Google Chrome – could security issues take the shine off new browser?

4 Sep 2008

Issues ranging from privacy to malicious code flaws and vulnerabilities that could allow hackers to crash the Chrome browser are beginning to emerge, adding to the steep learning curve Google will have to climb to see widespread adoption of its new product.

In recent days, analysts and bloggers have been debating potential problems which the new browser may experience.

Israeli researcher, Aviv Raff, posted a proof-of-concept exploit to demonstrate how hackers could exploit an older version of WebKit, an open source rendering engine that also powers Apple’s Safari.

Another vulnerability highlighted by researcher, Rishi Narang, could allow a hacker to build a malicious link that includes an undefined handler followed by a certain character. When a user clicks on a link, Chrome would crash.

Another possibility centres on privacy in relation to the auto-suggest feature on Chrome, which privacy advocates fear could give Google a lot of information on what people are doing on the internet, aside from searching.

Google will have access to any keystrokes typed into the browser’s Omnibox, even before a user hits enter.

According to Jupiter Research analyst, John Lovett, writing in a blog, each downloaded browser will maintain a unique ID.

“My first thought on the news brought to mind the Wilco song, Hell is Chrome, and perhaps that’s just what Microsoft and Internet Explorer creators are thinking. The lyrics begin: ‘When the devil came, he was not red. He was chrome…’

“My second thought meandered to the privacy considerations that will be built into the new browser.

“According to early reports, it will allow standard cookies to be dropped on machines via the browser and opt out capacity is possible, much like today’s standard browsers. Each downloaded browser will maintain a unique ID and if users elect to send usage reports to Google, the browser will send crash reports and unfound URL’s to debug and learn more.

“Additionally, opt-in users will benefit from URL suggestions when typing into the browser bar based on Google’s search query knowledge and provide shortcuts to commonly visited sites (ie type ‘c’ return and frequently visited renders cnn.com). ‘Incognito’ mode allows users to surf anonymously without transmitting any pre-existing cookies to sites.

“New cookies will be accepted in incognito mode, yet deleted upon terminating the browser session or returning to normal mode. It will be interesting to see how many users actually exercise this function (insert devious thoughts here). For me, I will likely give it a try just to see if behaviourally targeted ads and content change when I’m running stealth,” Lovett said.

It has also emerged that Google has rescinded an article of Chrome’s user agreement. According to the BBC, the original agreement claimed rights over “any content which you submit, post or display on or through” the browser. Google reworded the agreement yesterday leaving those rights in the hands of Chrome’s users.

By John Kennedy

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com