badge 16 characters in Google's Chrome address bar and it's gone ~ Tech Siddhi










Wednesday 23 September 2015

16 characters in Google's Chrome address bar and it's gone

An interesting bug is said to be present in one of the most used browsers , Google Chrome. The bug is found by security researcher Andris Atteka from Latvia. The blog post says 

"Recently I reported a crash bug in Google Chrome (issue #533361). This issue reminded me of the recent Skype vulnerability - both occur with simple URL strings. So how can you crash Google Chrome? By adding a NULL char in the URL string:

http://biome3d.com/%%30%30"

 Once you hit this URL in your chrome browser you , the browser will crash  immediately, even hovering your mouse over the link will cause the crash or atleast this particular tab will crash if not the whole browser.

Turns out to be that the crash can be reproduced by replacing "biome3d.com" with a single character like 'a' and the bug lies in parsing null present in the URL.

The vulnerability was reported as a security bug but the bounty was turned down as it is deemed as a DOS attack rather than a security issue, said Andris in his blog. Earlier the bug was thought to be only affecting desktop versions of Chrome Browser but some users have reported that this is reproducible on Android version of the browser as well.

Interesting aspect of the bug is that a user szhu created a maze game (pic below) wherein the maze comprises of trees and bears, you have to hover your mouse over bears to reach from one end to another but the moment you touch trees your tab will crash and now you know why. 

Maze Game

You can also try this game by heading on to Github page , though hovering over will only crash your current tab, but we recommend to close all your important tabs and then try the game in case you accidentally click on any of the trees it will lead in crashing of the browser itself.

0 comments:

Post a Comment