Hello readers! Today's discussion is focused on an issue that has affected Google Chrome, specifically in an earlier version, prior to 117..5938.62. A vulnerability was identified in the Picture in Picture (PiP) mode, allowing a remote attacker to spoof security UI through a maliciously crafted HTML page. Although the Chromium security severity is labeled as 'Low,' it's essential to understand the scope of this vulnerability and how it may affect users.

The Vulnerability: CVE-2023-4908

CVE (Common Vulnerabilities and Exposures) unique identifier: CVE-2023-4908

Severity: Low

Affected Component: Picture in Picture in Google Chrome

Affected Versions: Prior to 117..5938.62

Description: In Google Chrome, an inappropriate implementation was discovered in Picture in Picture (PiP), which allowed a remote attacker to spoof security UI through a crafted HTML page. By leveraging this vulnerability, an attacker could potentially trick users into providing sensitive information, thinking that they are interacting with a legitimate webpage.

The Exploit in Detail

To exploit this vulnerability, an attacker would create a malicious HTML page that misuses the PiP feature of Google Chrome. By doing so, the attacker could manipulate the visual representation of the security UI, making it show false or misleading information to the user.

Here is a simplified example of a possible code snippet that an attacker might use in a crafted HTML page to implement this exploit:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <title>CVE-2023-4908 Exploit</title>
  </head>
  <body>
    <video id="myVideo" controls>
      <source src="sample-video.mp4" type="video/mp4" />
      Your browser does not support HTML5 video.
    </video>

    <script>
      const videoElement = document.getElementById("myVideo");

      videoElement.addEventListener("loadedmetadata", () => {
        const pipWindow = new PiPWindow(videoElement);

        // Malicious code to spoof security UI
        maliciousSpoofSecurityUI(pipWindow);
      });
    </script>
  </body>
</html>

In this example, the attacker utilizes the PiPWindow object to interact with the video's PiP mode. By modifying or injecting malicious code into the maliciousSpoofSecurityUI function, the attacker aims to alter the security UI's visual representation.

Original References & Patch

The vulnerability is documented and reported in the official Chromium Issue Tracker as Issue 1250887.

To mitigate this vulnerability, Google Chrome users should make sure their browser is updated to version 117..5938.62 or later. Users can check their browser version by following these steps:

Hover over Help, then click on About Google Chrome.

3. The browser will display its version, and if an update is available, it will automatically update and prompt the users to restart the browser.

Conclusion

In conclusion, CVE-2023-4908 is a low-severity vulnerability affecting Google Chrome's Picture in Picture (PiP) feature. The inappropriate implementation enables a remote attacker to spoof the security UI via a maliciously crafted HTML page. Fortunately, users can protect themselves by updating their browser to version 117..5938.62 or later. Be sure to keep your browser up-to-date and stay informed about potential security vulnerabilities to ensure a safe browsing experience!

Timeline

Published on: 09/12/2023 21:15:09 UTC
Last modified on: 10/17/2023 20:02:51 UTC