VentureBeat reports on the obscure bug. There are not currently thought to be any security concerns associated with this specific issue, but the cause remains unknown so there may be deeper consequences than have been discovered so far.
The bug was discovered by Andris Atteka who found that Chrome crashes as soon as it encounters a null character in a URL string. Google has not rewarded his find because it is classed as only a denial of service vulnerability instead of a security issue.
Regardless, it remains an annoyance to anybody who encounters it. It would be an easy way to prank an unaware friend by convincing them to open a 16-character link in Chrome.
Example URLs include “http://a/%%30%30”. We are not linking to this address but, if we had, Chrome users would find their browser immediately crashing if their cursor so much as hovered over the link. The same happens when typing the URL into the address bar and pressing Enter.
Chrome briefly displays the “Aw, Snap!” something went wrong page before crashing to the desktop. Windows systems will display the “Google Chrome has stopped working” dialog box. The issue is present in Chrome versions up to stable 45, the latest release edition, and affects both Windows and Mac OS X. Android phones do not appear to be phased by an extra null character in a URL string.
Earlier this year, a bug in Skype was widely reported that would cause the app on Windows, iPhone, iPad and Android to permanently lock-up if it received a specific eight-character message. A similar issue to Atteka’s find was also encountered in Chrome in April. It also crashed the browser when a specific URL was encountered.
This time around, the bug lies in some old code that believes the URL is invalid, according to Atteka in his Chromium issue report. Google has not yet responded and no workaround is known but the chances of this 16-character URL being encountered during normal browsing are effectively non-existent.
