CVE-2023-5859: Domain Spoofing Vulnerability in Picture-In-Picture Feature of Google Chrome

Google Chrome is one of the most widely used web browsers in the world, so its security matters to a very large number of users. A vulnerability was recently disclosed in the Picture-in-Picture (PiP) feature of Google Chrome prior to version 119.0.6045.105. This vulnerability, tracked as CVE-2023-5859, allows a remote attacker to perform domain spoofing via a crafted local HTML page. Although Chromium security classifies it as a low-severity issue, it is still worth understanding how it works and making sure your systems are protected.

Vulnerability Details

The vulnerability stems from an incorrect security UI implementation in the PiP feature of Google Chrome prior to version 119.0.6045.105. By exploiting this flaw, a remote attacker can trick users into believing they are viewing content from a trusted website when the content actually originates from a malicious domain. The attacker achieves this with a crafted local HTML page opened on the user's system. Because the spoofed origin looks trustworthy, the technique can be used in phishing attacks to steal sensitive information such as login credentials and personal data.

To better understand the vulnerability, let's look at a code snippet illustrating the exploit:

<!DOCTYPE html>
<html>
<head>
  <title>CVE-2023-5859 PoC</title>
</head>
<body>
  <!-- The video source is supplied by the attacker; "your-video-source" is a placeholder. -->
  <video id="videoElement" src="your-video-source" controls></video>
  <script>
    // Once the video's metadata has loaded, ask the browser to open it in a
    // Picture-in-Picture window. requestPictureInPicture() returns a promise
    // and rejects (e.g. NotAllowedError) when no user gesture is available.
    document.getElementById("videoElement").addEventListener("loadedmetadata", function () {
      this.requestPictureInPicture().catch(function (err) {
        console.error("PiP request failed:", err);
      });
    });
  </script>
</body>
</html>

In this code snippet, a video element is created whose source is supplied by the attacker. When the video has loaded, the loadedmetadata event fires, and the handler calls requestPictureInPicture(). That call opens the PiP window, which is where the flawed security UI lets the attacker exploit the vulnerability described above.

For more information on this vulnerability, you can refer to the following resources:

1. Chromium Bug Tracker: Issue 1319911
2. Chrome Release Notes: Google Chrome 119.0.6045.105 Stable Channel Update
3. CVE Details: CVE-2023-5859

How to Mitigate the Vulnerability

Since the vulnerability affects Google Chrome prior to version 119.0.6045.105, the recommended course of action is to update the browser to the latest stable version. Google addressed this vulnerability in that stable release, and updating ensures that your system is no longer susceptible to this domain spoofing issue.
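To turn the "prior to version 119.0.6045.105" condition into a fleet check, here is an added Python example (not Chrome or Chromium project code; the host names and version lines are constructed). It parses `google-chrome --version` style output and compares the build numerically against the fixed release, which matters because a plain string comparison would wrongly rank 119.0.6045.99 above 119.0.6045.105.

```python
"""Audit helper for CVE-2023-5859: flag Chrome builds older than the fixed
release named in the advisory. Added example, not Chrome/Chromium code."""
import re

# Fixed release from the advisory text.
FIXED_VERSION = "119.0.6045.105"


def parse_version(text):
    """Extract a dotted numeric version from text such as the output of
    `google-chrome --version` ("Google Chrome 119.0.6045.105") and return it
    as a tuple of ints, or None when no version is present."""
    m = re.search(r"\b(\d+(?:\.\d+)+)\b", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """True when the build is strictly older than the fixed release.
    Components are compared as integers, so 119.0.6045.99 sorts before
    119.0.6045.105; missing trailing components are treated as zero."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"no version found in {version_text!r}")
    f = parse_version(fixed)
    width = max(len(v), len(f))
    v += (0,) * (width - len(v))
    f += (0,) * (width - len(f))
    return v < f


# Constructed sample inventory (host name, `google-chrome --version` output).
SAMPLE_INVENTORY = [
    ("host-a", "Google Chrome 118.0.5993.117"),
    ("host-b", "Google Chrome 119.0.6045.99"),
    ("host-c", "Google Chrome 119.0.6045.105"),
    ("host-d", "Google Chrome 119.0.6045.123"),
    ("host-e", "Google Chrome 120.0.6099.71"),
]


def audit(inventory=SAMPLE_INVENTORY):
    """Return the hosts whose Chrome build still needs the update."""
    return [host for host, version in inventory if is_vulnerable(version)]


if __name__ == "__main__":
    for host in audit():
        print(f"{host}: update required (CVE-2023-5859)")
```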

Conclusion

While the CVE-2023-5859 vulnerability has a low severity classification, it is essential for users and businesses to update their systems to protect against potential exploitation. By understanding the details of the vulnerability and taking appropriate steps to mitigate the risk, users can continue to enjoy the convenience of Google Chrome's popular Picture-in-Picture feature without the worry of domain spoofing and potential phishing attacks.

Timeline

Published on: 11/01/2023 18:15:10 UTC
Last modified on: 11/14/2023 03:15:12 UTC