The Google Chrome team has finally decided to fix an address spoofing bug after keeping the issue under consideration for more than a month. This potential security threat was brought to notice at the start of June by David Leo, a researcher at a UK security firm. According to Leo, when a new page is loaded by Chrome, the content of the previous page remains for a while. Some other experts indicated that the address spoofing bug can also be exploited for spoofing HTTPS websites.
Google was informed of this issue on June 7, but the search giant initially said it was not a security problem because users cannot interact with the spoofed content. Chrome developers described the bug as a “render denial-of-service” and claimed that it could not be exploited to carry out a phishing attack.
Security experts, however, are of a different view. According to Sijmen Ruwhof, an IT security consultant, it is possible to create a regular phishing page that allows user interaction and make it exploit the spoofing bug to temporarily display the targeted website’s official domain. After a few seconds, the original phishing page can be loaded again, allowing cybercriminals to harvest the user’s data. “After two seconds the impersonification process is stopped, enough time for a user to validate the URL bar and identity of the web site and start filling in forms,” Ruwhof said.
After a month-long debate, Chrome developers have agreed that the bug presents a security threat and should be fixed. The Chrome address spoofing bug seems to have been there for many years: a researcher reported it in 2012 as well, but could not get it fixed by Google at that time.