Published: [June 2024]


When browsing the web on Android, you rarely think about the trust you place in the URL bar (also called the Omnibox) at the top of your Chrome browser. This little box is supposed to tell you exactly where you are. But what if it lies? In this post, we break down CVE-2022-3447, a high-severity vulnerability in Google Chrome's Custom Tabs before version 106..5249.119 that allowed attackers to spoof the contents of that Omnibox and trick users into revealing sensitive details.

What Is CVE-2022-3447?

In simple terms, CVE-2022-3447 refers to a bug in Google Chrome for Android. Specifically, it affected the Custom Tabs feature — those lightweight browser windows apps use to display web content without launching the full Chrome browser. Before Chrome version 106..5249.119, a remote attacker could craft an HTML page that makes the Omnibox display a fake or misleading URL.

Here’s the catch: users could be tricked into thinking they're looking at a trusted site (like “google.com”), while in reality, they're on a page controlled by an attacker. That opens the door to phishing, fraudulent forms, or credential theft.

Technical Details: How Did the Bug Work?

The root of this vulnerability was inappropriate input validation and inadequate isolation in Custom Tabs. Custom Tabs are commonly used by Android apps to give users a polished browsing experience, but prior to the fix, they did not always guarantee that the Omnibox matched the underlying website. The attack flow is:

1. The victim opens a link from within an app that displays it in a Custom Tab, which loads the attacker's crafted HTML page.
2. The crafted HTML page uses tricks (like redirects or overlaps) to manipulate the Custom Tab's Omnibox, making it display a misleading URL.

Example Attack: Simple Proof-of-Concept

Below is a simplified proof-of-concept (PoC) that uses a meta refresh to redirect the user, as well as a visually similar, but different, domain:

<!-- attacker.html (simplified PoC) -->
<html>
  <head>
    <title>Legit Site</title>
    <!-- 0-second meta refresh into a data: URL whose script navigates to a
         double-encoded URL (%252F decodes to %2F and then to "/";
         %250A / %250D decode to newline / carriage return) -->
    <meta http-equiv="refresh"
          content='0;URL=data:text/html,<script>location.replace("https://trusted.example.com%252F%250A%250D%250A%250D%250A%250D%250A");</script>'>
  </head>
  <body>
    <h1>Loading... Please wait</h1>
  </body>
</html>

What does this do?

- It redirects to a URL with encoded characters, which Chrome's Custom Tab misinterprets, showing part of the URL as "https://trusted.example.com", even though you're still viewing attacker-controlled content.
- It bypasses user skepticism, as the visual cues they depend on are faked.

When combined with convincing design and social engineering, this bug could easily lead to mass credential thefts or fraud.
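As an added, defender-side example (not code from the original post or from Chromium), the following Python helper percent-decodes a URL layer by layer and flags the indicators the PoC above relies on: double encoding, CR/LF control characters that appear only after decoding, and a second URL nested inside a data: or javascript: URL. The sample URLs are constructed for illustration.

```python
"""Flag URLs that a URL bar should not render verbatim (added example)."""
from urllib.parse import unquote, urlsplit

MAX_DECODE_ROUNDS = 3                     # bound the work: attackers can nest encodings
CONTROL_CHARS = {"\r", "\n", "\t", "\x00"}  # characters that break the Omnibox layout


def decode_layers(url: str, max_rounds: int = MAX_DECODE_ROUNDS) -> list:
    """Return [url, unquote(url), unquote(unquote(url)), ...] up to a fixed point."""
    layers = [url]
    for _ in range(max_rounds):
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:          # nothing left to decode
            break
        layers.append(nxt)
    return layers


def spoof_indicators(url: str) -> dict:
    """Describe why a URL looks like an Omnibox-spoofing attempt."""
    layers = decode_layers(url)
    final = layers[-1]
    outer = urlsplit(url)
    # A trusted-looking host inside a data:/javascript: URL (as in the PoC) is a
    # second URL the bar may show while the page itself is attacker content.
    body = final[len(outer.scheme) + 1:] if outer.scheme else final
    nested = outer.scheme in ("data", "javascript") and "://" in body
    result = {
        "decode_rounds": len(layers) - 1,
        "double_encoded": len(layers) > 2,          # needed two decodings to settle
        "control_chars": any(c in final for c in CONTROL_CHARS),
        "nested_url": nested,
    }
    result["suspicious"] = any(result[k] for k in ("double_encoded", "control_chars", "nested_url"))
    return result


if __name__ == "__main__":
    # Constructed samples: the PoC's target URL and a benign login redirect.
    samples = [
        "https://trusted.example.com%252F%250A%250D%250A%250D%250A%250D%250A",
        "https://example.com/login?next=%2Fhome",
    ]
    for s in samples:
        print(s, "->", spoof_indicators(s))
```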

References

- Chromium Security Tracker: CVE-2022-3447 at Chromium Bug Tracker
- Chrome Release Note: Chrome 106..5249.119 Stable Update for Android
- CVE Details: NVD: CVE-2022-3447

Patch and Recommendations

Patched in: Google Chrome for Android 106..5249.119 and later.

- Update Your Browser: Always keep Chrome up-to-date on your Android device.
- Check Before You Tap: Be wary of URLs, especially when opening links from within third-party apps.
- Look for Suspicious Behavior: If a login page looks odd, or if you're asked for credentials unexpectedly, navigate directly to the site through the Chrome app, not a link.

Summary

The URL bar is a major trust signal for users — and with CVE-2022-3447, that trust was put in jeopardy. By exploiting Custom Tab’s handling of URLs, attackers could make their malicious site appear legitimate. Google patched the bug quickly, but it’s a good lesson in why keeping apps updated (and doubting what you see) is important.

*If you found this post useful, share it and help raise awareness about mobile security.*

Timeline

Published on: 11/09/2022 19:15:00 UTC
Last modified on: 11/11/2022 02:17:00 UTC