On March 7, 2023, Google patched a medium-severity security bug in Chrome affecting all platforms prior to version 111..5563.64. Assigned CVE-2023-1229, the issue stemmed from an inappropriate implementation in the way Chrome handled permission prompts (for example, when a website asks for access to your microphone or location). This bug let attackers trick Chrome into ignoring normal restrictions that stop bad sites from navigating a user’s browser, potentially leading to phishing or unwanted redirections.
In this article, we’ll break down what happened, how an attacker could exploit it using simple HTML and JavaScript, and what you can do to stay protected.
What is the “Permission Prompt Bypass”?
Normally, when you visit a webpage and it tries to move you somewhere else (navigation), Chrome has protections to make sure you don’t get sent somewhere dangerous—especially if this is being done without your action. But the code handling permission prompts didn’t always play nicely with these protections. By combining a permission prompt (like a request for camera access) with navigation code at just the right moment, a malicious webpage could sidestep these restrictions and take the user anywhere the attacker wanted, even if Chrome was supposed to block such movement.
An attacker tricks a victim into opening a crafted website (maybe via an email link).
2. The site immediately shows a fake or real permission request (like “Allow this page to use your location?”).
3. At the exact moment the user interacts with the permission prompt (or maybe even without real user interaction, depending on the exploit), the site runs special JavaScript to force the browser to navigate to an attacker-controlled URL.
4. Chrome has a logic gap here: it temporarily lifts navigation guards to handle the permission prompt, unintentionally allowing sneaky redirects.
Below is a simplified code snippet emulating how an attacker might abuse this problem in pre-111 Chrome builds.
<!-- malicious.html -->
<!DOCTYPE html>
<html>
<head>
<title>Malicious Permission Prompt</title>
<script>
function triggerPermissionAndNavigate() {
// Trigger a permission prompt (notifications is commonly used)
Notification.requestPermission().then(function(permission) {
// Right after user interacts with the prompt, redirect somewhere malicious
window.location.href = "https://attacker.com/";;
});
}
window.onload = triggerPermissionAndNavigate;
</script>
</head>
<body>
<h1>This site wants to show notifications</h1>
</body>
</html>
This code asks for permission to send notifications. When the user answers (either "Allow" or "Block"), Chrome normally restricts the website’s ability to immediately navigate the browser. But due to CVE-2023-1229, that restriction didn’t always work, so the attacker could force the browser to visit attacker.com immediately after the prompt.
User interacts with the prompt—maybe clicking “Block” to be safe.
4. Attacker’s script hijacks navigation, sending the browser to a phishing website or a page with drive-by exploits.
This could be used for phishing, fake login screens, or even malware delivery—skipping the usual Chrome warnings and restrictions around unexpected navigation.
Real-World Impact
- Users could be tricked into thinking a navigation was legit, since it happened only after a permission prompt.
Timeline & Fix
- Bug reported: Chromium Issue 1411703 (public version now describes the flaw)
- Patched in: Chrome 111..5563.64 (Chrome Release Notes)
- CVE Details: NIST NVD CVE-2023-1229
References & Further Reading
- Chromium Bugs - Issue 1411703 (Permission Prompt Navigation Bypass)
- Official Chrome Security Fix Release Blog (March 7, 2023)
- NIST CVE-2023-1229 Record
Final Thoughts
CVE-2023-1229 is a great example of how even "medium" bugs can have a big impact by giving attackers a sneaky way around browser protections. Permission prompts are supposed to protect your privacy, but a tiny logic bug let attackers turn them into a weapon. If you’re running an up-to-date Chrome browser, you’re safe—but if someone or your organization lags on updates, you’re still at risk.
Timeline
Published on: 03/07/2023 22:15:00 UTC
Last modified on: 03/11/2023 02:34:00 UTC