The latest security vulnerability was discovered by researcher Liu Die Yu of the TopsecTianRongXin research lab in Beijing who discovered a way to spoof the address that is shown in the browser’s address bar. His proof of concept demonstration makes use of a button and Javascript. A user pressing the button will see an url change in the browser’s address bar. A look in the source code however reveals that the user is still on the same site and not at the website shown in the address bar.

The flaw could be used to display a PayPal button (or Google Checkout) on a website that would lead to a fake website where the user’s login credentials could be easily fished.

Google will release an end user update soon that will fix the security vulnerability. The only safe thing to do until then is to either switch to Dev Channel builds for the time being that already have a fix included or stop using Google Chrome until the security vulnerability has been patched.

One could think that other browsers based on Webkit are vulnerable as well. This is not the case however according to Liu Die Yu who attributed the security vulnerability to code added by Google developers.

Related posts

• Google Chrome Nightly Builds Downloader (8)
• Google Chrome 2.0 Pre-Beta Release (7)
• Share Bookmarks (0)
• One Step Closer To Extension Support In Google Browser (2)
• Google Chrome To Get Automatic Userscript Support (2)