Vulnerability explanation

A remote attacker could host a specially crafted website that is accessed through the Chrome browser on an Android device and could potentially trick a user into entering personal information within the Omnibox by reading the text. This issue affected all Android versions prior to version 4.4.4, including Android O. Google released Android O with an updated version of Chrome that removes this issue. Due to incorrect assumptions made in the original patch, this issue was not properly addressed in the Android O update to Chrome, which resulted in it being reintroduced via the same patch in Android WebView.
This vulnerability has been mitigated in Chrome version 63, released on November 15th, 2017, as well as in updated versions of the application. An attacker would need to target a vulnerable device running WebView, which is a component of both stock and third-party apps available for download on the Google Play Store or other app markets.

Vulnerability overview

An issue was discovered in the Open Source Edition of Google Chrome, where a user could become a victim of a "Universal XSS (UXSS)" vulnerability. In particular, an attacker could use a website that is accessed through the Chrome browser on an Android device to manipulate the Omnibox and trick the user into entering personal data within the Omnibox.
The issue was introduced in Google Chrome version 42.0.2311.90 as part of an attempt to address CVE-2019-11477.
Due to incorrect assumptions made by the original patch, this issue was not properly addressed in the update to Chrome for Android 4.4.4 and below and resulted in it being reintroduced via an updated version of the patch in Android WebView version 47.

Vulnerability summary

Google released a patch for CVE-2022-0455 on March 27, 2018. The patch removed the vulnerability from Android WebView in all versions of Android prior to 4.4.4; however, it reintroduced the vulnerability via a different vector in Android O and Chrome when updated to version 66.0.3359.117 (from 66).

The vulnerability was introduced via an incorrect patch in Google's release of the update for the issue, and then was reintroduced via the same patch in Google's release of the update for the issue in Android O and Chrome when updated to version 66.0.3359.117 (from 66).

Vulnerable Code

The vulnerability allowed a remote attacker to trick a user into entering personal information by reading the text in the Omnibox. The issue was introduced by Google as part of their fix for CVE-2022-0455.

This vulnerability has been fixed in Android O.

Timeline

Published on: 04/05/2022 01:15:00 UTC
Last modified on: 04/11/2022 09:35:00 UTC
