buffer, if the allocated buffer is smaller than the type that the code is attempting to access, leading to a crash and possibly code execution,” MITRE’s Common Weakness Enumeration (CWE) explains.

The tech giant acknowledged it’s “aware that an exploit for CVE-2022-1096 exists in the wild,” but stopped short of sharing additional specifics so as to prevent further exploitation and until a majority of users are updated with a fix.

CVE-2022-1096 is the second zero-day vulnerability addressed by Google in Chrome since the start of the year, the first being CVE-2022-0609, a use-after-free vulnerability in the Animation component that was patched on February 14, 2022.

Earlier this week, Google’s Threat Analysis Group (TAG) disclosed details of a twin campaign staged by North Korean nation-state groups that weaponized the flaw to strike U.S. based organizations spanning news media, IT, cryptocurrency, and fintech industries.

Google Chrome users are highly recommended to update to the latest version 99.0.4844.84 for Windows, Mac, and Linux to mitigate any potential threats. Users of Chromium-based browsers such as Microsoft Edge, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

Source :
https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html

New Browser-in-the Browser (BITB) Attack Makes Phishing Nearly Undetectable

A novel phishing technique called browser-in-the-browser (BitB) attack can be exploited to simulate a browser window within the browser in order to spoof a legitimate domain, thereby making it possible to stage convincing phishing attacks.

According to penetration tester and security researcher, who goes by the handle mrd0x on Twitter, the method takes advantage of third-party single sign-on (SSO) options embedded on websites such as “Sign in with Google” (or Facebook, Apple, or Microsoft).

While the default behavior when a user attempts to sign in via these methods is to be greeted by a pop-up window to complete the authentication process, the BitB attack aims to replicate this entire process using a mix of HTML and CSS code to create an entirely fabricated browser window.

“Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it’s basically indistinguishable,” mrd0x said in a technical write-up published last week. “JavaScript can be easily used to make the window appear on a link or button click, on the page loading etc.”

Interestingly, the technique has been abused in the wild at least once before. In February 2020, Zscaler disclosed details of a campaign that leveraged the BitB trick to siphon credentials for video game digital distribution service Steam by means of fake Counter-Strike: Global Offensive (CS: GO) websites.

“Normally, the measures taken by a user to detect a phishing site include checking to see if the URL is legitimate, whether the website is using HTTPS, and whether there is any kind of homograph in the domain, among others,” Zscaler researcher Prakhar Shrotriya said at the time.

“In this case, everything looks fine as the domain is steamcommunity[.]com, which is legitimate and is using HTTPS. But when we try to drag this prompt from the currently used window, it disappears beyond the edge of the window as it is not a legitimate browser pop-up and is created using HTML in the current window.”

While this method significantly makes it easier to mount effective social engineering campaigns, it’s worth noting that potential victims need to be redirected to a phishing domain that can display such a fake authentication window for credential harvesting.

“But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so),” mrd0x added.

Source :
https://thehackernews.com/2022/03/new-browser-in-browser-bitb-attack.html

Google Buys Cybersecurity Firm Mandiant for $5.4 Billion

Google is officially buying threat intelligence and incident response company Mandiant in an all-cash deal approximately valued at $5.4 billion, the two technology firms announced Tuesday.

Mandiant is expected to be folded into Google Cloud upon the closure of the acquisition, which is slated to happen later this year, adding to the latter’s growing portfolio of security offerings such as BeyondCorp Enterprise, VirusTotal, Chronicle, and the Cybersecurity Action Team.

“Today, organizations are facing cybersecurity challenges that have accelerated in frequency, severity and diversity, creating a global security imperative,” Google said in a statement.

“To address these risks, enterprises need to be able to detect and respond to adversaries quickly; analyze and automate threat intelligence to scale threat detection across organizations; orchestrate and automate remediation; validate their protection against known threats; and visualize their IT environment in order to identify and simulate new threats.”

