A new vulnerability has been discovered within Google Chrome on Android, specifically within Custom Mobile Tabs. Users of Chrome versions prior to 117.0.5938.62 should update their software as soon as possible. This vulnerability, known as "CVE-2023-4903," has been classified by Chromium's security team as having medium severity and relates to an inappropriate implementation in Custom Mobile Tabs. Exploiting this weakness could allow a remote attacker to spoof security UI using a specially designed HTML page.

In this post, we will examine the details of this vulnerability, explore the code involved, and discuss how it can be exploited. We will also provide links to essential references and resources that will help you understand and protect against the threat posed by this vulnerability.

The code snippet demonstrating how an attacker could exploit this weakness is shown below:

<!DOCTYPE html>
<html>
<head>
  <meta charset="UTF-8">
  <title>CVE-2023-4903 Exploit Example</title>
</head>
<body>
  <iframe src="https://target.site" width="100%" height="100%" frameborder="0" style="position:absolute; top:0; left:0; width:100%; height:100%;"></iframe>
  <!-- inject fake security UI here -->
  <div id="fake-security-ui" style="position:absolute; top:0; left:0; width:100%; height:100%; z-index:100;">
    <!-- add content that spoofs real security UI -->
  </div>
</body>
</html>

The above HTML code creates an iframe that embeds a target website and simulates an overlay mimicking the browser's security UI. As a result, unsuspecting users might be led to believe that their connection is secure, even though they are interacting with a fake interface.

Exploit Details

This vulnerability occurs due to improper handling of the Custom Mobile Tabs implementation in Google Chrome on Android. An attacker can exploit it by preparing a malicious HTML page that loads a target website inside an iframe and overlays a spoofed security UI, which would deceive users into thinking they are interacting with a secure website.

An attacker would typically host the malicious HTML page on a separate domain and then persuade users to visit that page. This could be done using social engineering tactics such as sending a malicious URL via email or instant messaging, or posting it on social media platforms or forums.

Upon loading the page, the user’s web browser would load the target website in an iframe, and the additional overlay would be placed on top. The overlay would simulate the appearance of the browser's security UI, giving victims the false impression that their connection is secure.
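The framing step described above depends on the embedded site's responses permitting cross-origin framing, which a site owner can check from the Content-Security-Policy frame-ancestors directive and the X-Frame-Options header. The following is an added example, not code from the original post; the function names and sample header values are constructed for illustration, and it assumes one enforced CSP policy and lower-cased header names.

```javascript
// Added example: classify a response's anti-framing headers.
// Assumes a single enforced policy (not Report-Only, not a <meta> tag).

// Return the source list of the frame-ancestors directive, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// headers: plain object keyed by lower-cased header name.
// Returns { framable: 'no' | 'same-origin' | 'allowlist' | 'yes', reason }.
function framingPolicy(headers) {
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources !== null) {
    // When frame-ancestors is present, X-Frame-Options is not consulted.
    const lower = sources.map(s => s.toLowerCase());
    if (lower.length === 0 || (lower.length === 1 && lower[0] === "'none'"))
      return { framable: 'no', reason: 'csp' };
    // "*" or a bare scheme such as "https:" lets any origin embed the page.
    if (lower.some(s => s === '*' || /^https?:$/.test(s)))
      return { framable: 'yes', reason: 'csp-wildcard' };
    if (lower.every(s => s === "'self'"))
      return { framable: 'same-origin', reason: 'csp' };
    return { framable: 'allowlist', reason: 'csp' };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { framable: 'no', reason: 'xfo' };
  if (xfo === 'SAMEORIGIN') return { framable: 'same-origin', reason: 'xfo' };
  // Missing header, obsolete ALLOW-FROM (not supported by Chrome) or an
  // invalid value: nothing stops another origin from framing the page.
  return { framable: 'yes', reason: xfo ? 'xfo-ignored' : 'no-header' };
}

// Constructed sample responses.
const SAMPLES = [
  { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  { 'content-security-policy': 'frame-ancestors https:', 'x-frame-options': 'DENY' },
  {},
];
for (const h of SAMPLES) console.log(JSON.stringify(h), '->', framingPolicy(h));
```

A result of `yes` means an arbitrary page can place the site in an iframe and draw its own content over it; `no` or `same-origin` means the browser refuses to render the framed response for a third-party page.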

Original References

The Google Chrome Release Blog announced the update that patches this vulnerability in its post “Stable Channel Update for Desktop”. The vulnerability has been assigned the CVE identifier CVE-2023-4903.

The Chromium bug tracker entry, Issue 478391: Security UI spoofing with CustomMobileTabs, provides further details on the vulnerability, its discovery, and the process of developing a patch.

To mitigate the risk associated with this vulnerability, users should follow these steps:

1. Ensure Google Chrome is updated to the latest version (117.0.5938.62 or higher). Updating can be done through the Google Play Store or by visiting the Chrome download page.

2. Be cautious of unexpected links received through email, social media, or other messaging platforms. Ensure that you only click on links from trusted sources.

3. Consider using additional security measures such as ad-blockers, script blockers, or security-focused browser extensions.

Conclusion

CVE-2023-4903 is a medium-severity vulnerability that affects Custom Mobile Tabs in Google Chrome on Android. This flaw allows a remote attacker to spoof security UI through a crafted HTML page. Users are advised to update their software to the latest version and exercise caution when interacting with websites or clicking on links shared through untrusted sources.

Timeline

Published on: 09/12/2023 21:15:08 UTC
Last modified on: 10/17/2023 20:14:02 UTC