Chrome for Android Update Patches URL Spoofing Bug

Type threatpost
Reporter Chris Brook
Modified 2014-07-17T16:38:02
The latest update to Chrome on Android – pushed yesterday – fixes two bugs, including a critical flaw in the browser that could have let an attacker trick a user into visiting a malicious site.

The problem, marked high priority by Google, was discovered by Japanese app developer Keita Haga. The bug, which netted the researcher a $3,000 bug bounty from Google, could have let an attacker remotely spoof a seemingly valid URL in the browser’s Omnibox and trick users into thinking any site of the attacker’s choosing was legitimate.

The issue is similar to a problem that Haga found in Apple’s Safari browser in iOS last fall. That bug gave an attacker the ability to spoof an arbitrary URL via a specially crafted web site. Apple fixed the issue through improved URL tracking when it pushed out iOS 7 last September.

That makes five URL spoofing bugs in five different browsers over the years for Haga. According to the Open Source Vulnerability Database, in addition to both the Chrome and Safari bugs, Haga discovered similar bugs in Yahoo’s browser for Android and the lesser-known browsers Sleipnir and jigbrowser+.

The latest iteration of Chrome, 36.0.1985.1222 – the 36th stable release for Android – also fixes a bug with the browser’s same origin policy (SOP).

Google security expert Michał Zalewski once called SOP “perhaps the most important security concept within modern browsers.” The functionality helps restrict how a document or a script loaded from one origin can interact with a resource from another origin. Without it users could easily be subjected to Cross Site Request Forgery or Cross Site Scripting attacks.

Håvard Molland, a Norwegian developer with Opera, discovered a way to bypass SOP on older versions of Chrome that Google went on to fix in this recent version.

For what it’s worth, the latest update also lets websites that aren’t optimized for mobile devices render text with better accuracy, addresses issues from OpenSSL 1.0.1h, and brings back Google doodles to the new tab page along with a cornucopia of other minor bug fixes.