In August 2023, security researchers uncovered a significant vulnerability in Google Chrome’s Autofill feature on Android devices. This bug, tracked as CVE-2023-4361, let remote attackers bypass Autofill restrictions using a sneaky HTML trick. If you’re curious about browser security or just want to understand how hackers get around our everyday protections, this post breaks it down in easy terms, with code, references, and a peek behind the curtains.
Bug: Inappropriate implementation of the Autofill feature
- Summary: Crafted web pages could fool Chrome into filling in sensitive information (like emails, names, or even passwords) on untrusted sites, *even when restrictions were supposed to stop this*.
> Vulnerability ref: Chromium Issue 1467568
Understanding Autofill — And Its Risks
Chrome’s Autofill is supposed to save us time by remembering frequently entered info like our name, email, address, etc. It’s designed to only fill out forms that seem trustworthy. For example, websites are supposed to label their HTML form fields in a way that tells Chrome “Yes, this is a real email input, please fill it in.”
But under the hood, browsers use code and rules to check these requests. When these rules aren’t tight enough, tricksters can slip through the cracks.
How Did Hackers Exploit It?
Attackers would create a web page that looks innocent, but crafts its HTML forms in a very specific way. Chrome’s Autofill code would get fooled, and fill in restricted info even if Chrome’s own settings would normally block it.
The trick was all about how Chrome decided *whether* to offer autofill for a particular input field. If the browser couldn’t tell the difference between a legit form and a sneaky one, it got bypassed.
Suppose you visit a shady web page. This is the kind of code an attacker might use
<!-- Malicious HTML form to trigger Autofill -->
<form autocomplete="on">
<input type="text" name="email" autocomplete="username" placeholder="Enter your email">
<input type="password" name="pass" autocomplete="current-password" placeholder="Enter your password">
<button type="submit">Submit</button>
</form>
In some cases, attackers would use extra attributes or try funny field names
<!-- Trying odd field names or hiding the fields -->
<form>
<input type="text" name="usernmae" style="display:none" autocomplete="username">
<input type="password" name="pssword" style="display:none" autocomplete="current-password">
</form>
What happened next:
Chrome, confused by the crafted form field names or the specific combination of HTML attributes, supplied saved email addresses, names, and other autofill data—even when the form shouldn’t have qualified!
How Was It Fixed?
Google patched this bug in Chrome 116..5845.96 in August 2023. The fix tightened the browser’s logic, making sure only safe, correctly marked fields get autofill data.
Official References
- Chromium bug report: https://bugs.chromium.org/p/chromium/issues/detail?id=1467568
- Chrome Release Blog: https://chromereleases.googleblog.com/2023/08/stable-channel-update-for-android.html
- NIST NVD DB: https://nvd.nist.gov/vuln/detail/CVE-2023-4361
Update Chrome: Always run the latest version of Chrome on your Android device.
2. Check Autofill settings: Go to Settings > Autofill and payments and review what info is stored.
3. Be cautious: Don’t enter personal info on sketchy-looking sites—even if Chrome offers to fill it in.
Conclusion
CVE-2023-4361 shows how even powerful, widely-used features like Chrome’s Autofill can turn dangerous when implementation slips. A carefully-crafted HTML page can do a lot more than you might expect! Stay safe online, keep things updated, and always be cautious about where your browser offers to help.
*This write-up is exclusive and written in simple American English, compiling details from public sources for educational awareness.*
Timeline
Published on: 08/15/2023 18:15:00 UTC
Last modified on: 08/21/2023 17:54:00 UTC