CVE-2024-9958 - UI Spoofing Vulnerability in the PictureInPicture Functionality of Google Chrome Prior to Version 130.0.6723.58

Security researchers have discovered an inappropriate implementation in the PictureInPicture (PiP) functionality of Google Chrome versions earlier than 130.0.6723.58. This vulnerability, tracked as CVE-2024-9958, allowed a remote attacker to perform User Interface (UI) spoofing through a maliciously crafted HTML page. The Chromium security team has rated its severity as Medium.

In this post, we will discuss the details about the vulnerability, the steps to reproduce it, along with available fixes. We will also include code snippets and links to original references for further understanding.

Exploit Details

UI spoofing refers to an attacker's ability to present deceptive interface elements and trick users into taking unintended actions. In Google Chrome, the PictureInPicture functionality lets users watch a video in a small, resizable, draggable window that stays on top while they browse other content. Because that window is drawn by the browser rather than by the page, users tend to trust what it shows. An attacker exploiting CVE-2024-9958 could influence how Chrome rendered the PictureInPicture window and thereby mislead users into believing they were interacting with genuine browser or site content.

The problem lies in Chrome's implementation of the PictureInPicture window itself, not in the web API that opens it; the page that triggers the window needs nothing beyond the standard API call. Here is the minimal HTML that puts a video into Picture-in-Picture mode:

<!DOCTYPE html>
<html>
  <head>
    <script>
      async function startPictureInPicture() {
        const video = document.getElementById("video");
        // Bail out where the API is absent or disabled for this element.
        if (!document.pictureInPictureEnabled || video.disablePictureInPicture) {
          return;
        }
        // requestPictureInPicture() must be called from a user gesture,
        // which the button click below provides.
        await video.requestPictureInPicture();
      }
    </script>
  </head>
  <body>
    <video id="video" src="https://path.to/video.mp4" controls></video>
    <button onclick="startPictureInPicture()">Start Picture-in-Picture</button>
  </body>
</html>

The above code creates a basic web page containing a video element and a button that starts PictureInPicture mode. There is nothing unusual in it; it is the ordinary way to request a PiP window. The weakness was in how the unpatched Chrome rendered the resulting window, so a crafted page could use that window to show content that users mistake for genuine browser or site UI. The exact construction of such a page is not reproduced here.

Once the spoofed window is on screen, the attacker could use it to trick users into performing unintended actions, potentially compromising their security and privacy.

Fixing the Vulnerability

Following the discovery of this vulnerability, the Chromium team shipped a fix in Google Chrome version 130.0.6723.58. Chrome users are strongly advised to keep their browser up to date to ensure they are protected against this and other security threats. Administrators can confirm the installed build via chrome://version or their fleet-management inventory and compare it against 130.0.6723.58.
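The following helper, an added example that is not part of the advisory or of Chromium's own code, classifies a Chrome build number against the fixed version 130.0.6723.58 and extracts that number from a User-Agent string. It assumes Chrome's four-part MAJOR.MINOR.BUILD.PATCH scheme; the UA strings it runs over are constructed samples, not captured traffic. One caveat it handles: since Chrome 101 the default User-Agent is "reduced" (the build and patch fields are zeroed, as in Chrome/130.0.0.0), so a major-130 UA cannot be placed before or after the fixed build without the full version from UA Client Hints.

```javascript
// Added example: classify a Chrome build against the fixed version for
// CVE-2024-9958 (130.0.6723.58, from the advisory text). Chrome versions are
// four dotted integers: MAJOR.MINOR.BUILD.PATCH.
const FIXED_VERSION = "130.0.6723.58";

// Parse "a.b.c.d" into four integers; missing trailing parts count as 0.
function parseVersion(v) {
  const parts = String(v).trim().split(".");
  if (parts.length < 1 || parts.length > 4 || parts.some((p) => !/^\d+$/.test(p))) {
    throw new Error(`not a Chrome-style version: ${v}`);
  }
  return Array.from({ length: 4 }, (_, i) => Number(parts[i] ?? "0"));
}

// Component-wise comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Reduced UA strings zero the BUILD and PATCH fields (e.g. "130.0.0.0"),
// so they carry only the major version.
function isReducedVersion(v) {
  const [, , build, patch] = parseVersion(v);
  return build === 0 && patch === 0;
}

// true = affected, false = fixed, null = undecidable from this string
// (reduced UA on the fixed major; ask for the full version via Client Hints).
function isVulnerableChromeVersion(v) {
  const [major] = parseVersion(v);
  const [fixedMajor] = parseVersion(FIXED_VERSION);
  if (major < fixedMajor) return true;
  if (major > fixedMajor) return false;
  if (isReducedVersion(v)) return null;
  return compareVersions(v, FIXED_VERSION) < 0;
}

// Pull the Chrome version token out of a UA string; null for non-Chrome UAs.
// Other Chromium-based browsers (Edge, Opera, ...) also send a Chrome/ token,
// so treat the result as a hint, not proof that the client is Google Chrome.
function chromeVersionFromUserAgent(ua) {
  const m = /\bChrome\/(\d+(?:\.\d+){0,3})\b/.exec(ua);
  return m ? m[1] : null;
}

function assessUserAgent(ua) {
  const version = chromeVersionFromUserAgent(ua);
  if (version === null) return { chrome: false, version: null, vulnerable: null };
  return { chrome: true, version, vulnerable: isVulnerableChromeVersion(version) };
}

// Constructed sample UA strings for the demo; not captured traffic.
const SAMPLE_USER_AGENTS = [
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.100 Safari/537.36",
  "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.58 Safari/537.36",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36",
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0",
];

for (const ua of SAMPLE_USER_AGENTS) {
  console.log(JSON.stringify(assessUserAgent(ua)));
}
```

A `null` result is the important one for a fleet report: it means the UA alone cannot decide, and the check should be repeated with the full version (the Sec-CH-UA-Full-Version-List header or navigator.userAgentData.getHighEntropyValues(["fullVersionList"]) in the browser) or with the installed-version data from endpoint management.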

For more information on the CVE-2024-9958 vulnerability and the fix, you can visit the following links:

- Chromium Security Advisory: https://chromium.googlesource.com/chromium/src/+/refs/tags/130..6723.58/docs/security/fixes.md
- Google Chrome Releases Blog: https://chromereleases.googleblog.com/

Conclusion

CVE-2024-9958 allows attackers to perform UI spoofing against users still running Google Chrome versions prior to 130.0.6723.58, using a maliciously crafted HTML page that invokes the PictureInPicture functionality. Keeping Chrome updated closes this issue along with the other fixes in the same release.

Timeline

Published on: 10/15/2024 21:15:12 UTC
Last modified on: 10/17/2024 20:00:41 UTC