New address spoofing flaw smudges Google's Chrome

Google's Chrome browser has been marred by yet another vulnerability, this one allowing attackers to impersonate websites of groups like the Better Business Bureau, PayPal or, well, Google. Researcher Liu Die Yu of the TopsecTianRongXin research lab in Beijing says the spoofing vulnerability is the result of faulty code …

COMMENTS

This topic is closed for new posts.
  1. This post has been deleted by its author

  2. Jeremy
    Boffin

    Erm no, it is a vulnerability, and it is there.

    El Reg has just linked to the proof of concept incorrectly.

    Correct proof of concept link:

    http://liudieyu.com/kissofthedragon.32168816196486005/

    (e.g. lose the 'bye.html' off the end)

    Then click the BBB logo presented to open a popup with a bbb.org 'address' and his own content.

  3. This post has been deleted by its author

  4. system

    RE: Erm...

    Try this address: http://liudieyu.com/kissofthedragon.32168816196486005/

    Click the button to "verify" with the bbb and you should see the exploit in a pop up window.

  5. Dan Goodin (Written by Reg staff)

    story updated to correct link

    ta

  6. Nick L

    Designed for insecurity?

    So do we get the impression that security is designed into Chrome through its architecture, or do we get the impression that it's an implementation add-on which depends on its programmers noticing the vulnerabilities?

  7. Anonymous Coward

    And the cartoons made it look so good.

    That's the last time I get taken in by a bunch of etchings.

    Probably didn't have the right team on this one, all of it going to the goo goo gadget javascript engine.

  8. Moss Icely Spaceport
    Happy

    iFail

    You Fail

    We all Fail

  9. F Seiler

    hmm...

    People actually use Chrome?

  10. Rasczak
    Boffin

    Not Webkit issue?

    Quote from Liu Die Yu who found this - "I don't see Apple Safari vulnerable in the same way," he writes in an email to The Register. "They share the same engine (webkit)."

    Chrome uses v525.13 of Webkit, Safari uses v525.19. I haven't tested in Safari, but I have tried the POC page in Iron, the fork of Chrome from SRWare which also uses v525.19 of Webkit, it gets an alert for bbb.org that is 'undefined' and if you OK this you get what appears to be the correct page.

    Maybe it is a Webkit issue, can anyone who has the developer version 0.3.154.3 of Chrome say what version of Webkit this uses?

  11. Anonymous Coward
    Stop

    Last I checked

    ..this was still in beta. Exactly when bugs should be caught. Surely no-one's using this browser for anything other than testing at the moment?

  12. Anonymous Coward

    Also works on

    Firefox 3.0.3

  13. John

    Funny

    I use version 0.2.149.30 and it didn't work for me. I can see the normal URL in the address bar. Not Phished.

  14. CJ
    Unhappy

    Opera

    Just tried this in Opera and it's the same.
