Chrome for Android Update Fixes Critical URL Spoofing Bug

The latest update to Chrome on Android fixes two bugs, including a critical flaw in the browser that could have let an attacker trick a user into visiting a malicious site.

The latest update to Chrome on Android – pushed yesterday – fixes two bugs, including a critical flaw in the browser that could have let an attacker trick a user into visiting a malicious site.

The problem, marked high priority by Google, was discovered by Japanese app developer Keita Haga. The bug, which netted the researcher a $3,000 bug bounty from Google, could have let an attacker remotely spoof a seemingly valid URL in the browser’s Omnibox and trick users into thinking any site of the attacker’s choosing was legitimate.

The issue is similar to a problem that Haga found in Apple’s Safari browser in iOS last fall. That bug gave an attacker the ability to spoof an arbitrary URL via a specially crafted web site. Apple fixed the issue through improved URL tracking when it pushed out iOS 7 last September.

That makes five URL spoofing bugs in five different browsers over the years for Haga. According to the Open Source Vulnerability Database, in addition to both the Chrome and Safari bugs, Haga discovered similar bugs in Yahoo’s browser for Android and the lesser-known browsers Sleipnir and jigbrowser+.

The latest iteration of Chrome, 36.0.1985.1222 — the 36th stable release for Android, also fixes a bug with the browser’s same origin policy (SOP).

Google security expert Michał Zalewski once called SOP “perhaps the most important security concept within modern browsers.” The functionality helps restrict how a document or a script loaded from one origin can interact with a resource from another origin. Without it users could easily be subjected to Cross Site Request Forgery or Cross Site Scripting attacks.

Håvard Molland, a Norwegian developer with Opera, discovered a way to bypass SOP on older versions of Chrome that Google went on to fix in this recent version.

For what it’s worth, the latest update also lets websites that aren’t optimized for mobile devices render text with better accuracy, addresses issues from OpenSSL 1.0.1h, and brings back Google doodles to the new tab page along with a cornucopia of other minor bug fixes.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.


  • David LaVeque on

    Hi, I have been using both 36&37 since update was available. There is a common bug on both. The screen is blanking out after opening a link from an article and switching back and forth. The pages load then go blank a few seconds later. Google forums has long list of people,and a bug report on this issue. Opening tabs in "incognito" does not display this behaviour. Maybe if someone writes about this issue,the dev. Team will get busy.
    • Brian Donohue on

      Thanks for the tip. We'll look into it.
  • jaber on

    Mine is fixed by doing this go to : chrome website /privacy setting I have unchecked navigation error suggestions and search and URL suggestions both unchecked now it works fine also you browse fast than before

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.