You Got That Wrong, Say Google And Facebook

Martin Brinkmann
May 12, 2011
Updated • Dec 16, 2014

When it comes to security on the Internet, it can be extremely complicated for end-users to find out who is telling the truth, who is not and who is bending it. Two days ago news broke that French security company Vupen managed to bypass the Chrome browser's sandbox, something that no one had managed to do before.

A demonstration video was shown, but no proof of concept website or exploit information were revealed besides that.

Google's official investigation of the vulnerability is still ongoing and taking longer than usual as Vupen is not sharing details of the exploit with Google.

Google engineers on the other hand expressed their opinion about the discovery on Twitter. Tavis Ormandy, a Google security engineer, posted a message on Twitter saying that Vupen had it all wrong, and that they exploited a Flash bug and did not penetrate the sandbox of Chrome. Others like Chris Evans posted similar messages on Twitter.

google chrome sandbox exploit

Discussion between Chrome engineers and Vupen researchers continued for some time on Twitter, and grew heated at times. Vupen meanwhile announced that they got the exploit to work both on Chrome 11 and 12.

There are now two sides to the story. Vupen on the one side claiming to have beat Google Chrome's sandbox, and Google on the other saying that it was not the case. Google's adamant in defending their browser's security concept and sandboxing, as it is one feature that distinguishes it from other web browsers. A successful exploit could put a dent into the browser's reputation as one of the most secure web browser.

Does it make a difference if a Flash vulnerability was used to load the Calculator on Windows? From a technical perspective yes, from an end users perspective no.

But Google was not the only company who refuted security allegations today.

Symantec published research on the company blog yesterday that revealed information about an access vulnerability discovered on the social networking site Facebook. According to Symantec's research, Facebook applications may leak access keys to advertisers and other third parties. Access keys are generated when a user gives an application privileges on Facebook, and used to act with the user's privileges.

With those keys in the wrong hand, they could be used to perform actions that the user has authorized the application for. This includes posting on the user's wall, accessing a user's profile or profiles of friends, or reading messages that the user has written in the past.

Facebook spokeswomen Malorie Lucich downplayed Symantec's allegations in an email to PC World. She basically said that the report had inaccuracies, and that no private information could have been passed to third parties.

That sounds like a definitive no. Lucich continued stating that Facebook had no evidence of a privacy breach, and that the engineers took the necessary steps to resolve the issue, which again sounds like there has been a issue, and that Facebook did fix it after it was reported to them.

The truth in this case may be somewhere in the middle. Facebook did not deny Symantec's findings directly, which indicates that there may be some truth to the findings after all.

If you look at the story from an end-user perspective, you are again left with no definitive answer as to what has happened. Were applications able to leak access tokens? Likely. Did advertisers or third parties exploit the issue? That's not as likely, according to Symantec, and not possible according to Facebook.


Previous Post: «
Next Post: «


  1. DanTe said on May 13, 2011 at 5:48 am

    As I’ve speculated here when the story first broke, it’s most likely Adobe Flash. It’s very very hard to sandbox badly written codes like Adobe’s. Using Adobe products is a guarantee dumb down of your PC’s security to Apple levels.

  2. TRY said on May 12, 2011 at 9:05 pm

    I seems to be inclined towards Vupen and Symantec here ;)

    1. Martin Brinkmann said on May 12, 2011 at 9:09 pm

      Well I do not know who is right and who is not. When I do not know I usually assume the worst ;)

  3. Ralph said on May 12, 2011 at 11:51 am

    I remember Google stating that they had sandboxed Flash within Chromium.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.