Mandiant became a standalone entity again in June 2021 when FireEye, which acquired the company in 2013, sold its products business and the FireEye brand for $1.2 billion to a consortium led by private-equity firm Symphony Technology Group.

Symphony, which also acquired McAfee Enterprise for $4 billion in March 2021, combined the two businesses to launch Trellix earlier this year.

The cybersecurity firm is best known for uncovering and investigating the supply chain compromise of SolarWinds, a devastating cyber attack that affected thousands of its downstream customers and went unnoticed for months until its discovery in December 2020.

“The acquisition will complement Google Cloud’s existing strengths in security,” Mandiant said, stating the deal will “deliver an end-to-end security operations suite with even greater capabilities as well as advisory services helping customers address critical security challenges and stay protected at every stage of the security lifecycle.”

Source :
https://thehackernews.com/2022/03/google-buys-cybersecurity-firm-mandiant.html

Google Chrome to Help Users Identify Untrusted Extensions Before Installation

Google on Thursday said it’s rolling out new security features to Chrome browser aimed at detecting suspicious downloads and extensions via its Enhanced Safe Browsing feature, which it launched a year ago.

To this end, the search giant said it will now offer additional protections when users attempt to install a new extension from the Chrome Web Store, notifying if it can be considered “trusted.”

Currently, 75% of all add-ons on the platform are compliant, the company pointed out, adding “any extensions built by a developer who follows the Chrome Web Store Developer Program Policies, will be considered trusted by Enhanced Safe Browsing.”

Enhanced Safe Browsing involves sharing real-time data with Google Safe Browsing to proactively safeguard users against dangerous sites. The company also noted that its integration with Safe Browsing’s blocklist API helped improve privacy and security, with the number of malicious extensions disabled by the browser jumping by 81%.

Also coming to Chrome is a new download protection feature that scans downloaded files for malware by using metadata about the downloaded file, alongside giving users the option to send the file to be scanned for a more in depth analysis.

“If you choose to send the file, Chrome will upload it to Google Safe Browsing, which will scan it using its static and dynamic analysis classifiers in real time,” Google said. “After a short wait, if Safe Browsing determines the file is unsafe, Chrome will display a warning.”

Despite the file being labeled as potentially dangerous, users still have the option to open the file without scanning. Should users opt to scan the file, the company said the uploaded files are deleted from Safe Browsing a short time after scanning.

While it didn’t specify the exact timeframe for when this removal would happen, in accordance with Google Chrome Privacy Whitepaper, the company “logs the transferred data in its raw form and retains this data for up to 30 days” for all Safe Browsing requests, after which only anonymized statistics are retained.

The new features are available starting with Chrome 91, the version of the browser that was released on May 26. Users can turn on Enhanced Safe Browsing by visiting Settings > Privacy and security > Security > Enhanced protection.

Source :
https://thehackernews.com/2021/06/google-chrome-to-help-users-identify.html

New Attack Could Let Hackers Clone Your Google Titan 2FA Security Keys

Hardware security keys—such as those from Google and Yubico—are considered the most secure means to protect accounts from phishing and takeover attacks.

But a new research published on Thursday demonstrates how an adversary in possession of such a two-factor authentication (2FA) device can clone it by exploiting an electromagnetic side-channel in the chip embedded in it.

The vulnerability (tracked as CVE-2021-3011) allows the bad actor to extract the encryption key or the ECDSA private key linked to a victim’s account from a FIDO Universal 2nd Factor (U2F) device like Google Titan Key or YubiKey, thus completely undermining the 2FA protections.

“The adversary can sign in to the victim’s application account without the U2F device, and without the victim noticing,” NinjaLab researchers Victor Lomne and Thomas Roche said in a 60-page analysis.

“In other words, the adversary created a clone of the U2F device for the victim’s application account. This clone will give access to the application account as long as the legitimate user does not revoke its second factor authentication credentials.”

