The Picture In Picture (PiP) feature in Google Chrome has become a favorite among users because it lets them keep watching a video while they work in other tabs. However, a security flaw was recently discovered in Chrome's PiP implementation that could let a remote attacker display a counterfeit URL in the browser's Omnibox, potentially enabling phishing attacks or misleading users into visiting malicious sites. This vulnerability, tracked as CVE-2023-2937, affects Google Chrome versions prior to 114..5735.90.

In this long-read post, we'll dive into the technical details of this vulnerability, describe how an attacker could exploit it, and provide information on mitigating the risk. We will also include code snippets, links to original references, and other pertinent information.

Vulnerability Details

The CVE-2023-2937 vulnerability lies in an inappropriate implementation of the PiP feature in Google Chrome's renderer process. This oversight allows a remote attacker who has compromised the renderer process to spoof the contents of the Omnibox (URL bar) by using a specially crafted HTML page. The Chromium project, which is the open-source platform upon which Google Chrome is built, has classified the security severity of this issue as "Medium".

To better understand this vulnerability and how it might be exploited, let's take a look at a code snippet that demonstrates the creation of a malicious HTML page:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Malicious PIP Page</title>
</head>
<body>
    <video id="videoElement" src="https://example.com/video.mp4" controls></video>
    <script>
        const videoElement = document.getElementById('videoElement');
        const piPButton = document.createElement('button');
        piPButton.textContent = 'Enable Picture In Picture Mode';
        piPButton.addEventListener('click', async () => {
            try {
                await videoElement.requestPictureInPicture();
                // Attacker's code to spoof Omnibox contents
            } catch (error) {
                console.error('Error enabling PiP mode:', error);
            }
        });
        document.body.appendChild(piPButton);
    </script>
</body>
</html>

In this example, we have a simple HTML page with an embedded video and a button that enables PiP mode. The problem occurs when an attacker places malicious JavaScript after the await videoElement.requestPictureInPicture(); line. That code can alter the URL shown in the Omnibox, so the user believes they are visiting a legitimate website when they are in fact on a fake page. Note that, as stated above, the attacker must already have compromised the renderer process for this spoof to work; the crafted page by itself is not sufficient.

Mitigation

This vulnerability has been addressed and fixed in Google Chrome version 114..5735.90. Chrome users should make sure their browser is updated to this version or a later release to avoid potential exploitation.
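One practical way to check whether browsers in your environment have picked up the fix is to scan proxy or web-server logs for Chrome User-Agent strings older than the fixed release. The script below is an added example and is not code from the original post or from the Chromium project. It assumes that the fixed version quoted above is the four-part Chrome release 114.0.5735.90, and the User-Agent strings it processes are constructed samples, not real log data.

```javascript
// Added example (not from the original post): flag Chrome builds older than the
// fixed release in a batch of User-Agent strings, e.g. pulled from proxy logs.
// Assumption: the fixed version quoted in the post is the four-part Chrome
// release 114.0.5735.90.
const FIXED_VERSION = "114.0.5735.90";

// Parse a dotted version string into an array of integers. Non-numeric
// components become 0, and a shorter string such as "114" compares as 114.0.0.0.
function parseVersion(v) {
  return String(v).split(".").map((p) => {
    const n = parseInt(p, 10);
    return Number.isNaN(n) ? 0 : n;
  });
}

// Compare two dotted versions component by component; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Extract the Chrome version from a User-Agent string, or null if the UA does
// not carry a "Chrome/" token. Other Chromium-based browsers (Edge, Opera, ...)
// also carry that token and are reported under the Chromium version they embed.
function chromeVersionFromUA(ua) {
  const m = /\bChrome\/(\d+(?:\.\d+){0,3})/.exec(ua);
  return m ? m[1] : null;
}

// True when the UA belongs to a Chrome build older than the fixed version.
function isVulnerableUA(ua, fixed = FIXED_VERSION) {
  const v = chromeVersionFromUA(ua);
  return v !== null && compareVersions(v, fixed) < 0;
}

// Run over a batch of UA strings and return the ones that still need updating.
function findOutdatedChrome(uas, fixed = FIXED_VERSION) {
  return uas.filter((ua) => isVulnerableUA(ua, fixed));
}

// Constructed sample User-Agent strings (not real log data).
const SAMPLE_UAS = [
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.126 Safari/537.36",
  "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.90 Safari/537.36",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.133 Safari/537.36",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.4 Safari/605.1.15",
];

for (const ua of findOutdatedChrome(SAMPLE_UAS)) {
  console.log("outdated Chrome build:", chromeVersionFromUA(ua));
}
```

The comparison is done numerically per component rather than as a string compare, because "114.0.5735.90" sorts after "114.0.5735.133" lexicographically but is the older build. Only the first sample, Chrome 113.0.5672.126, is reported; the exact fixed version and the later 114.0.5735.133 build both pass, and the Safari entry is ignored because it carries no Chrome token.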

For more information on this security issue, you can consult the following references from the Chromium project:
1. CVE-2023-2937 Details: https://crbug.com/1373007
2. Chromium Security Severity: https://www.chromium.org/Home/chromium-security/security-severity

Conclusion

The CVE-2023-2937 vulnerability serves as a reminder of how important it is to stay informed about potential security risks and keep your software up-to-date. By updating Google Chrome to the latest version, you can protect yourself against this specific Omnibox spoofing exploit. Don't forget to always pay attention to the URLs displayed in your browser, especially when entering sensitive information or visiting unfamiliar websites.

Timeline

Published on: 05/30/2023 22:15:00 UTC
Last modified on: 06/02/2023 03:11:00 UTC