Today’s Topics:

• Chrome 136 Patches 20-Year Privacy Loophole Linked to Visited Link Styling
• Tycoon2FA Phishing Kit Evolves With Advanced MFA Bypass and Evasion Tactics
• How can Netizen help?

Chrome 136 Patches 20-Year Privacy Loophole Linked to Visited Link Styling

Google has resolved a long-standing web privacy flaw in Chrome that allowed websites to detect a user’s browsing history by exploiting the browser’s styling of visited links. The fix, which lands in Chrome version 136, closes a gap that’s existed for over two decades and has been used in multiple real-world tracking techniques.

Web browsers traditionally allow websites to visually distinguish between visited and unvisited links by applying different styles using the CSS :visited selector. A visited link often appears in purple instead of blue, which serves as a helpful user interface cue.

However, this visual feedback creates an opportunity for malicious sites to check if certain links have been visited by measuring how they render. This side channel can be abused to reconstruct parts of a user’s browsing history.

Even though browsers like Chrome blocked access to certain styling properties to mitigate this, researchers still demonstrated successful privacy attacks using techniques such as:

• Timing-based inference
• Pixel inspection
• User interaction tracking
• Process-level attacks

These tactics made it possible to confirm whether a visitor had previously accessed certain URLs — across different sites — without any user interaction.

Starting in Chrome 136, visited links are no longer treated globally. Instead, Chrome applies triple-key partitioning to store visited status using:

1. The destination URL (the actual link)
2. The top-level site (domain in the address bar)
3. The frame origin (the frame or iframe where the link is displayed)

With this change, a visited link will only appear as visited if it was clicked on the same site and within the same frame origin. This eliminates cross-site leakage while preserving the feature’s utility for single-site navigation.

To maintain usability, Chrome includes a self-link exception. If a user visits a link on a given site, that link will still show as visited when viewed on that same site, even if it was originally clicked from a different domain. Since the site already knows which of its pages were visited, this doesn’t introduce new privacy risks.

Google considered alternatives, including:

• Deprecating :visited entirely: ruled out due to its UX value
• Permissions models: considered too easy to exploit or mislead users

Instead, partitioning provided the best balance of security and usability.

This fix was introduced as an experimental flag in Chrome 132 and will be enabled by default in Chrome 136. Until then, users can manually activate it via the following flag:

pgsqlCopychrome://flags/#partition-visited-link-database-with-self-links

After setting the flag to “Enabled”, restart Chrome to apply the change. Note that this experimental version may still show unstable behavior in some contexts.

As of now, other major browsers like Firefox and Safari have only partially mitigated the :visited link leakage issue. Chrome 136 sets a new benchmark in addressing this subtle but impactful privacy concern.

Tycoon2FA Phishing Kit Evolves With Advanced MFA Bypass and Evasion Tactics

The Tycoon2FA phishing kit—known for its ability to bypass multi-factor authentication (MFA) for Microsoft 365 and Gmail accounts—has received major updates that improve its stealth, obfuscation, and evasive capabilities.

Originally identified by Sekoia in late 2023, the Tycoon2FA phishing-as-a-service (PhaaS) platform continues to evolve, with the latest findings from Trustwave detailing how its updated toolkit now evades detection more effectively and targets victims with increased precision.

Key Technical Enhancements

1. Unicode Obfuscation in JavaScript Tycoon2FA operators are now using invisible Unicode characters to embed binary data inside JavaScript payloads. This data is then decoded and executed at runtime, making static pattern detection and manual code inspection significantly more difficult. First reported by Juniper Threat Labs, this technique helps the payload fly under the radar of most email filters and endpoint detection tools.

2. Self-Hosted CAPTCHA Using HTML5 Canvas The kit has moved away from using Cloudflare Turnstile in favor of a self-hosted CAPTCHA rendered via HTML5 canvas. The visual elements are randomized to avoid fingerprinting, allowing attackers to bypass domain reputation systems and detection based on CAPTCHA frameworks.

3. Advanced Anti-Debugging and Analysis Evasion New anti-debugging logic detects common analysis tools like Burp Suite and PhantomJS. If these tools are identified, or if the CAPTCHA interaction fails (a potential sign of an automated scanner), the user is redirected either to a legitimate site like rakuten.com or is served a decoy page to break the analysis flow.

