Crash Google Chrome with 16 characters

New magic words are a lot like old magic words, except they make the internet flail around and die. Put the URL below in the address bar of the latest version of Chrome and your browser will splutter and crash.

Abracadabra. Open sesame. Izzy wizzy, let's get busy. http://a/%%30%30

We've tested the buggy URL in both Chrome Version 45.0.2454.93 for Windows and Mac and in both cases the browser crashed. It's also reported to affect Opera 32.0. Android's Chrome seems to be okay, as does Safari, Internet Explorer and Firefox.

The bug seems to be only a denial-of-service vulnerability rather than a fully fledged security issue, but it could understandably cause problems for people.

What's making this happen? The fault seems to be some old code in Chrome. Security researcher Andris Atteka, who discovered the bug, reported the issues to Chrome via Chromium Issue and received this explanation in response:

“It seems to be crashing in some very old code. In the Debug build, it's hitting a DCHECK on an invalid URL in GURL, deep in some History code. Given that it's hitting a CHECK in the Release build, I don't think this is actually a security bug, but I'm going to leave it as such.”

Chrome-killing game

GitHub user Sean Zhu has already made a game from the bug, which you can play here. Use your cursor to follow the trail of bears. If you touch a "deadly tree", your browser will crash. As you'd expect, the game only works (and breaks) on Chrome.

Skype was beset by a similar issue in June, with 8 characters causing the service to crash if typed into the message box. Before this, Apple suffered from an iMessage bug, with a string of specific Unicode characters causing iPhones, iPads and iPod Touches to crash.

Google hasn't yet released a patch, but is working at getting one up as soon as possible. Expect to see a minor update to the browser soon. In the meantime, you can follow some developer discussion of the problem over at the Chromium bug tracker site.