The whole list of products impacted by the flaw includes all versions of Google Titan Security Key (all versions), Yubico Yubikey Neo, Feitian FIDO NFC USB-A / K9, Feitian MultiPass FIDO / K13, Feitian ePass FIDO USB-C / K21, and Feitian FIDO NFC USB-C / K40.

Besides the security keys, the attack can also be carried out on NXP JavaCard chips, including NXP J3D081_M59_DF, NXP J3A081, NXP J2E081_M64, NXP J3D145_M59, NXP J3D081_M59, NXP J3E145_M64, and NXP J3E081_M64_DF, and their respective variants.

The key-recovery attack, while doubtless severe, needs to meet a number of prerequisites in order to be successful.

An actor will have first to steal the target’s login and password of an account secured by the physical key, then stealthily gain access to Titan Security Key in question, not to mention acquire expensive equipment costing north of $12,000, and have enough expertise to build custom software to extract the key linked to the account.

“It is still safer to use your Google Titan Security Key or other impacted products as a FIDO U2F two-factor authentication token to sign in to applications rather than not using one,” the researchers said.

To clone the U2F key, the researchers set about the task by tearing the device down using a hot air gun to remove the plastic casing and expose the two microcontrollers soldered in it — a secure enclave (NXP A700X chip) that’s used to perform the cryptographic operations and a general-purpose chip that acts as a router between the USB/NFC interfaces and the authentication microcontroller.

Once this is achieved, the researchers say it’s possible to glean the ECDSA encryption key via a side-channel attack by observing the electromagnetic radiations coming off the NXP chip during ECDSA signatures, the core cryptographic operation of the FIDO U2F protocol that’s performed when a U2F key is registered for the first time to work with a new account.

A side-channel attack typically works based on information gained from the implementation of a computer system, rather than exploiting a weakness in the software. Often, such attacks leverage timing information, power consumption, electromagnetic leaks, and acoustic signals as a source of data leakage.

By acquiring 6,000 such side-channel traces of the U2F authentication request commands over a six-hour period, the researchers said they were able to recover the ECDSA private key linked to a FIDO U2F account created for the experiment using an unsupervised machine learning model.

Although the security of a hardware security key isn’t diminished by the above attack due to the limitations involved, a potential exploitation in the wild is not inconceivable.

“Nevertheless, this work shows that the Google Titan Security Key (or other impacted products) would not avoid [an] unnoticed security breach by attackers willing to put enough effort into it,” the researchers concluded. “Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered.”

Introducing Google Workspace

For more than a decade, we’ve been building products to help people transform the way they work.

Now, work itself is transforming in unprecedented ways. For many of us, work is no longer a physical place we go to, and interactions that used to take place in person are being rapidly digitized. Office workers no longer have impromptu discussions at the coffee machine or while walking to meetings together, and instead have turned their homes into workspaces. Frontline workers, from builders on a construction site to delivery specialists keeping critical supply chains moving, are turning to their phones to help get their jobs done. While doctors treating patients and local government agencies engaging with their communities are accelerating how they can use technology to deliver their services.

Amidst this transformation, time is more fragmented—split between work and personal responsibilities—and human connections are more difficult than ever to establish and maintain.

These are unique challenges, but they also represent a significant opportunity to help people succeed in this highly distributed and increasingly digitized world. With the right solution in place, people are able to collaborate more easily, spend time on what matters most, and foster human connections, no matter where they are.

