gHacks technology news » google chrome vulnerability http://www.ghacks.net A technology blog covering software, mobile phones, gadgets, security, the Internet and other relevant areas. Tue, 10 Nov 2009 01:33:24 +0000 http://wordpress.org/?v=2.8.5 en hourly 1 Google Chrome Address Spoofing Vulnerability http://www.ghacks.net/2008/10/28/google-chrome-address-spoofing-vulnerability/ http://www.ghacks.net/2008/10/28/google-chrome-address-spoofing-vulnerability/#comments Tue, 28 Oct 2008 10:16:41 +0000 Martin http://www.ghacks.net/?p=7916 Are that many security vulnerabilities of Google Chrome coming to light because it is less secure than other web browsers? Or is it because everyone is putting more effort into discovering vulnerabilities because it is Google’s browser? Whatever it is; No week passes by without the discovery of a new security vulnerability in Google Chrome.

The latest security vulnerability was discovered by researcher Liu Die Yu of the TopsecTianRongXin research lab in Beijing who discovered a way to spoof the address that is shown in the browser’s address bar. His proof of concept demonstration makes use of a button and Javascript. A user pressing the button will see an url change in the browser’s address bar. A look in the source code however reveals that the user is still on the same site and not at the website shown in the address bar.

The flaw could be used to display a PayPal button (or Google Checkout) on a website that would lead to a fake website where the user’s login credentials could be easily fished.

Google will release an end user update soon that will fix the security vulnerability. The only safe thing to do until then is to either switch to Dev Channel builds for the time being that already have a fix included or stop using Google Chrome until the security vulnerability has been patched.

One could think that other browsers based on Webkit are vulnerable as well. This is not the case however according to Liu Die Yu who attributed the security vulnerability to code added by Google developers.

Tags: , , , , ,

Related posts

]]> http://www.ghacks.net/2008/10/28/google-chrome-address-spoofing-vulnerability/feed/ 0 Google Chrome Security Vulnerability http://www.ghacks.net/2008/09/03/google-chrome-security-vulnerability/ http://www.ghacks.net/2008/09/03/google-chrome-security-vulnerability/#comments Wed, 03 Sep 2008 21:41:19 +0000 Martin http://www.ghacks.net/?p=6748 Now this did not take long. Only one day after releasing a first public beta version of Google Chrome researchers at Kaspersky discovered (Thanks Neil for sending the tip) a security vulnerability that combines a security flaw in Webkit, the browser engine used by Google Chrome, with a Java bug. Apple fixed the vulnerability in Safari back in July after two months of doing nothing about it and it will be interesting to see how fast Google will react to the security vulnerability.

The reason why this vulnerability is still working in Google Chrome is because Google has been using an older version of Webkit for their browser’s core. First of all, users without Java on their computers are completely safe. Users with Java and Chrome installed should read on.

The problem is serious but requires the user’s action to be triggered. If the user clicks on a specifically prepared download the file downloads and executes itself automatically without further user input.

Security expert Aviv Raff has setup a demo website that demonstrates the vulnerability in Google Chrome. The demonstration page provides a download button which will download and execute a Java file immediately without further user interaction. This demo only opens a notepad application but serious harm could be done with such an exploit.

Tags: , , , , ,

Related posts

]]> http://www.ghacks.net/2008/09/03/google-chrome-security-vulnerability/feed/ 21