In March 2023, Google patched a security bug in Chrome for Android (versions before 111..5563.64) related to its Autofill feature. Tracked as CVE-2023-1231, this vulnerability allowed a remote attacker to spoof (fake) the contents of the omnibox—the address bar users rely on to check a website’s authenticity. Let’s break down how this bug worked, how it could be exploited, and what you can do to stay safe.
Severity: Medium
- How It Works: A crafty HTML page could trick the browser into displaying fake information in the omnibox (address bar), making phishing easier.
What Is The Omnibox?
The omnibox is the combined search and address bar at the top of Chrome. It tells you which website you’re on and helps you search the web. Spoofing this means an attacker could trick you into thinking you’re on a trusted site—when you’re not.
The Vulnerability Explained
The core problem was an inappropriate implementation of Autofill handling in Chrome for Android. When visiting a malicious web page, attackers could manipulate autofill events in such a way that the omnibox shows misleading information.
The exploit involved crafting an HTML page that triggers autofill at just the right time, making the omnibox display a spoofed URL or site name that looks real but isn’t.
Technical Details & Proof-of-Concept
When a user interacts with a form that triggers Autofill, Chrome can sometimes briefly update the display of the omnibox. On Android, handling of this event wasn’t robust enough. With a carefully timed sequence, attackers could inject content that, for a second or longer, replaced the visible text in the omnibox.
Here’s a simplified exploit snippet to show the concept.
<!-- exploit.html: a crafted page to abuse Autofill -->
<!DOCTYPE html>
<html>
<head>
<title>Fake PayPal Login</title>
</head>
<body>
<form>
<input id="user" name="username" autocomplete="username" placeholder="Email or phone">
<input id="pass" name="password" type="password" autocomplete="current-password" placeholder="Password">
<button onclick="triggerAutofill()">Login</button>
</form>
<script>
function triggerAutofill() {
// Prompt autofill at a moment that confuses Chrome's omnibox rendering
document.getElementById('user').focus();
setTimeout(() => {
document.getElementById('pass').focus();
// Now, quickly redirect or spoof
window.location.hash = "#LoggedIn"; // or something more sneaky
}, 100);
}
</script>
</body>
</html>
A page like this could send quick autofill triggers and manipulations, making the browser momentarily show a fake or otherwise trusted URL in the omnibox or a misleading title. A real attacker would use more polished timing and UI tricks.
Note: Real-world exploits would be more complex and may use iframes, window pop-ups, and styles to hide clues.
Official References
- CVE-2023-1231 on NIST NVD
- Chromium Release Blog (March 2023)
- Google Chrome Security Advisories
How Was It Fixed?
Google fixed this by tightening how Chrome handles autofill events and updates the omnibox on Android. Now, even with crafted timing, the omnibox can’t be easily spoofed.
Be Cautious: Don’t trust a page just because the omnibox looks right.
- Double-Check URLs: Especially for banking or logins, check whether the domain is correct—don’t rely just on the page’s appearance.
The Takeaway
CVE-2023-1231 is a great example of how small bugs in complex features like autofill can let attackers trick users. Updating your browser is the best way to protect yourself. For security researchers, it’s a reminder: even innocent-looking UI updates can be risky if misused.
Always keep your software updated—and stay alert!
Timeline
Published on: 03/07/2023 22:15:00 UTC
Last modified on: 03/10/2023 20:44:00 UTC