This string of 16 characters will crash Chrome
By Jason Hahn — September 20, 2015
This is not Google’s finest hour: Following on the heels of news that hacking Android Lollipop is as easy as typing a long string of characters comes word that a string of 16 characters can crash Google’s Chrome web browser — and you don’t even have to type it into the address bar.
The bug was exposed by Latvia-based software engineer and security researcher Andris Atteka, who shared his discovery in a blog post. In his example, he used a 26-character string to crash Chrome. However, VentureBeat used this 16-character string, which also crashes the browser: http://a/%00
A user doesn’t even have to type or paste the string into their browser address bar – simply hovering over or tabbing to the live link will crash the user’s current tab and any other tab that has the link. Sometimes the link will crash the entire browser.
The issue appears to affect Chrome for Windows, Chrome for Mac, and Chrome for Linux, but not Chrome for Android. It may also affect Opera users, according to a Slashdot comment thread.
Atteka reported the bug to Google but did not receive a bounty because it’s not deemed a security threat. Old code seems to be part of the issue, according to a Chromium team member.
Two similar issues were discovered and fixed earlier this year, VentureBeat notes.
