A simple URL string can apparently crash Google Chrome instantly — and simply hovering the cursor over such a link will do the trick.
Just recently, Skype was plagued by a similar problem, as a vulnerability caused a crash from a common text string: "http://:" that could easily be typed by mistake when trying to manually enter a web address. This string caused Skype to instantly crash on the recipient's device, without even displaying the message.
A new bug now affects Google's Chrome browser in a like manner, as Andris Atteka points out in a new blog post. Just as with the Skype bug, this crash bug in Google Chrome occurs with a simple URL string. All it takes is a NULL char in the URL string and Chrome instantly crashes.
As an example, Atteka gives the URL string http://biome3d.com/%%30%30 — simply hovering over it crashed the Chrome tab it was in. The URL string doesn't cause a crash when hovering over it in this article because we intentionally left it in plain text.
The example URL string contains 26 characters, but the crash works with an even shorter string. Removing 10 characters from Atteka's link and keeping just http://b/%%30%30 does the trick as well, and with a more severe effect. While Atteka's 26-character URL string crashed just the tab, the 16-character string crashes Chrome altogether — all windows and all tabs.
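Both strings hide the NULL behind two layers of percent-encoding: %30 encodes the character 0, so one decoding pass turns %%30%30 into %00, and a second pass yields the NUL byte. The sketch below is an added example, not code from Atteka's post or from Chrome; it shows a link filter that unwraps nested encoding and rejects URLs that resolve to a control byte. The function names, the five-pass cap and the example.com samples are assumptions.

```python
from urllib.parse import unquote_to_bytes

MAX_PASSES = 5  # assumption: how many nested encoding layers to unwrap


def decode_layers(url, max_passes=MAX_PASSES):
    """Percent-decode repeatedly until nothing changes; return every form seen."""
    forms = [url.encode("utf-8")]
    for _ in range(max_passes):
        decoded = unquote_to_bytes(forms[-1])
        if decoded == forms[-1]:
            break  # fixed point: no encoding layers left
        forms.append(decoded)
    return forms


def first_control_byte(url):
    """Return (decode_passes, byte) for the first C0/DEL byte exposed, else None."""
    for passes, form in enumerate(decode_layers(url)):
        for byte in form:
            if byte < 0x20 or byte == 0x7F:
                return passes, byte
    return None


def classify(url):
    """Verdict a message or link filter could act on before rendering the URL."""
    hit = first_control_byte(url)
    if hit is None:
        return "ok"
    passes, byte = hit
    return f"reject: 0x{byte:02x} after {passes} decode pass(es)"


if __name__ == "__main__":
    samples = [
        "http://biome3d.com/%%30%30",   # from the article
        "http://b/%%30%30",             # from the article
        "http://example.com/%00",       # constructed: single-layer NUL
        "http://example.com/a%20b",     # constructed: benign encoded space
        "http://example.com/100%25",    # constructed: benign encoded percent sign
    ]
    for s in samples:
        print(f"{s:30} {classify(s)}")
```

A filter that decodes only once sees nothing worse than %00 in the article's strings, which is why the check inspects every intermediate form instead of just the first.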
Atteka reported the Chrome crash bug to Google but it appears that it's not really a security threat.
"It seems to be crashing in some very old code. In the Debug build, it's hitting a DCHECK on an invalid URL in GURL, deep in some History code," explained a developer in response to Atteka's finding. "Given that it's hitting a CHECK in the Release build, I don't think this is actually a security bug, but I'm going to leave it as such."
Atteka further noted that he didn't receive any reward for this finding because it was "deemed to be only a DOS vulnerability."
Lastly, it's worth pointing out that this crash bug affects Google Chrome 45, which is the latest stable version of the browser. The mobile version of Chrome, meanwhile, seems to be unaffected, as it doesn't crash with either of the two URL string examples.