I just got contacted by a PR firm that wanted to talk to me about the new Google Chrome carpet bombing flaw. Only problem is, the flaw isn’t what I would call a flaw (but that’s not stopping other pubs from reporting on this flaw).
Long story short is that security researcher Aviv Raff blogged that Chrome is at risk from the Carpet bombing flaw he first reported on Apple Safari. Raff has posted a Proof of Concept (nice move dude) which looks to my naked eye to prove conclusively that Chrome users don’t need to uninstall their shiny new browser.
I’ve posted a screen shot from my own test below. Notice how Raff even has some Google AdSense ads at the top of his exploit page (isn’t that a definition of Chutzpah?).
Yes the page can trigger a dialog box to open, but notice two important things. First is that the Google Chrome user still actually has to save the file. Secondly the file is clearly identified as an executable (and yes I know file types can be spoofed…).
So the flaw – is that if you click on a bad link and then get a pop up window asking you to download something and you actually click ‘Save‘ – well you might have a problem.
Same can be said for any other web browser or email program though can’t it? Click on bad links, save bad stuff and bad things will happen.
Yes – it’s great that Raff and others are looking at security on Google Chrome and I really do applaud him for trying, he does try to make a real solid case for issues in Chrome.
No doubt there are security issues that will be found that will need to be fixed. That said the common sense of safe browsing should still be common practice, regardless of what browser the user is running.