CVE-2023-0133 - How a Permission Prompt Flaw in Chrome for Android Allowed Attackers to Hijack Permissions

In early 2023, Google fixed a security issue known as CVE-2023-0133 in Google Chrome for Android. This medium-severity vulnerability involved a flaw in the way Chrome handled permission prompts, meaning a malicious website could bypass important security checks. In this post, we'll break down how the bug worked, give a concrete example, explain how attackers could use it, and provide links to further reading.

What Was the Problem?

When you visit websites on your Android phone using Chrome, sometimes a page will ask for access to your camera, microphone, or location. Chrome is supposed to *ask* you and make sure the site is allowed to ask. There are tough rules to make sure a site can't trick you or use permissions it shouldn't have.

But starting in versions before 109..5414.74, Chrome for Android didn't fully check who was actually asking for permission. This happened if a site tricked Chrome with a cleverly designed (crafted) HTML page. That meant a website could *pretend* to be trusted, and get access to stuff like your camera (if you hit "Allow"), even if the “real” page wasn’t supposed to have that right.

*In other words: the main origin permission delegation—the system that checks which site gets the permission—could be bypassed.*

User privacy at risk — Sites could get unwanted access to private info or sensors.

- Phishing attacks easier — Malicious pages could look like someone else, ask for permissions, and access your device.
- Users more likely to get tricked — Because they’d see a permission prompt that looked normal, but came from an attacker.

The Normal Flow

Usually, when a site in your browser wants a permission (like geolocation), Chrome checks which site is running ("main origin"). If it's in an iframe, and that frame tries asking for permission, Chrome checks: *Is the parent site allowed to ask?* If not, the request is ignored.

The Bypassed Flow (The Bug)

In this bug, a specially crafted HTML page with iframes or popups could trick Chrome. Chrome would incorrectly attribute the permission request to the outer, trusted site, even though it came from an untrusted, embedded frame.

Let’s look at a simplified example

<!-- attacker.com hosting an iframe to trusted-site.com -->
<iframe src="https://trusted-site.com/permission-helper.html"></iframe>;

If the code inside permission-helper.html tried this

navigator.geolocation.getCurrentPosition(function(position) {
    // handler code
});

In vulnerable Chrome versions, Chrome might *not* check that attacker.com is the real source. So, users thought they were granting permissions to the trusted site, but they were really giving it to the attacker.

Code Example

Here’s a minimal example of how an attacker could exploit this.

1. The Attacker's Page (attacker.com)

<!-- fake.html on attacker.com -->
<!DOCTYPE html>
<html>
  <body>
    <iframe id="thief" src="https://trusted-site.com/"></iframe>;
    <script>
      // Attacker sets up an event listener to receive data from the iframe
      window.addEventListener('message', function(e) {
        // attacker grabs the user's location
        if (e.data && e.data.location) {
          console.log("Stolen location:", e.data.location);
        }
      }, false);
    </script>
  </body>
</html>

Supposing https://trusted-site.com/ has

// trusted-site.com/permission-helper.html
navigator.geolocation.getCurrentPosition(function(position) {
    // Pass position to parent
    parent.postMessage({location: position}, '*');
});

In old versions of Chrome, the user sees a location prompt that looks like for the parent (attacker.com) but even if they trust trusted-site.com, the attacker now gets their precise location!

Set up a fake site with an iframe to a trusted business, Google login, or similar page.

- Prompt the user for permissions (camera, mic, geolocation) using the iframe trick, making it look more trustworthy.

How Was It Fixed?

Google recognized the flaw and, in Chrome 109..5414.74 and newer, updated Chrome to enforce strict origin checks. Now, Chrome always verifies that the *top* site and the site actually showing the prompt are the same, so attackers can't abuse a third-party frame.

We recommend updating Chrome on Android to the latest version to stay safe.

References and Further Reading

- CVE-2023-0133 - NVD
- Chromium Issue 1391047 (Bug report) *(Restricted, summary visible)*
- Chrome Releases: Stable Channel Update for Desktop/Android 109..5414.74
- Google’s General Permission Delegation Docs

Conclusion

CVE-2023-0133 was a sneaky bug that attacked the basic trust Chrome users put in browser permissions. By fixing the way permission prompts were handled in Android Chrome, Google closed the loophole before it could become a widespread threat.

If you haven’t updated your browser recently, *please* do — and be careful with permission prompts, even if the website seems familiar!

Timeline

Published on: 01/10/2023 20:15:00 UTC
Last modified on: 01/13/2023 14:06:00 UTC