These improvements make it more difficult for defenders to analyze infrastructure, reverse engineer payloads, or automate detection via browser-based sandboxing.

In parallel with toolkit updates, Trustwave has observed a dramatic increase in the use of malicious SVG files in phishing campaigns—an 1,800% jump from April 2024 to March 2025. This surge is being fueled by Tycoon2FA and other PhaaS platforms like Mamba2FA and Sneaky2FA.

SVG files are being disguised as voicemail alerts, logos, or shared documents and are weaponized with embedded JavaScript. These scripts often use multiple layers of obfuscation—such as base64, ROT13, XOR, and junk code—to evade detection by email scanners and endpoint tools.

Upon rendering, the embedded code redirects the victim to fake Microsoft 365 login portals designed to harvest credentials.

A recent campaign spoofed Microsoft Teams notifications, using an SVG file disguised as a voicemail message. When opened, the file launched a browser and executed obfuscated JavaScript to redirect the user to a phishing page mimicking the Office 365 login screen.

The combination of SVG-based delivery and advanced obfuscation represents a notable evolution in phishing operations, especially those offered as turnkey services to lower-tier cybercriminals. These changes point to a broader trend: phishing campaigns are becoming more modular, evasive, and automated—targeting enterprise platforms with precision tools that bypass both MFA and modern email defenses.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Today’s Topics:

• WinRAR Vulnerability Enables Mark of the Web Bypass and Silent Code Execution
• Carding Tool Abusing WooCommerce API Downloaded 34,000 Times on PyPI
• How can Netizen help?

WinRAR Vulnerability Enables Mark of the Web Bypass and Silent Code Execution

A newly disclosed vulnerability in the popular file archiver WinRAR allows attackers to bypass Windows’ built-in Mark of the Web (MotW) protections, enabling the stealthy execution of potentially malicious code. Tracked as CVE-2025-31334, the flaw affects all versions of WinRAR prior to the latest release, version 7.11.

Mark of the Web is a Windows security feature that flags files downloaded from the internet by tagging them with an alternate data stream called Zone.Identifier. When a user attempts to run a file tagged with MotW, Windows displays a security warning, prompting the user to confirm whether the file should be executed. This helps prevent accidental execution of malware and is one of the OS’s primary mechanisms for defending against internet-delivered threats.

The issue in WinRAR arises when a symbolic link (symlink) is embedded within an archive. If the symlink points to an executable file and the archive is opened using the WinRAR shell, the MotW flag is ignored entirely—even if the original file was downloaded from the internet and should have triggered a security warning.

This means an attacker could craft an archive containing a symlink to a malicious executable and distribute it online. When the user extracts and runs the file using WinRAR, the system would execute the code without any MotW-based warning.

It’s important to note that creating a symlink on a Windows system requires administrator-level permissions. While this adds some friction, it does not fully mitigate the risk—particularly in environments with weak privilege separation or systems already compromised in earlier stages of an attack.

The vulnerability has been rated with a CVSS score of 6.8, placing it in the medium severity range. The bug was responsibly disclosed to WinRAR’s developer RARLAB by researcher Shimamine Taihei of Mitsui Bussan Secure Directions. The coordination was managed through Japan’s Information Technology Promotion Agency (IPA) and Japan’s Computer Security Incident Response Team (JPCERT/CC).

WinRAR’s changelog for version 7.11 notes the fix simply:
“If symlink pointing at an executable was started from WinRAR shell, the executable Mark of the Web data was ignored.”

MotW bypasses have been increasingly targeted by both criminal and state-sponsored threat actors in recent years. Similar tactics have been used in other compression tools. For example, Russian cybercriminals recently exploited a bug in 7-Zip that failed to propagate MotW when using double compression techniques—allowing them to deploy malware like Smokeloader without triggering Windows alerts.

MotW bypasses are attractive to attackers because they help sidestep one of the final lines of defense in environments where users download and open untrusted files. These flaws are especially valuable in phishing campaigns, drive-by downloads, or watering hole attacks.

SOC teams should prioritize upgrading all endpoints to WinRAR 7.11 or later to ensure MotW tags are honored properly during archive extraction. While the CVSS score might not immediately suggest a critical risk, the potential to disable a key Windows security feature in user-facing workflows makes this bug particularly attractive to attackers focused on social engineering.

