Google Chrome's plan to hide URLs hits a snag
Chrome's "origin chip" feature, which hides URLs in the browser's location bar, may be vulnerable to lengthy Web addresses.
Displaying a website's full URL in the location bar goes back to the first days of Web browsers. Google is exploring getting rid of full URLs in Chrome, but security firm PhishMe appears to have found a flaw in Google's plan only days after it showed off the change.
Google calls the feature the "origin chip." It would replace a full URL in the location bar with a highlighted, visually emphasized version of a website's main domain -- "cnet.com," for example, instead of a full address such as "http://www.cnet.com/news/google-chrome-continues-to-outpace-firefox/" that exactly describes a page's location on the Web.
Selecting the location bar would reveal the full URL, so it's still accessible, and the origin chip must be manually activated in Chrome Canary, a build of the browser meant for testing new features.
Despite those caveats, PhishMe discovered what it's calling a security vulnerability in the origin chip feature. PhishMe researchers Aaron Higbee and Shyaam Sundhar said the feature will obfuscate URLs to such a point that "even security savvy users who have been trained to recognize malicious URLs will be at risk."
"We've discovered that if a URL is long enough, Canary will not display any domain or URL at all, instead showing an empty text box with the ghost text 'Search Google or type URL,'" the pair wrote on Tuesday. "While Canary is intended to help the user identify a link's true destination, it will actually make it impossible for even the savviest users to evaluate the authenticity of a URL."
The problem is serious, the PhishMe duo said, because many phishing attacks can only be foiled by the end-user's ability to look at a URL and determine it to be misleading. Hiding the full URL will make it harder to differentiate legitimate websites from malicious ones.
URLs tested that were 30 to 40 characters long, and 60 to 70 characters long, were shortened as Google intended: The origin chip would remove all but the domain from the URL bar and highlight it. However, when they tested a URL of 110 to 120 characters in length, the origin chip was unable to show the domain name and instead showed an empty "omnibox," Google's term for its combined search/location box.
"[I]f the character length goes beyond 98 characters the Origin Chip will not display any URL," they wrote. The flaw affects main domains such as cnet.com; subdomains such as news.cnet.com; and multilevel subdomains such as security.news.cnet.com.
Another twist to the flaw that the researchers discovered is that the origin chip's length is dependent on the browser size, so that the character length limits change depending on how you've sized your browser. In desktop situations where you can run two browsers side-by-side, you potentially could see even fewer location bar URLs.
The feature is controversial even inside Google, where a bug has been filed to remove the feature from Chrome before it reaches the browser's most popular version, the Stable build.
When asked to comment on the research, Google appeared to not be concerned with its findings. A Google spokesperson described the origin chip to CNET as "an experiment."