That solution is Google Workspace: everything you need to get anything done, now in one place. Google Workspace includes all of the productivity apps you know and love—Gmail, Calendar, Drive, Docs, Sheets, Slides, Meet, and many more. Whether you’re returning to the office, working from home, on the frontlines with your mobile device, or connecting with customers, Google Workspace is the best way to create, communicate, and collaborate.https://www.youtube.com/embed/bE31y5HbukA

With Google Workspace, we’re introducing three major developments:

a new, deeply integrated user experience that helps teams collaborate more effectively, frontline workers stay connected, and businesses power new digital customer experiences
a new brand identity that reflects our ambitious product vision and the way our products work together
new ways to get started with solutions tailored to the unique needs of our broad range of customers

New user experience

At Next OnAir in July, we announced a better home for work. One that thoughtfully brings together core tools for communication and collaboration—like chat, email, voice and video calling, and content management and collaboration—into a single, unified experience to ensure that employees have access to everything they need in one place. This integrated experience is now generally available to all paying customers of Google Workspace.

In the coming months we’ll also be bringing this new experience to consumers to help them do things like set up a neighborhood group, manage a family budget, or plan a celebration using integrated tools like Gmail, Chat, Meet, Docs, and Tasks.

We’ve already made it easier for business users to connect with customers and partners using guest access features in Chat and Drive, and in the coming weeks, you’ll be able to dynamically create and collaborate on a document with guests in a Chat room. This makes it easy to share content and directly work together with those outside your organization, and ensure that everyone has access and visibility to the same information.

When every minute you spend at work is a minute you could be helping your daughter with her homework, efficiency is everything. We’ve been working hard to add helpful features that make it easier to get your most important work done. For example, in Docs, Sheets, and Slides, you can now preview a linked file without having to open a new tab—which means less time spent moving between apps, and more time getting work done. And beginning today, when you @mention someone in your document, a smart chip will show contact details, including for those outside your organization, provide context and even suggest actions like adding that person to Contacts or reaching out via email, chat or video.

By connecting you to relevant content and people right in Docs, Sheets and Slides, Google Workspace helps you get more done from where you already are.

We also recognize that reinforcing human connections is even more important when people are working remotely and interacting with their customers digitally. It’s what keeps teams together and helps build trust and loyalty with your customers.

Back in July, we shared that we’re bringing Meet picture-in-picture to Gmail and Chat, so you can actually see and hear the people you’re working with, while you’re collaborating. In the coming months, we’ll be rolling out Meet picture-in-picture to Docs, Sheets, and Slides, too. This is especially powerful for customer interactions where you’re pitching a proposal or walking through a document. Where before, you could only see the file you were presenting, now you’ll get all those valuable nonverbal cues that come with actually seeing someone’s face.

And because we know many companies are implementing a mix of remote and in-person work environments, Meet supports a variety of devices with the best of Google AI built-in. From helpful and inclusive Series One hardware kits that provide immersive sound and effortlessly scalability, to native integrations with Chromecast and Nest Smart Displays that make your work experience more enjoyable—whether that’s at home or in the office.

New brand identity

10 years ago, when many of our products were first developed, they were created as individual apps that solved distinct challenges—like a better email with Gmail, or a new way for individuals to collaborate together with Docs. Over time, our products have become more integrated, so much so that the lines between our apps have started to disappear.

Our new Google Workspace brand reflects this more connected, helpful, and flexible experience, and our icons will reflect the same. In the coming weeks, you will see new four-color icons for Gmail, Drive, Calendar, Meet, and our collaborative content creation tools like Docs, Sheets, Slides that are part of the same family. They represent our commitment to building integrated communication and collaboration experiences for everyone, all with helpfulness from Google.https://www.youtube.com/embed/uZXa0N0-Zu0

We are also bringing Google Workspace to our education and nonprofit customers in the coming months. Education customers can continue to access our tools via G Suite for Education, which includes Classroom, Assignments, Gmail, Calendar, Drive, Docs, Sheets, Slides, and Meet. G Suite for Nonprofits will continue to be available to eligible organizations through the Google for Nonprofits program.

New ways to get started

Simplicity, helpfulness, flexibility—these guiding principles apply both to the way people experience our products and to the way we do business. All of our customers share a need for transformative solutions—whether to power remote work, support frontline workers, create immersive digital experiences for their own customers, or all of the above—but their storage, management, and security and compliance needs often vary greatly.

