In early 2023, researchers discovered a subtle, but interesting, security vulnerability—CVE-2023-1234—within Google Chrome for Android. This flaw was caused by a not-so-careful way the browser handled *Intents*, a system Android uses to pass info between apps. In this post, we’ll break down what this vulnerability was, how it worked, and what it means for you (the user or developer). We’ll look at sample code, show how attackers could exploit it, and share detailed sources for your own deep dive.
Short summary: Before version 111.0.5563.64, Chrome on Android could be tricked by a hostile website into showing a spoofed address bar, allowing phishing attacks and user confusion.
What Are Intents, Anyway?
On Android, “Intents” are a way for apps to ask each other to do things. For example, if you tap a link in an email, the email app sends an *Intent* to Chrome to open that link.
Developers have to be careful to *validate* Intents—otherwise, bad actors can sneak in weird data that confuses or misleads users. That’s what happened here.
- Attack vector: Remote attacker via a crafted HTML page.
- Impact: Domain spoofing. Malicious sites could make Chrome’s address bar show whatever domain they wanted.
How the Exploit Works
The root of the problem lies in how Chrome for Android handled so-called “View” intents. By abusing the way Chrome started new tabs or windows from certain HTML/JavaScript tricks, attackers could “inject” a different address into the toolbar (i.e., the place you look for the site's address) than the one the browser was really showing.
1. The attacker sets up a malicious website (let’s call it evil.com).
2. They create an HTML page that uses JavaScript to open a crafted Intent with a different target URL, say, google.com.
3. Chrome opens the new tab and, due to the flawed logic, displays google.com in the address bar—*even though* the content is still from evil.com.
Proof-of-Concept Code (POC)
Below is a sample HTML file that could be used to demonstrate this kind of bug. This won’t work in up-to-date Chrome (111.0.5563.64 and later), but it illustrates the logic.
```html
<!-- evil.com/spoof.html -->
<!DOCTYPE html>
<html>
<head>
  <title>Domain Spoofing Demo (CVE-2023-1234)</title>
</head>
<body>
  <h1>This page pretends to be another site!</h1>
  <button onclick="spoof()">Spoof the address bar</button>
  <script>
    function spoof() {
      const intentUrl = 'intent://www.google.com#Intent;scheme=http;end';
      window.location.replace(intentUrl);
    }
  </script>
</body>
</html>
```
*Here, clicking the button would redirect Chrome to a crafted Intent URI. Due to the bug, Chrome might display “www.google.com” in the address bar, even though the content came from evil.com.*
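A defensive counterpart to the demo page, added here as an example (not code from the original post or from Chromium): a Node.js triage heuristic that pulls `intent:` URIs out of fetched page source and flags those that name a web target on a different host than the one that served the page. The function names, the heuristic itself and the sample HTML are assumptions made for illustration.

```javascript
// Added example: triage heuristic, not Chrome's or the page author's code.
// Intent URI form: intent://HOST/PATH#Intent;key=value;...;end

function parseIntentUri(uri) {
  const m = /^intent:(?:\/\/)?([^#]*)#Intent;(.*)$/i.exec(uri);
  if (!m) return null;
  const fields = {};
  for (const part of m[2].split(';')) {
    const eq = part.indexOf('=');
    if (eq <= 0) continue; // skips "end" and empty segments
    fields[part.slice(0, eq)] = part.slice(eq + 1);
  }
  let host = null;
  try {
    // Parse as http only to reuse the URL parser's host normalisation.
    host = new URL('http://' + m[1]).hostname || null;
  } catch (_) { /* malformed authority: leave host null */ }
  return {
    host,
    scheme: (fields.scheme || '').toLowerCase(),
    package: fields.package || null,
  };
}

function findCrossSiteIntents(html, servingUrl) {
  const servingHost = new URL(servingUrl).hostname;
  const findings = [];
  for (const [uri] of html.matchAll(/intent:[^\s"'<>]+/gi)) {
    const parsed = parseIntentUri(uri);
    if (!parsed || !parsed.host) continue;
    const isWeb = parsed.scheme === 'http' || parsed.scheme === 'https';
    // Web-scheme target on another host with no explicit app package:
    // the shape used by the demo page, worth a manual look.
    if (isWeb && !parsed.package && parsed.host !== servingHost) {
      findings.push({ uri, targetHost: parsed.host, servingHost });
    }
  }
  return findings;
}

// Constructed sample input: the demo's intent URI plus a benign app link.
const SAMPLE_HTML = `
<script>
  const a = 'intent://www.google.com#Intent;scheme=http;end';
  const b = 'intent://scan/#Intent;scheme=zxing;package=com.google.zxing.client.android;end';
</script>`;

console.log(findCrossSiteIntents(SAMPLE_HTML, 'https://evil.com/spoof.html'));
```

A hit is a prompt for manual review, since sites also use `intent:` links legitimately to hand off to their own apps.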
Why Is This Dangerous?
- Phishing attacks: Attackers could make a page *look* like it’s from a trusted domain (like google.com), but actually serve malicious content.
- Credential theft: Unsuspecting users might enter passwords or other sensitive info, believing they are on a trusted site.
Google’s Fix
With the release of Chrome 111.0.5563.64, Google patched the issue by making sure Intents could no longer override the visible part of the URL bar in this way.
References & Further Reading
- Chromium Bug 1411837 – Domain spoofing in Intents (CVE-2023-1234) *(May need a Chromium account)*
- Google Chrome Releases – Stable Channel Update for Android
- Google Chrome Security Advisories
Final Thoughts
While CVE-2023-1234 was labeled as “low” severity, it highlights just how creative attackers can get—even minor UI bugs can lead to user deception. Always keep your browsers up to date, and be careful where you enter your passwords!
Stay safe and stay patched!
Timeline
Published on: 03/07/2023 22:15:00 UTC
Last modified on: 03/10/2023 20:22:00 UTC