Serious Security Flaw in Google Chrome

Google Chrome has quickly become one of our favorite browsers here at RWW, but as Ryan Naraine, a security evangelist at Kaspersky Lab, reports, Chrome has also inherited a potentially serious security flaw from the old version of WebKit it is based on. An attacker could easily trick users into launching an executable Java file by combining a flaw in WebKit with a known Java bug and some smart social engineering.

Security expert Aviv Raff, who first discovered this flaw, set up a demo of the exploit here. (Note: This page will automatically download a Java file onto your desktop.) You can safely click on the download, as it only opens a notepad application written in Java.


The problem here is that, after a user double-clicks the download at the bottom of the screen, this application is opened without any warning, which would allow a malicious hacker to easily execute any Java program on a user’s machine.

Two facts make this exploit especially embarrassing for Google. First of all, Google stressed the security of Chrome in both the official announcement and today’s live video demo just before the launch.

Apple Already Did It

More importantly, as ZDNet reports, Apple already patched WebKit against this flaw when it released Safari 3.2.1 in July, though only after the flaw had already been known for more than two months. Google, however, is using an older version of WebKit as the basis for Chrome.

Social Engineering

Obviously, this exploit only works because of the social engineering behind it. Just like some pop-up ads trick users into clicking “OK” because the ad mimics a typical system message in Windows, this exploit would trick users who are not yet familiar with Chrome’s interface into believing that the download is actually just part of the web page.

We assume that Google will patch this flaw a lot faster than Apple did, but this news definitely puts a bit of a damper on our enthusiasm for Chrome.

EDITOR’S UPDATE: we’ve been all over the Chrome story for the past few days, so here is a summary of our coverage so far:

Video of Google Chrome Announcement

Chrome: Test it With Us Live (check out Sarah Perez’s screencast, with input from all the RWW team)

Does Google Have Rights to Everything You Send Through Chrome? (great discussion happening in the comments of this one)

Google to Offer its Own Browser: Chrome (our original post)