In order to provide more choice and help customers get the most out of Google Workspace, we are evolving our editions to provide more tailored offerings. Our new editions for smaller businesses are aimed at those often looking to make fast, self-serviced purchases. Our editions for larger enterprises are designed to help organizations that have more complex implementation needs and often require technical assistance over the course of a longer buying and deployment cycle.

You can learn more about these new offerings on our pricing page. And existing customers can read more here.

Empowering our customers and partners

You, our customers and our users, are our inspiration as we work together to navigate the change ahead. This is an incredibly challenging time, but we believe it’s also the beginning of a new approach to working together. One that is more productive, collaborative, and impactful.

Google Workspace embodies our vision for a future where work is more flexible, time is more precious, and enabling stronger human connections becomes even more important. It’s a vision we’ve been building toward for more than a decade, and one we’re excited to bring to life together with you.

Source :
https://cloud.google.com/blog/products/workspace/introducing-google-workspace

Google Pixel 4a is the first device to go through ioXt at launch

Trust is very important when it comes to the relationship between a user and their smartphone. While phone functionality and design can enhance the user experience, security is fundamental and foundational to our relationship with our phones.There are multiple ways to build trust around the security capabilities that a device provides and we continue to invest in verifiable ways to do just that.

Pixel 4a ioXt certification

Today we are happy to announce that the Pixel 4/4 XL and the newly launched Pixel 4a are the first Android smartphones to go through ioXt certification against the Android Profile.

The Internet of Secure Things Alliance (ioXt) manages a security compliance assessment program for connected devices. ioXt has over 200 members across various industries, including Google, Amazon, Facebook, T-Mobile, Comcast, Zigbee Alliance, Z-Wave Alliance, Legrand, Resideo, Schneider Electric, and many others. With so many companies involved, ioXt covers a wide range of device types, including smart lighting, smart speakers, webcams, and Android smartphones.

The core focus of ioXt is “to set security standards that bring security, upgradability and transparency to the market and directly into the hands of consumers.” This is accomplished by assessing devices against a baseline set of requirements and relying on publicly available evidence. The goal of ioXt’s approach is to enable users, enterprises, regulators, and other stakeholders to understand the security in connected products to drive better awareness towards how these products are protecting the security and privacy of users.

ioXt’s baseline security requirements are tailored for product classes, and the ioXt Android Profile enables smartphone manufacturers to differentiate security capabilities, including biometric authentication strength, security update frequency, length of security support lifetime commitment, vulnerability disclosure program quality, and preloaded app risk minimization.

We believe that using a widely known industry consortium standard for Pixel certification provides increased trust in the security claims we make to our users. NCC Group has published an audit report that can be downloaded here. The report documents the evaluation of Pixel 4/4 XL and Pixel 4a against the ioXt Android Profile.

Security by Default is one of the most important criteria used in the ioXt Android profile. Security by Default rates devices by cumulatively scoring the risk for all preloads on a particular device. For this particular measurement, we worked with a team of university experts from the University of Cambridge, University of Strathclyde, and Johannes Kepler University in Linz to create a formula that considers the risk of platform signed apps, pregranted permissions on preloaded apps, and apps communicating using cleartext traffic.

Screenshot of the presentation of the Android Device Security Database at the Android Security Symposium 2020

In partnership with those teams, Google created Uraniborg, an open source tool that collects necessary attributes from the device and runs it through this formula to come up with a raw score. NCC Group leveraged Uraniborg to conduct the assessment for the ioXt Security by Default category.

As part of our ongoing certification efforts, we look forward to submitting future Pixel smartphones through the ioXt standard, and we encourage the Android device ecosystem to participate in similar transparency efforts for their devices.

Acknowledgements: This post leveraged contributions from Sudhi Herle, Billy Lau and Sam Schumacher

Source :
https://security.googleblog.com/2020/08/pixel-4a-is-first-device-to-go-through.html