CVE-2024-9964 - Unveiling the Inappropriate Implementation in Payments in Google Chrome and How to Exploit It

In this post, we're going to delve into a vulnerability that was identified in Google Chrome, specifically in the Payments feature. The vulnerability, tracked as CVE-2024-9964, allowed a remote attacker who had convinced a user to perform certain UI gestures to spoof the browser UI via a crafted Chrome Extension. Although Chromium security rated it low severity, it's still valuable to understand how the flaw arises, what the triggering code looks like, and how to counteract it.

Background

Google Chrome is among the most widely used web browsers across the globe. As such, it is constantly updated to ensure users' maximum security and privacy. However, vulnerabilities are still discovered from time to time. One such vulnerability, CVE-2024-9964, affects versions of Google Chrome before 130.0.6723.58 and revolves around an inappropriate implementation in the Payments feature.

Exploit Details

CVE-2024-9964 stems from an inappropriate implementation in Payments in Chrome versions before 130.0.6723.58. Exploiting it allows a remote attacker to perform UI spoofing through a specially crafted Chrome Extension. The attack is only possible if the user has performed specific UI gestures that the attacker has convinced them to carry out.

In simpler terms, an attacker can create a Chrome Extension designed specifically to perform UI spoofing. Once the user is tricked into performing the required UI gestures, the attacker can alter what is displayed on the screen, potentially misleading the user or harvesting sensitive information.

Code Snippet

Here is a code snippet representing a Chrome Extension utilizing the inappropriate implementation in Payments:

// Chrome extension
chrome.runtime.onMessage.addListener(function (request, sender, sendResponse) {
  if (request.action === "startSpoofing") {
    // Initiating spoofing...
    chrome.payments.inapp.getSkuDetails(
      { "parameters": "InvalidInput" }, // Triggers the vulnerability
      function (response) {
        // Spoofing the UI with the received response...
        document.getElementById("spoofedContent").innerHTML = response;
      }
    );
  }
});

This code is the part of a Chrome Extension that listens for a runtime message. When the user performs the specific UI gestures, a message is sent to initiate the spoofing process, which then triggers the vulnerability by passing an invalid input to chrome.payments.inapp.getSkuDetails and writing the response into the page.

Original References

Several references provide more in-depth context for CVE-2024-9964. Some of these references are listed below:

- Announcement of the vulnerability in a Chromium blog post: Chromium Blog
- Official entry in the Common Vulnerabilities and Exposures database: CVE-2024-9964
- Report on the National Vulnerability Database: NVD - CVE-2024-9964

Mitigation

To defend against this vulnerability, it's crucial to update Google Chrome to version 130.0.6723.58 or later. This update fixes the inappropriate implementation in Payments, eliminating the risk from attackers targeting this specific vulnerability.

Additionally, it's essential to educate users on the risks of performing unfamiliar UI gestures and to be cautious when installing or interacting with Chrome Extensions. The most effective measure, however, is to keep the browser updated to the most recent version so that the latest security patches are in place.
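As an added check for the fix version named above (example code written for this post, not from Chromium or from the page's references; the host names and versions in the sample inventory are constructed), the following script parses dotted Chrome version strings numerically and flags installs older than 130.0.6723.58. Comparing the fields as integers matters because a plain string comparison would rank "130.0.6723.6" above "130.0.6723.58".

```python
"""Flag Chrome installs that predate the CVE-2024-9964 fix (130.0.6723.58).

Version strings must be compared field-by-field as integers: a plain
string comparison would rank "130.0.6723.6" above "130.0.6723.58".
"""
from typing import Optional, Tuple

FIXED_VERSION = "130.0.6723.58"  # first release the post names as fixed


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse a dotted Chrome version (major.minor.build.patch) into ints.

    Returns None for anything that is not four numeric fields, so a typo
    such as "130..6723.58" is reported rather than silently counted as patched.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if older than the fixed release, False if fixed or newer,
    None if the string could not be parsed."""
    v, f = parse_version(version), parse_version(fixed)
    if v is None or f is None:
        return None
    return v < f  # tuple comparison is numeric, field by field


def audit(inventory: str) -> dict:
    """Classify 'hostname<TAB>version' lines into three buckets."""
    report = {"vulnerable": [], "patched": [], "unparsed": []}
    for line in inventory.strip().splitlines():
        host, _, version = line.partition("\t")
        status = is_vulnerable(version)
        bucket = "unparsed" if status is None else "vulnerable" if status else "patched"
        report[bucket].append(host)
    return report


# Constructed sample inventory (hypothetical hosts, not data from the post).
SAMPLE_INVENTORY = "ws-01\t129.0.6668.100\nws-02\t130.0.6723.58\n" \
                   "ws-03\t130.0.6723.6\nws-04\t131.0.6778.0\nws-05\t130..6723.58\n"

if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in the "unparsed" bucket should be re-inventoried rather than assumed patched.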

In conclusion, CVE-2024-9964 is an inappropriate implementation in Payments in Google Chrome prior to version 130.0.6723.58 that allows remote attackers to perform UI spoofing via a crafted Chrome Extension. By understanding this weakness and taking preventive measures, users can minimize the chances of being compromised by such vulnerabilities.

Timeline

Published on: 10/15/2024 21:15:12 UTC
Last modified on: 10/17/2024 20:30:09 UTC