
Google's Latest Feature Has A Huge Security Hole

by Seth Millstein

Google’s goofy plan to stop displaying website URLs in the Chrome browser hit a bump in the road on Tuesday when it was discovered that, in addition to being hated by many Chrome users, the feature would also pose a significant security risk. The security firm PhishMe found that the change, which has been rolled out to a small number of Chrome users, can easily be exploited to trick users into giving away sensitive information to malicious websites. Even tech-savvy users would be at risk, giving Google yet another reason to pull the plug on a feature that, frankly, nobody asked for in the first place.

Displaying the URL of the website you’re browsing is one of the few aspects of the online experience that hasn’t changed since the mid-1990s. But in early May, Google announced “origin chip,” a feature that replaces the full URL of websites in Chrome with a shortened display of just the site’s domain name. So, for example, listings on Amazon.com wouldn’t appear as “http://www.amazon.com/Out-Season-Beth-Gibbons-Rustin/dp/B00299FV4K/ref=sr_1_1?s=dmusic&ie=UTF8&qid=1399595724&sr=1-1&keywords=Beth+Gibbons+%26+Rustin+Man” but simply “Amazon.com.”

It seems pretty unnecessary; after all, is it really that hard to look at the beginning of a URL to figure out which website you’re on? But the bigger issue is that, as currently designed, origin chip won’t display any website name at all if the URL is more than 98 characters, thus allowing password thieves to construct intentionally lengthy URLs for scam websites in order to avoid detection by Chrome.

“While [it] is intended to help the user identify a link's true destination, it will actually make it impossible for even the savviest users to evaluate the authenticity of a URL,” PhishMe wrote on Tuesday.

Google’s idea was to only roll out the change to users of Canary, the experimental version of Chrome; however, a bug resulted in certain users of the standard Chrome browser receiving the origin chip feature, prompting Google to release a fix. It’s worth noting that, according to Google, origin chip is still just an “experiment,” and won’t necessarily be included in future versions of Chrome. Tuesday’s news is one big reason to hope that it never is.