Chrome Canary Bug Hides URLs A Little Too Well

google chrome security update

A bug in the developer and early adopter version of Google Chrome called Canary fails to display URLs of a certain character length, potentially facilitating phishing attacks.

Borrowing a tactic from the mobile Safari browser in iOS, Google may soon abandon displaying complete URLs in Chrome.

The Canary version of the browser, an unstable version designed for developers and early adopters, is toying with the idea of no longer displaying full URLs in its Omnibox—what other browsers call an address bar—instead moving the top-level domain to a prominent spot left of the Omnibox known as the Origin Chip.

The idea is that this will make it much easier for users to flag phishing sites. But web security firm PhishMe has reported on a bug where URLs that exceed 100 characters will not display a top level domain or URL of any kind, but instead display just an empty search bar.

Given that Canary v36 is not a fully baked version of Chrome, the widespread risks are relatively low. But the flaw does enable a phisher to adjust accordingly and fool a less savvy users into giving up their banking credentials, for example.

“While Canary is intended to help the user identify a link’s true destination, it will actually make it impossible for even the savviest users to evaluate the authenticity of a URL,” wrote PhishMe’s Aaron Higbee and Shyaam Sundhar in a blogpost.

Phishing still works, despite years of warnings from security experts and millions spent on awareness training. The recent Verizon Data Breach Investigations Report said phishing was the third most popular threat action used in 2013 data breaches, behind the use of stolen credit cards and the exfiltration of data from compromised machines. Phishing generally goes hand-in-hand with the loss of legitimate credentials, which is particularly prevalent in fraud against financial institutions and in cyberespionage attacks where spear phishing emails are often the initial point of entry used by nation states to access the systems and networks of their targets.

“Since these attacks do not use malware, the best (and sometimes only) defense against them is a well-trained user who recognizes that the URL is not leading to a legitimate website,” Higbee and Sundhar wrote. “Without the ability to evaluate the URL, even the savviest user could fall victim to this type of attack.”

The Origin Chip in Canary must be enabled, and once it is, users see only the main domain or subdomain displayed. In order to see the entire URL, a user would have to click on Origin Chip.

In order to see the entire URL, a user would have to click on Origin Chip.

PhishMe said it tested character and size limitations of the Origin Chip. Domains and subdomains of 30 to 40 characters and 60 to 70 characters displayed as intended, researchers said. A URL of longer than 98 characters, however, does not display a URL.

“Omni Chip’s length is subjective to the browser size, so the URL length limits change when the browser is resized,” Higbee and Sundhar wrote. “For example, reducing your browser window size reduces the length at which Omni Chip will stop displaying the URL and vice versa. The lengths considered in the above scenarios will work on the default size, although the underlying fact that the URL disappears when Omni Chip exceeds specific length (determined by the size of the browser) remains unchanged.”

The issue has already been raised on the Chromium website. PhishMe suggests keeping the URL intact, and instead putting more visual focus on the root domain.

“By burying the concept of URL, or by making this setting permanent in the future versions of Chrome, users will not know the exact link or domain they are visiting, since the URL in the Omnibox disappears, meaning that even security savvy users who have been trained to recognize malicious URLs will be at risk,” Higbee and Sundhar wrote.

Suggested articles