Address bar tweak in early Chrome beta puts even savvy users at risk


Bug allows attackers to hide addresses used to phish passwords or push malware.
by Dan Goodin - May 7 2014, 9:10pm GMTST
 



Displays such as this one can be hidden by exploiting a bug in a tweak being tested in Chrome Canary.
 
A change in some early versions of Google's Chrome browser is attracting the attention of security researchers who say it can make it harder for end users to know when they're visiting a malicious site trying to push malware or phish login credentials.
The change, which is said to affect a small fraction of people running version 36 of Chrome, aka Canary, causes the browser's address bar (Google calls it the Omnibox) to no longer display the URL currently open. Instead, the domain name and any subdomains of the open page are shown immediately to the left of the Omnibox in what's dubbed the Origin Chip. Google developers haven't given a definitive explanation for the experimental change, although Jake Archibald, a developer advocate for Google Chrome, recently gave his personal thoughts here. Presumably, it's designed to keep up with various features already available in Internet Explorer, Firefox, and Safari that highlight the precise domain a browser is visiting. The features are designed to thwart attacks that rely on long, confusing addresses that can sometimes conceal the true domain that's open.
 