The latest security vulnerability was discovered by researcher Liu Die Yu of the TopsecTianRongXin research lab in Beijing who discovered a way to spoof the address that is shown in the browser’s address bar. His proof of concept demonstration makes use of a button and Javascript. A user pressing the button will see an url change in the browser’s address bar. A look in the source code however reveals that the user is still on the same site and not at the website shown in the address bar.

The flaw could be used to display a PayPal button (or Google Checkout) on a website that would lead to a fake website where the user’s login credentials could be easily fished.

Google will release an end user update soon that will fix the security vulnerability. The only safe thing to do until then is to either switch to Dev Channel builds for the time being that already have a fix included or stop using Google Chrome until the security vulnerability has been patched.

One could think that other browsers based on Webkit are vulnerable as well. This is not the case however according to Liu Die Yu who attributed the security vulnerability to code added by Google developers.

The reason why this vulnerability is still working in Google Chrome is because Google has been using an older version of Webkit for their browser’s core. First of all, users without Java on their computers are completely safe. Users with Java and Chrome installed should read on.

The problem is serious but requires the user’s action to be triggered. If the user clicks on a specifically prepared download the file downloads and executes itself automatically without further user input.

Security expert Aviv Raff has setup a demo website that demonstrates the vulnerability in Google Chrome. The demonstration page provides a download button which will download and execute a Java file immediately without further user interaction. This demo only opens a notepad application but serious harm could be done with such an exploit.