Herrera | 9 years ago

A somewhat related topic:

A few months ago Google fixed a vulnerability on the inline installation. It was possible to start an install on the attacker's website and then redirect the page to an arbitrary one. This would confuse the user, making him believe that the install came from the arbitrary page.

Here is the PoC if anyone is interested (CVE-2016-1640): https://www.youtube.com/watch?v=f_9ObDqBoo8
