Google Chrome Vulnerable to Secure Address Bar Spoofing
By Simon LR on January 4th, 2012

If you thought the site you were browsing was secure simply because of the little "s" at the end of HTTP, you may want to think again.

Security researchers at ACROS Security have posted details of a vulnerability in versions 14 and 15 of Google's Chrome browser. The issue comes from an inconsistency in how Chrome follows and renders redirections to other web pages. An attacker can redirect a visitor to a page that looks identical to a legitimate one, with a genuine-looking HTTPS URL in the address bar, when in fact the visitor is not on the expected page at all. This can lead to theft of credentials, credit card numbers and other personal information.

The crux of the issue comes down to Chrome updating the address bar very quickly, before any of the page content has actually loaded. That let the researchers change the destination of a navigation without the change being reflected in the address bar, so the URL and padlock on display no longer described the document the user was actually looking at. Most users "confirm" they are on the correct page simply by reading the address bar and matching it against what they expect to see, especially since the majority only visit a handful of specific websites.
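To make the root cause concrete, here is a small model, written for this article and not taken from ACROS or from Chrome's code, of the two places a browser can choose to update its address bar: as soon as a navigation or redirect hop starts ("eager", the behaviour described above), or only once the new document has actually committed and replaced the old one ("on-commit"). The hostnames, the event sequence and the policy names are assumptions made for the illustration; the scenario is not the researchers' proof of concept, just the general shape of the inconsistency.

```javascript
// Constructed model of how the URL shown in a browser's address bar can come
// apart from the document actually being rendered. Added illustration only;
// hostnames, event sequence and policy names are assumptions.
//
// Two policies for when the address bar is updated:
//   "eager":     the bar shows a URL as soon as a navigation (or redirect hop)
//                towards it starts, before any content has arrived
//   "on-commit": the bar changes only when the new document has actually
//                committed, i.e. begun to replace the old one

class Tab {
  constructor(policy) {
    this.policy = policy;
    this.displayedUrl = "about:blank"; // what the user reads in the address bar
    this.documentUrl = "about:blank";  // URL of the content currently rendered
    this.pendingUrl = null;            // navigation in flight, if any
  }

  // A navigation towards `url` begins (link click, window.open, location = ...).
  startNavigation(url) {
    this.pendingUrl = url;
    if (this.policy === "eager") this.displayedUrl = url;
  }

  // The pending request answered with an HTTP redirect to `url`; the browser
  // follows it, but no new document has been committed yet.
  redirect(url) {
    if (this.pendingUrl === null) throw new Error("no navigation in flight");
    this.pendingUrl = url;
    if (this.policy === "eager") this.displayedUrl = url;
  }

  // The response for the pending URL arrived and the renderer swapped in the
  // new document. Under either policy the bar now matches the content.
  commit() {
    if (this.pendingUrl === null) throw new Error("no navigation in flight");
    this.documentUrl = this.pendingUrl;
    this.displayedUrl = this.pendingUrl;
    this.pendingUrl = null;
  }

  // The pending navigation never commits (the target stalls, or the page's own
  // script cancels it). The old document stays on screen.
  abandon() {
    this.pendingUrl = null;
    // Under "eager" nothing restores displayedUrl, so the bar keeps showing a
    // document that never arrived; under "on-commit" it never changed.
  }

  // The invariant a browser must guarantee: the bar describes the rendered document.
  isSpoofed() {
    return this.displayedUrl !== this.documentUrl;
  }
}

// Scenario (constructed): the user lands on an attacker-controlled page, which
// starts a navigation that redirects to an HTTPS login page and then never
// completes. The attacker's content is still what is on screen.
function runScenario(policy) {
  const tab = new Tab(policy);
  tab.startNavigation("http://attacker.example/");
  tab.commit();
  tab.startNavigation("http://attacker.example/go");
  tab.redirect("https://bank.example/login");
  tab.abandon();
  return {
    displayed: tab.displayedUrl,
    rendered: tab.documentUrl,
    spoofed: tab.isSpoofed(),
  };
}

console.log("eager    :", runScenario("eager"));
console.log("on-commit:", runScenario("on-commit"));
```

Run with `node` and compare the two lines: under the eager policy the bar reads `https://bank.example/login` while the rendered document is still `http://attacker.example/`, which is exactly the condition a user cannot detect by reading the address bar. Binding the displayed URL to the committed document, as the on-commit policy does, is the property a fix has to restore; it is also why the commenter's preference below (keeping a failed URL visible) is in tension with security unless the browser also replaces the content with an error page.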

While the newest releases of Chrome (16 and above) have this issue resolved, Google's browser holds a relatively large market share of approximately 20% worldwide, which is more than 70 million users. If 75% of those users have updated, the remaining quarter would still be roughly 17.5 million users susceptible to this attack. With Google's auto-update mechanism, however, it is highly unlikely that so many old installations remain.

At Techie-Buzz alone, more than 1 million of our 3.5+ million visitors use Chrome. Google Chrome has been growing at a very rapid rate, pushing Microsoft's Internet Explorer and Mozilla's Firefox lower and lower. Chances are you are using Chrome because it is fast, so if you want to stay as safe as possible, keep Chrome updated and take a look at some of the popular security and privacy extensions.

Author: Simon LR

Simon LR can be contacted at simon@techie-buzz.com.
Comment by Pallab De (http://www.pallab.net):

    The crux of the issue comes down to Chrome being very quick to update the address bar, even before any of the page content has actually loaded.

    The same behavior is also present in Opera, so is Opera also vulnerable?
    And, I actually prefer and want this behavior. I have a habit of opening links from websites like reddit and facebook in bulk in new background tabs. Now, if a page fails to load, I want the URL to be present in the address bar and not be lost.

Copyright 2006-2012 Techie Buzz. All Rights Reserved.