Remember when it took just eight characters to crash Skype? Apparently it takes double that to take out Chrome: Typing in a 16-character link and hitting enter, clicking on a 16-character link, or even just putting your cursor over a 16-character link will crash Google’s browser.
The bug was discovered by Andris Atteka, who explained on his blog that you can easily trip up Chrome just by adding a null character in the URL string. His example was 26 characters long, but we have managed to shave off 10 characters to produce an even simpler string that will crash Chrome.
To try it yourself, fire up Chrome 45 (the latest stable version) or older and put this into your address bar:
Either your Chrome tab or the whole Chrome browser will crash.
Atteka reported the bug to Google today (Chromium issue). Here’s the technical explanation of what’s happening:
It seems to be crashing in some very old code. In the Debug build, it’s hitting a DCHECK on an invalid URL in GURL, deep in some History code. Given that it’s hitting a CHECK in the Release build, I don’t think this is actually a security bug, but I’m going to leave it as such.
Atteka did not receive a bounty from Google because this is not a security threat, per se. Still, it’s easy to see how the bug could be abused to impact many Chrome users.
Hovering your cursor over the link will crash your Chrome tab as well, along with every other tab like it. Try it yourself by opening Atteka’s blog post or the Chromium report in a few tabs and putting your cursor over the example link provided. The only reason the above example doesn’t work is that we purposefully didn’t hyperlink it so that you could read this article in peace.
In our tests, Chrome for Windows and Chrome for Mac are both affected. Interestingly, I couldn’t reproduce this bug in Chrome for Android. No matter where I inserted the null character, the browser refused to crash on my phone.
This isn’t the first time a link has been discovered that could instantly crash Chrome. A similar issue was discovered just for Mac in March and another wasdiscovered for all desktop platforms in April. Both were quickly fixed.