New address spoofing flaw smudges Google's Chrome
Print storyBrowser vuln enables website impersonation
Posted in Security, 26th October 2008 20:17 GMT
Free whitepaper – The starter PKI program
Google's Chrome browser has been marred by yet another vulnerability, this one allowing attackers to impersonate websites of groups like the Better Business Bureau, PayPal or, well, Google.
Researcher Liu Die Yu of the TopsecTianRongXin research lab in Beijing says the spoofing vulnerability is the result of faulty code inserted by programmers from the Mountain View, California search behemoth.
"I don't see Apple Safari vulnerable in the same way," he writes in an email to The Register. "They share the same engine(webkit)."
As his proof of concept demonstrates, it is in fact possible to send Chrome users to a page under his control while causing the browser's address bar to display the domain name bbb.org.
A Google representative says Chrome's spoofing vulnerability is a "known issue" that will be fixed in an update that will be pushed to end users soon. Those too impatient to wait can download version 0.3.154.3 of Chrome on Google's Dev Channel.®
Free whitepaper – Securing your Microsoft Internet Information Services (MS IIS) web server
The best practices guide for application security
Avoiding 7 common mistakes of IT security compliance
The starter PKI program
Airport insecurity: the case of lost laptops
The mandate for application security
Google cloud told to encrypt itself
Buggy 'smart meters' open door to power-grid botnet
Chinese firm hits back at cyberspy claims
BlockMaster SafeStick hardware-encrypted USB drive