
This 13-Character String Will Kill Chrome Dead – But Only on OSX

Monty Python’s world’s deadliest joke might be a work of fiction, but Chrome has a flaw which is just as deadly.

VentureBeat reports that a newly discovered bug in the Chrome web browser has the potential, like the world’s deadliest joke, to kill Chrome browser tabs. The bug is a 13-character string which, when loaded on a web page, crashes the tab.

Here’s an image of the characters:

[Image: chrome-crash-exploit]

This bug doesn’t work on the Windows or Android versions of Chrome (or in any other web browser), but it does reportedly crash the OSX version of Chrome.

It’s not clear why the string crashes Chrome or what it says, but after some Googling I can report that the language appears to be Aramaic. A couple of the words were found in what I _think_ is the Aramaic section of Wikipedia, and the characters resemble characters in a sample image on the related language page in Wikipedia.

I’m trying to contact the original bug finder in order to get some background, but all I have right now is the sparse but amusingly straightforward bug report:

What steps will reproduce the problem?
1. Any page with [removed so this article loads for everyone] will crash the Chrome tab on a Mac
2. Just create any dummy page with the unicode characters, and the Mac Chrome tab will crash hard

What is the expected result?
Expect it not to crash

What happens instead?
It crashes

I don’t have a Mac myself, but VentureBeat says that they tested the bug and can confirm that it does happen – most of the time.

In a few cases, the characters fail to render and users instead see 13 blank rectangles (????? ??? ?????). In my experience, those rectangles are only shown when a web browser tries to display characters using a font which it doesn’t support.

Fonts are a tricky thing, and this isn’t the first time that a unique string of characters has crashed an app. I recall that back in 2013 a developer identified a gibberish string of Arabic characters which could crash any OSX or iOS app which used Apple’s CoreText API to render text.

Ars Technica reported at the time that the bug affected many apps, including Chrome, but only apps which relied on Apple to render the font. Firefox, for example, was immune.

I missed that bug two years ago, and I am financially secure from encountering the current bug, but I would be interested in reading any first-hand accounts.

Have you encountered either bug? Did it crash your web browser?



Comments


Karl March 22, 2015 at 8:20 pm

Why go to all the trouble of entering this string of weird-ass characters? Trust me, there are lots and lots and lots of easier ways to get Chrome to crash.

Nate Hoffelder March 23, 2015 at 9:58 am

Yes, as we saw at the Pwn2Own competition this past week, there are other ways to crash Chrome. But are any of those easier ways as simple and elegant as this character string?


Robert March 23, 2015 at 9:08 am

Naturally, I immediately clicked on the bug link to see if it was true. Yep, it blows up the tab. Interestingly, it does NOT happen in OSX Chrome Canary, their 64-bit beta browser.

