The new Google browser reportedly has vulnerabilities that would allow it to be hacked.
Chrome had been available in beta for only a day, but according to security researcher Rishi Narang, a hacker could build a malicious link that includes an undefined handler followed by a certain character, so that when a user clicks on the link Chrome would crash.
Users could also be led to download malicious code because Google uses an older version of WebKit, the open-source browser technology also used in Apple's Safari browser, and that version includes the vulnerability. The problem lies in the way Chrome downloads files and the way Windows handles the downloaded files, according to researcher Aviv Raff.
He explained that the browser's default setting downloads files into a folder and then displays a download bar at the bottom of the browser page. The user clicks on the bar to open the file, and if the file is an executable, Windows displays a warning, which can help users avoid inadvertently downloading malicious code. However, if the file is a Java Archive, Windows will automatically run the file.
He further claimed that the problem is exacerbated by the way the download bar looks: the bar appears to be part of the web page, and users might think they're clicking on a link or a button on the page rather than opening a downloaded file.
Raff wrote in a blog: “This is again a sort of a ‘blended threat’. Two small issues in different products, when blended together, create a much larger problem. Security wise, it's very problematic. They'll have to track all security vulnerabilities in those features, and fix them in Chrome too. This will probably be only after those vulnerabilities were fixed by the other vendors or were publicly reported. It will put Chrome users at risk for a long time.”
In response, a spokesperson for Google did not answer questions about the vulnerability or whether any plans were being made to make changes to Chrome, but claimed that by default, Chrome downloads files into a separate folder instead of on the user's desktop as a way to avoid some security problems. In addition, she said that users can set the browser to ask where to save each file before downloading it.