14 DAY TRIAL // Security researchers from Nightwatch Cybersecurity have discovered a way of crashing Chromium and Firefox browsers on mobile and desktop devices.
Their method relies on using the search suggestions feature that these browsers support. The issue is not a software bug, but a design implementation that allows their attack to be executed.
Most of today's browsers have a search field or allow users to search via the URL address bar. Based on the search engines supported inside the browser, search suggestions can be shown as the user types their query.
2GB search suggestion reply
Nightwatch security experts say that if the browser's search engine provider doesn't protect these search suggestions via an encrypted HTTPS channel, an attacker on the local network can intercept search suggestions queries and answer before the search provider.
An attacker can insert large chunks of data inside this response, which can lead to the browser or the operating system exhausting memory resources and eventually crashing.
The good news is that researchers weren't able to execute malicious code during these crashes, which would have caused more problems for browser makers.
During their tests, researchers managed to crash the Android stock browser on Android 4.4, Chrome 51 on Android 6.01, and Firefox 47 on Ubuntu 16.04. Additionally, they also crashed the entire Ubuntu 16.04 OS when running Chrome 51.
Not a security issue, so a bugfix is coming later during the year
In order for this crash to occur, as mentioned above, users need to use a browser built-in search provider that doesn't employ HTTPS. The list includes Ebay on Firefox, AOL and Ask.com on Chrome, and Bing and Yahoo on Android's stock browser.
Internet Explorer, Edge, and Safari aren't affected by this issue. Safari had to deal with its own search-induced crash at the start of the year, so its reputation is not as clean as you might think.
The Android, Chrome, and Firefox teams declined to classify this bug as a security issue, since it actually isn't, meaning that a fix will be coming later rather than sooner.
