Google Engineers Critical of Aviator Browser Security

Google security engineers have criticized the security and privacy of WhiteHat Security’s Aviator browser, after finding a remote code execution vulnerability within hours of Aviator’s release as open source.

Within hours of WhiteHat Security releasing its Aviator browser as open source on Thursday, a remote code execution vulnerability was disclosed, along with a handful of other coding issues that Google security engineers said jeopardize the security and privacy of Aviator’s users.

Google’s public disclosure, and its subsequent public criticism over social media, of Aviator (which is built on the Chromium code base, the same one Google uses to build the Chrome browser) kicked off a tense back and forth between the $50-billion search giant and the small-by-comparison private security company.

WhiteHat responded this afternoon, acknowledging the bugs in its code, which it concedes may not be as “elegant” as Google Chrome’s. But the company pushed back against Google’s assertion that using the Disconnect browser extension in Chrome, along with tweaks to some privacy settings, provides the same experience as Aviator.

“We have made changes in Aviator that are beyond configuration, such as the browser’s ability to stop referring URLs from being sent cross domain as well as always being in private mode by default. But far more importantly, when we talk to average users it becomes clear that consumers can’t actually do what [Google] is suggesting,” said Robert Hansen, vice president of WhiteHat Labs. “Most people do not know the first thing about Disconnect and therefore, they don’t know what they need to do to add it. Our argument all along has been that consumers need better options by default. They don’t even know what to search for to start learning how to protect themselves.”

Aviator was built with anonymity and security in mind. By default, it doesn’t allow tracking of a user’s browsing, and WhiteHat doesn’t have any partnerships with advertisers or tracking companies. It also has DuckDuckGo set as the default search engine, a major change from most other browsers, which typically have Google or Bing as the default. DuckDuckGo doesn’t save any search history data from users or perform any tracking.

Google engineer Tavis Ormandy, however, wasted no time diving into the Aviator code, tweeting late yesterday afternoon that he’d discovered a remotely exploitable bug in the browser.

WhiteHat founder and CEO Jeremiah Grossman said through his Twitter account that Google did not contact his company about the vulnerability or any of the issues described in a Google-Plus post by Justin Schuh, a Google security engineer working on the Chrome security team.

“You probably shouldn’t be using the WhiteHat Aviator browser if you’re concerned about security and privacy,” Schuh wrote, pitting Chrome against Aviator throughout the post as a safer and better-resourced secure-browsing option.

The decision to go open source, WhiteHat Labs vice president Robert Hansen said, was a long time coming and was spurred on by privacy conscious users, including some in the Tor community, who wanted a similar browser built on Chromium.

“For them, it would be a lot easier to start with a more secure browser that had removed a lot of the Google specific anti-privacy stuff, than to re-invent the wheel. So why not Aviator?” Hansen wrote yesterday in making the open source announcement.

Releasing Aviator to open source, Hansen said, was in part an effort to enlist the security community’s help in hardening the browser and perhaps narrowing the gap between it and Chrome, the security of which is key to supporting Google’s $50 billion annual revenue from online advertising.

Schuh, meanwhile, pointed out a number of changes Aviator made to the Chromium code base that complicate the integration of upstream security fixes.

“That’s why Aviator is perennially at least two major releases behind Chrome, and ships with dozens of publicly disclosed vulnerabilities that are already fixed in the stable Chrome release,” Schuh said. “Had these branding changes been made more carefully, this simply wouldn’t be a problem and Aviator would be able to pull upstream changes and benefit from the security work being done by the Chromium Project.”

Schuh said the technical changes made in Aviator were relatively few, but created problems beyond Ormandy’s vulnerability.

“The added code doesn’t seem to have been written with a sufficient understanding of how Chrome works, or with adequate regard for security,” Schuh said, pointing to one place where Aviator had disabled a debug-break call.

“In Chrome that call is expected to safely terminate sandboxed processes in a whole slew of situations where the process cannot safely recover, but in Aviator all of those cases have now been turned into potentially exploitable vulnerabilities,” he said.
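The following C++ is an added illustration of the fail-fast point Schuh makes above; it is example code written for this article, not Chromium’s or Aviator’s, and the names ImmediateCrash, CHECK_OR_CRASH, CHECK_DISABLED, Slot and the test-only crash hook are assumptions. It models a sandboxed process that reaches a state it cannot safely recover from (an out-of-range index): with the break intact the process dies before the bad write; with the break turned into a no-op the write goes ahead and flips a byte the check was meant to protect.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <stdexcept>

// Hook that tests may install to observe a crash without killing the process.
// (Assumption for this example; not how Chrome or Aviator wire this up.)
using CrashHook = void (*)();
static CrashHook g_crash_hook = nullptr;

// Fail-fast primitive standing in for the debug-break call the article
// describes: reaching it must end the process and never return to the caller.
[[noreturn]] static void ImmediateCrash() {
  if (g_crash_hook != nullptr) g_crash_hook();  // a test hook may throw instead
#if defined(__GNUC__) || defined(__clang__)
  __builtin_trap();
#else
  std::abort();
#endif
}

// CHECK-style guard: an invariant violation terminates the process right here.
#define CHECK_OR_CRASH(cond)         \
  do {                               \
    if (!(cond)) ImmediateCrash();   \
  } while (0)

// The same guard with the break "disabled": the condition is evaluated and
// ignored, so execution continues into the state the check meant to prevent.
#define CHECK_DISABLED(cond) \
  do {                       \
    (void)(cond);            \
  } while (0)

// Toy slice of a sandboxed process's memory (constructed for this example):
// an 8-byte name field immediately followed by a one-byte privilege flag.
constexpr std::size_t kNameSize = 8;
constexpr std::size_t kFlagOffset = kNameSize;
struct Slot {
  std::array<std::uint8_t, kNameSize + 1> mem{};
};

static bool IsPrivileged(const Slot& s) { return s.mem[kFlagOffset] != 0; }

// Writes one byte of the name at an attacker-influenced index. The index must
// stay inside the name field; kFailFast selects which guard enforces that.
template <bool kFailFast>
static void WriteNameByte(Slot& s, std::size_t index, std::uint8_t byte) {
  if (kFailFast) {
    CHECK_OR_CRASH(index < kNameSize);
  } else {
    CHECK_DISABLED(index < kNameSize);
  }
  // .at() is only the model's guard rail against running off the toy array;
  // real process memory has no such backstop.
  s.mem.at(index) = byte;
}

// Scenario 1: guard disabled. The out-of-range write lands on the flag byte.
static bool DisabledCheckCorruptsFlag() {
  Slot s;
  WriteNameByte<false>(s, kNameSize, 0x01);   // index 8 is the flag, not the name
  return IsPrivileged(s);                     // true: the process now believes it is privileged
}

// Scenario 2: guard intact. The write never happens because the process is gone.
static bool FailFastStopsBeforeCorruption() {
  Slot s;
  CrashHook previous = g_crash_hook;
  g_crash_hook = [] { throw std::runtime_error("process terminated"); };
  bool crashed = false;
  try {
    WriteNameByte<true>(s, kNameSize, 0x01);
  } catch (const std::runtime_error&) {
    crashed = true;
  }
  g_crash_hook = previous;
  return crashed && !IsPrivileged(s);        // true: terminated, flag untouched
}

int main() {
  return (DisabledCheckCorruptsFlag() && FailFastStopsBeforeCorruption()) ? 0 : 1;
}
```

Compile with g++ or clang++ (`__builtin_trap` is a GCC/Clang intrinsic; the `std::abort` fallback covers other compilers). The point to take away is that the crash is not a diagnostic nicety: once the check fires, every instruction after it runs on state the code cannot reason about, and the only safe thing left to do is to stop.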

Schuh said a number of the changes made to Aviator are already available through the Disconnect extension for Chrome, which also benefits from every security fix incorporated in Chromium.

“In the end, I really hope this criticism is taken constructively, and provides some useful context for people who want to enhance Chrome,” Schuh said. “I’m always impressed by the size and passion of the Chromium community, and blown away by the number of people who contribute to and build projects on top of our codebase. But at the same time it’s very important that care be taken in those efforts to preserve the safety of end-users, even more so when making such bold claims about security and privacy.”
