The Register® — Biting the hand that feeds IT

Comments on: New address spoofing flaw smudges Google's Chrome

Erm... 

By Andrew Langhorn Posted Sunday 26th October 2008 20:36 GMT

Stop

No, it's not: the link to the proof of concept shows me this page: http://liudieyu.com/kissofthedragon.32168816196486005/bye.html -- and there's no spoofed address in the address bar.

Methinks either I have an updated/immune Chrome install, or El Reg has screwed up?!

Erm no, it is a vulnerability, and it is there. 

By Jeremy Posted Sunday 26th October 2008 22:08 GMT

Boffin

El Reg has just linked to the proof of concept incorrectly.

Correct proof of concept link:

http://liudieyu.com/kissofthedragon.32168816196486005/

(e.g. lose the 'bye.html' off the end)

Then click the BBB logo presented to open a popup with a bbb.org 'address' and his own content.

Same here 

By Rik Hemsley Posted Sunday 26th October 2008 22:21 GMT

Perhaps they already fixed it?

RE: Erm... 

By system Posted Sunday 26th October 2008 22:42 GMT

Try this address: http://liudieyu.com/kissofthedragon.32168816196486005/

Click the button to "verify" with the bbb and you should see the exploit in a pop up window.

story updated to correct link 

By Dan Goodin Posted Sunday 26th October 2008 22:57 GMT

(Written by Reg staff.)

ta

Designed for insecurity ? 

By Nick L Posted Sunday 26th October 2008 23:07 GMT

So do we get the impression that security is designed into Chrome through its architecture, or do we get the impression that it's an implementation add-on which depends on its programmers noticing the vulnerabilities ?

And the cartoons made it look so good. 

By Anonymous Coward Posted Monday 27th October 2008 00:49 GMT

That's the last time I get taken in by a bunch of etchings.

Probably didn't have the right team on this one, all of it going to the goo goo gadget javascript engine.

iFail 

By Moss Icely Spaceport Posted Monday 27th October 2008 03:43 GMT

Happy

You Fail

We all Fail

hmm... 

By F Seiler Posted Monday 27th October 2008 07:23 GMT

People actually use chrome?

Not Webkit issue ? 

By Rasczak Posted Monday 27th October 2008 11:18 GMT

Boffin

Quote from Liu Die Yu who found this - "I don't see Apple Safari vulnerable in the same way," he writes in an email to The Register. "They share the same engine(webkit)."

Chrome uses v525.13 of Webkit, Safari uses v525.19. I haven't tested in Safari, but I have tried the POC page in Iron, the fork of Chrome from SRWare which also uses v525.19 of Webkit, it gets an alert for bbb.org that is 'undefined' and if you OK this you get what appears to be the correct page.

Maybe it is a Webkit issue, can anyone who has the developer version 0.3.154.3 of Chrome say what version of Webkit this uses ?

last i checked 

By Anonymous Coward Posted Monday 27th October 2008 11:26 GMT

Stop

..this was still in beta. exactly when bugs should be caught. Surely no-one's using this browser for anything other than testing at the moment?

Also works on 

By Anonymous Coward Posted Monday 27th October 2008 11:35 GMT

firefox 3.0.3

Funny 

By John Posted Monday 27th October 2008 12:25 GMT

I use version 0.2.149.30 and it didn't work for me. I can see the normal URL in the address bar. Not Phished.

Opera 

By CJ Posted Monday 27th October 2008 15:08 GMT

Unhappy

Just tried this in Opera and it's the same.

FF3 and Opera 

By Anonymous Coward Posted Monday 27th October 2008 20:37 GMT

Just tried it on both, and they redirect to the legitimate site, not the PoC site.

Webcast: Jumpstart your Application Security initiatives