Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Releases Chrome 6, Pays $4337 In Bounties

Posted by timothy on from the working-in-the-background dept.

Trailrunner7 writes "Google has released a new version of its Chrome browser and has included more than a dozen security fixes in the update. The new version, 6.0.472.53, was released two years to the day after the company pushed out the first version of Chrome. Google Chrome 6 includes patches for 14 total security vulnerabilities, including six high-priority flaws, and the company paid out a total of $4,337 in bug bounties to researchers who reported the vulnerabilities. A number of the flaws that didn't qualify for bug bounties were discovered by members of Google's internal security team." (Read on for more, below.) Also on the Chrome front, morsch writes "Chrome 7 for Linux is planned to tie in with the Gnome Keyring and the KDE Wallet to securely store saved browser passwords. Users of the stable version of Google's Webkit-based browser might be surprised to find out that, so far, passwords are stored on the hard disk as clear text. On Windows, Chrome has always used a platform-specific crypto API call for encrypted storage. The corresponding Linux function was never implemented — until now. Unstable versions of Chrome 7 still disable the feature by default; it can be enabled using a parameter."

17 of 177 comments (clear)

  1. Crazy Article by bipbop · · Score: 4, Funny

    I just looked at the article briefly, and it states "A second high-priority flaw, a sandbox parameter deserialization error, was discovered by two members of Adobe's Reader Sandbox Team." What the--Adobe has a security team? That's crazy talk!

    1. Re:Crazy Article by TooMuchToDo · · Score: 4, Funny

      Notice that they're too busy working on finding holes in Chrome to be working on Adobe products ;)

      I kid!

  2. Re:Where's the love for the Mac passwords? by Netshroud · · Score: 4, Informative

    Chrome already uses the Keyring... at least it does for me.

  3. Re:Version bloat by ksandom · · Score: 3, Funny

    In 2015.... Chrome 256 released!

    --
    Funnyhacks - Wierd, unusual, and fun hacks
  4. Re:Version bloat by rezonat0r · · Score: 4, Informative

    I'm guessing you missed their highly re-reported blog post regarding the new release schedule.

  5. Re:Print Preview? by Anonymous Coward · · Score: 5, Informative

    no, no and yes

  6. Re:Wheel of Bug Chasers! by bonch · · Score: 5, Insightful

    Give me a break. You turn a bug bounty into a statement on American values. Your gameshow references are completely baseless and random. What a load of crap!

  7. Re:$4,337 from a multi-billion dollar company? by LingNoi · · Score: 4, Informative

    Since you're not going to RTFA or even the summary i'll repost it here..

    includes patches for 14 total security vulnerabilities, including six high-priority flaws, and the company paid out a total of $4,337 in bug bounties to researchers who reported the vulnerabilities. A number of the flaws that didn't qualify for bug bounties were discovered by members of Google's internal security team.

    The new release of Chrome also fixes an older bug, a Windows kernel flaw, that Google had thought it fixed in a previous version.The highest bug bounty, $1337, was paid for an integer error in WebSockets found by Keith Campbell. A second high-priority flaw, a sandbox parameter deserialization error, was discovered by two members of Adobe's Reader Sandbox Team.

  8. Aeet? by Anonymous Coward · · Score: 5, Funny

    First thing I thought when I saw 4337 was "What the fuck is Aeet?"

  9. Re:Wheel of Bug Chasers! by kdub432 · · Score: 3, Insightful

    This is one of the dumbest arguments I've ever seen on slashdot.

  10. Re:Print Preview? by Urza9814 · · Score: 3, Interesting

    Uhh...my Chromium 5 for Linux has print preview and proper flash support. And the same file download behavior as browsers like Firefox - I open a file the browser doesn't handle, it downloads to the folder I've specified for downloads. How is that a problem? As I said, it's the same thing Mozilla does. I don't _want_ a browser to just start deleting my downloads on it's own. If I tell it 'yes, download this file', that file should stay where it is until I decide to delete it.

  11. Re:Wheel of Bug Chasers! by Tubal-Cain · · Score: 3, Informative

    Mozilla also pays bug bounties.

  12. Linux Logins by idcard_1 · · Score: 5, Interesting

    FYI your linux logins on Ubuntu are stored in this file: /home/username/.config/google-chrome/Default/Login\ Data just do "strings Login\ Data" and you have those passwords. :(

  13. Re:Version bloat by dougisfunny · · Score: 4, Funny

    They figure once they get to 6 they can coast for years.

    --
    This is not the funny you're looking for.
  14. And it's ACID3 compliant! by VincenzoRomano · · Score: 3, Informative

    At least the Linux version for x86_64.
    Try it

    --
    Maybe Computers will never be as intelligent as Humans.
    For sure they won't ever become so stupid. [VR-1988]
  15. Re:$4,337 from a multi-billion dollar company? by sco08y · · Score: 4, Funny

    The highest bug bounty, $1337

    $1337? Oh come on!

    Well, $5318008 was a bit much.

  16. Re:Wheel of Bug Chasers! by Dhalka226 · · Score: 4, Insightful

    Give ME a break. I can't believe the "bug bounty hunters" would really sell a Google vulnerability for a thousand dollars

    And yet they did. That must really shake your world view.

    Believe it or not, when normal people discover a vulnerability and their options are "run a bonet" and "tell the manufacturer," most of them tell the manufacturer. Getting $1000 for it is an added bonus, not the incentive to action.

    True, it's not going to create a whole new generation of professional bug bounty hunters living off their bounties, but that was never the intent. If they wanted to hire an army of extra bug hunters they'd put you on the payroll. If you're looking to get rich, do something else. If you're into it for the challenge or to be helpful or you happen to be mucking about with their browser as part of your day job, make a little extra money as Google's way of saying "thank you" for doing the right thing and helping them to make their free product--one you evidently use, if you're finding bugs in it--a better one.

    If that's not good enough for you, well, fine. Don't look for bugs. Don't pass Go, don't collect $1,000. Your time is apparently better spent trying to get yourself a spot on Wheel of Fortune.