Google has patched this vulnerability in Google Chrome Stable channel. Users are advised to update their installations as soon as possible. In addition to that, users should keep a close eye on their Autofill implementation and verify that it is implemented securely. From RedTeam Labs’ own research, it appears as though some implementations are still at risk of a successful attack. We encourage you to implement Autofill securely and responsibly.
What is Autofill?
Autofill is a function that can store data for future use. It is found in most web browsers, and in Google Chrome it is a very useful tool for people to remember things like addresses and credit card information. In this example, we're going to discuss how the CVE-2022-0109 vulnerability left Autofill vulnerable to a successful attack.
In order to exploit this vulnerability, the attacker would need to trick the victim into visiting an attacker controlled website. This could be accomplished via social engineering or by disguising their own website as something the victim would trust. Once on the site, the victim would have to enter their username and password into fields that are not Autofill enabled. This would then allow the attacker access to all of the saved username/password combinations stored on your machine by Autofill.
Summary of Google Chrome Autofill Vulnerability
Google Chrome users are advised to update their installations as soon as possible. The vulnerability, CVE-2022-0109, is one of the worst vulnerabilities ever found in Google’s browser. The vulnerability is an “injection attack”; attackers can inject malicious code into a webpage and compromise the Autofill implementation. It’s likely that this vulnerability will be the cause of many attacks from malware creators in the future. It is important that users keep a close eye on their Autofill implementations and ensure they are implemented securely
Google has released a new version of Chrome
Google has released a new version of Chrome, which patched the vulnerability CVE-2022-0109. This vulnerability was discovered by RedTeam Labs and is related to Autofill in Chrome.
The patch for CVE-2022-0109 had been included in Google’s July 2019 update for Chrome, which was pushed out to users on August 1st.
Timeline
Published on: 02/12/2022 00:15:00 UTC
Last modified on: 04/19/2022 03:28:00 UTC
References
- https://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
- https://crbug.com/1261689
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PAGL5M2KGYPN3VEQCRJJE6NA7D5YG5X/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQJB6ZPRLKV6WCMX2PRRRQBFAOXFBK6B/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRWRAXAFR3JR7XCFWTHC2KALSZKWACCE/
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0109