Google Chrome Google URL Cross Domain Security Bypass Vulnerability

Bugtraq ID:	39813
Class:	Origin Validation Error
CVE:	CVE-2010-1663
Remote:	Yes
Local:	No
Published:	Apr 27 2010 12:00AM
Updated:	May 19 2010 03:52PM
Credit:	Jordi Chancel
Vulnerable:	Google Chrome 4.1.249 1059 Google Chrome 4.1.249 1036 Google Chrome 4.1.249 .1045 Google Chrome 4.1.249 .1042 Google Chrome 4.0.249 .89 Google Chrome 4.0.249 .78
Not Vulnerable:	Google Chrome 4.1.249 1064

Google Chrome Google URL Cross Domain Security Bypass Vulnerability

Google Chrome is prone to a cross-domain security-bypass vulnerability.

An attacker can exploit this vulnerability to bypass the same-origin policy. Other attacks are also possible.

Versions prior to Chrome 4.1.249.1064 are vulnerable.

NOTE: This issue was previously covered in BID 39603 (Google Chrome prior to 4.1.249.1059 Multiple Security Vulnerabilities) but has been assigned its own record to better document it.

Google Chrome Google URL Cross Domain Security Bypass Vulnerability

An attacker can exploit this issue by enticing an unsuspecting victim to view a malicious webpage.

The following examples are available:

• /data/vulnerabilities/exploits/39813.html

Google Chrome Google URL Cross Domain Security Bypass Vulnerability

Solution:
Vendor updates are available. Please see the references for details.

Google Chrome Google URL Cross Domain Security Bypass Vulnerability

References:

• Google Chrome 4.1.249.1064 has been released to the Stable channel on Windows (Google)
  
• Google Chrome Homepage (Google)
  
• Issue 40445 - chromium - Cross Origin Bypass using iframe & " " on JAVASCRIPT UR (Jordi Chancel)