Security teams should also monitor for symlink usage within archive contexts, especially in user-writable directories. Consider implementing detection logic for non-standard execution paths involving archive tools, and review telemetry for execution of binaries extracted from archives that should have been flagged with MotW.

Lastly, this vulnerability serves as a reminder that endpoint protection strategies should not rely solely on operating system features like MotW. Defense-in-depth approaches—including behavior-based monitoring, application allowlisting, and user training—remain essential, especially when commonly used utilities like WinRAR can be used to subvert expected safeguards.

Carding Tool Abusing WooCommerce API Downloaded 34,000 Times on PyPI

A malicious Python package designed to validate stolen credit cards using legitimate WooCommerce stores has been downloaded more than 34,000 times from the Python Package Index (PyPI), highlighting the ongoing abuse of open-source ecosystems in support of cybercrime. The package, named disgrasya, was discovered by researchers at Socket and has since been removed from the repository—but not before it enabled wide-scale carding activity through automated abuse of online stores.

Unlike typical supply chain attacks that rely on deception or typo-squatting to trick developers into installing fake libraries, the disgrasya package made no effort to disguise its purpose. In fact, the PyPI listing clearly stated: “A utility for checking credit cards through multiple gateways using multi-threading and proxies.” This bold description signaled that the authors weren’t concerned with flying under the radar, using PyPI as a high-traffic distribution platform to reach carding actors across the globe.

According to Socket’s analysis, the malicious behavior was introduced in version 7.36.9—likely an intentional move to bypass security scans that are stricter for initial submissions. By delaying the addition of malicious code until a later version, attackers may have evaded automated analysis tools and code reviewers.

The script targets WooCommerce stores that use the CyberSource payment gateway, a common configuration for online businesses. The tool automates a process that would normally require human interaction by programmatically emulating a full online shopping session.

Here’s how the attack works:

• The script crawls legitimate WooCommerce stores and collects product IDs.
• It adds those products to a shopping cart using the site’s backend API.
• It moves to the checkout page and harvests critical session data: a CSRF token and a capture context, which is a dynamic key used by CyberSource to tokenize credit card data securely.
• Instead of sending the credit card details directly to CyberSource, the script transmits them to an attacker-controlled server (railgunmisaka.com), which mimics the payment gateway and returns a fake token.
• That token is used to complete the checkout process on the WooCommerce site. If the transaction goes through, the card is logged as valid; if not, it’s discarded and the next card in the list is tested.

This method allows the actor to verify thousands of stolen credit card numbers in a short time while leveraging legitimate infrastructure to avoid detection.

Socket points out that this workflow is methodical, difficult to detect, and designed to blend into normal site activity. It’s particularly dangerous for merchants because traditional anti-fraud systems often can’t distinguish these fake checkouts from legitimate customer behavior—especially when the tool simulates a complete transaction path.

Detection becomes even harder when attackers use proxies or botnets to distribute traffic across different IPs and regions, further mimicking normal web usage patterns.

Though detection is difficult, there are several ways to make life harder for carding actors:

• Block transactions under a certain threshold (e.g., <$5), which are commonly used for validation attempts.
• Monitor for checkout patterns with high failure rates or sudden spikes in low-value orders.
• Apply rate limits on checkout endpoints to slow down automated attacks.
• Add CAPTCHA challenges during checkout to interrupt script-based submissions.
• Track behavioral anomalies tied to repeated access from the same IP or region.

Merchants using WooCommerce, especially those with CyberSource integration, should consider reviewing their site logs for suspicious automated checkout activity and audit past orders for signs of carding.

Security teams should review web application logs for e-commerce properties to detect suspicious activity related to automated card validation. Look for checkout patterns involving low-value transactions, high error rates, or repeated requests originating from a limited IP pool. Integration monitoring tools and fraud prevention services should be configured to flag checkout endpoints for behavioral anomalies. SOC analysts should also ensure that payment APIs are not being indirectly abused through backend channels and should validate that session and payment token endpoints are not being exposed to external manipulation.

Finally, any organization distributing Python packages internally or externally should closely monitor updates for malicious behavior introduced in later versions of a package—especially those with no clear use case or documentation.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.