Comments on “New address spoofing flaw smudges Google's Chrome” • The Register

Comments on: New address spoofing flaw smudges Google's Chrome

Back to the article
Comments on this article are now closed

Erm... #

By Andrew Langhorn Posted Sunday 26th October 2008 20:36 GMT

No, it's not: the link to the proof of concept shows me this page: http://liudieyu.com/kissofthedragon.32168816196486005/bye.html -- and there's no spoofed address in the address bar.

Methinks either I have an updated/immune Chrome install, or El Reg has screwed up?!

Erm no, it is a vulnerability, and it is there. #

By Jeremy Posted Sunday 26th October 2008 22:08 GMT

El Reg has just linked to the proof of concept incorrectly.

Correct proof of concept link:

http://liudieyu.com/kissofthedragon.32168816196486005/

(e.g. lose the 'bye.html' off the end)

Then click the BBB logo presented to open a popup with a bbb.org 'address' and his own content.

Same here #

By Rik Hemsley Posted Sunday 26th October 2008 22:21 GMT

Perhaps they already fixed it?

RE: Erm... #

By system Posted Sunday 26th October 2008 22:42 GMT

Try this address: http://liudieyu.com/kissofthedragon.32168816196486005/

Click the button to "verify" with the bbb and you should see the exploit in a pop up window.

story updated to correct link #

By Dan Goodin Posted Sunday 26th October 2008 22:57 GMT

ta

Designed for insecurity ? #

By Nick L Posted Sunday 26th October 2008 23:07 GMT

So do we get the impression that security is designed into Chrome through its architecture, or do we get the impression that it's an implementation add-on which depends on its programmers noticing the vulnerabilities ?

And the cartoons made it look so good. #

By Anonymous Coward Posted Monday 27th October 2008 00:49 GMT

That's the last time I get taken in by a bunch of etchings.

Probably didn't have the right team on this one, all of it going to the goo goo gadget javascript engine.

iFail #

By Moss Icely Spaceport Posted Monday 27th October 2008 03:43 GMT

You Fail

We all Fail

hmm... #

By F Seiler Posted Monday 27th October 2008 07:23 GMT

People actually use chrome?

Not Webkit issue ? #

By Rasczak Posted Monday 27th October 2008 11:18 GMT

Quote from Liu Die Yu who found this - "I don't see Apple Safari vulnerable in the same way," he writes in an email to The Register. "They share the same engine(webkit)."

Chrome uses v525.13 of Webkit, Safari uses v525.19. I haven't tested in Safari, but I have tried the POC page in Iron, the fork of Chrome from SRWare which also uses v525.19 of Webkit, it gets an alert for bbb.org that is 'undefined' and if you OK this you get what appears to be the correct page.

Maybe it is a Webkit issue, can anyone who has the developer version 0.3.154.3 of Chrome say what version of Webkit this uses ?