CVE-2024-7975: UI Spoofing Vulnerability in Permissions for Google Chrome prior to 128..6613.84

The Common Vulnerabilities and Exposures (CVE) system has assigned CVE-2024-7975 to a recently discovered vulnerability in Permissions for Google Chrome prior to version 128..6613.84. This security issue allows a remote attacker to perform UI spoofing on a victim's browser via a maliciously crafted HTML page. In this post, we will detail the nature of the vulnerability, provide a code snippet for demonstration purposes, and link to original references and exploit details.

Exploit Details

The vulnerability, classified as "Medium" severity by Chromium security, stems from an inappropriate implementation in Permissions in Google Chrome versions prior to 128..6613.84. This flawed implementation can be exploited by a remote attacker who can prompt the user to interact with a malicious HTML page that takes advantage of the bug.

To exploit the vulnerability, an attacker could craft an HTML page that triggers the affected versions of Chrome to display a spoofed user interface. This malicious UI may look like a legitimate Chrome permission prompt, making it difficult for the user to differentiate between genuine and spoofed permission requests.

Code Snippet

The following code snippet demonstrates an example of a spoofed HTML page mimicking a permission prompt:

<!DOCTYPE html>
<html>
<head>
<style>
  body {
    background-color: #f8f9fa;
  }
  .spoofed-permission-prompt {
    font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
    position: fixed;
    top: 10%;
    left: 50%;
    width: 300px;
    padding: 10px;
    background-color: white;
    border: 1px solid #dadce;
    box-shadow:  1px 6px rgba(32,33,36,.28);
    transform: translateX(-50%);
  }
  /* ... other CSS styles ... */
</style>
</head>
<body>
  <div class="spoofed-permission-prompt">
    <h2>Allow example.com to send notifications?</h2>
    <!-- ... other HTML elements ... -->
    <button type="submit">Allow</button>
    <button type="submit">Block</button>
  </div>
</body>
</html>

Please note that the provided code snippet is only for demonstration and educational purposes and should not be used for malicious purposes.

Original References and Links

1. Official CVE Details
2. Chromium Issue Tracker
3. Google Chrome Security Release Notes

Mitigation

Users are advised to update their Google Chrome browser to version 128..6613.84 or later, which contains the necessary patches to address this vulnerability. To check the current version of your browser, navigate to chrome://settings/help or click on the "About Google Chrome" option from the browser's menu.

Conclusion

CVE-2024-7975 is a noteworthy vulnerability that can potentially lead to UI spoofing attacks. However, it has been patched in Google Chrome version 128..6613.84 and later. Users should ensure they are running the latest version of Chrome and remain cautious when interacting with unfamiliar web pages to reduce the risk of exploitation.

Timeline

Published on: 08/21/2024 21:15:09 UTC
Last modified on: 08/22/2024 17:40:09 UTC