The bug was exposed by Latvia-based software engineer and security researcher Andris Atteka, who shared his discovery in a blog post. In his example, he used a 26-character string to crash Chrome. However, VentureBeat used this 16-character string, which also crashes the browser: http://a/%%30%30
A user doesn’t even have to type or paste the string into their browser address bar – simply hovering over or tabbing to the live link will crash the user’s current tab and any other tab that has the link. Sometimes the link will crash the entire browser.
The issue appears to affect Chrome for Windows, Chrome for Mac, and Chrome for Linux, but not Chrome for Android. It may also affect Opera users, according to a Slashdot comment thread.
Atteka reported the bug to Google but did not receive a bounty because it’s not deemed a security threat. Old code seems to be part of the issue, according to a Chromium team member.
Two similar issues were discovered and fixed earlier this year, VentureBeat notes.
Editors' Recommendations
- Chrome’s take on Nvidia DLSS is set to launch, but you can’t use it yet
- These Chrome extensions will put cash-saving coupons right in your browser
- Spellcheckers in Google Chrome could expose your passwords
- Chrome just added a great new way to protect your passwords
- Your Chromebook now has access to your Android phone’s photos