Home page logo
/

bugtraq logo Bugtraq mailing list archives

Quick update on Google Chrome's Math.random() predictability by Amit Klein, Trusteer
From: Amit Klein <amit.klein () trusteer com>
Date: Tue, 16 Nov 2010 06:05:46 -0600

Hi list,

This is a quick update regarding Google Chrome's Math.random implementation and its vulnerability. Our original results 
with Google Chrome 3.0 and above don't hold as-is for Google 6.0 and above due to a change introduced in the Google 
Chrome Math.random implementation. However, the attack algorithm can be modified to take this change into account, so 
the vulnerability is still in effect. As reported earlier, it is possible to read application states across domains, 
thus enabling for e.g. in-session phishing. This was reported to Google's security team earlier this year, which 
responded by stating that there is no ETA for a fix and we're free to publish our results. 

For additional details, please read the full paper at:
http://www.trusteer.com/sites/default/files/Google_Chrome_6.0_and_7.0_Math.random_vulnerability.pdf

Thanks,
-Amit
Amit Klein, CTO, Trusteer


  By Date           By Thread  

Current thread:
  • Quick update on Google Chrome's Math.random() predictability by Amit Klein, Trusteer Amit Klein (Nov 16)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault