In August 2023, security researchers uncovered a high-severity vulnerability in Google Chrome: CVE-2023-4764. This bug wasn't about stealing your data outright or dropping malware on your system—instead, it allowed attackers to trick users by spoofing the contents of Chrome's Omnibox (the address bar) using the BFCache mechanism.

In this exclusive long read, let's break down what went wrong, how the exploit works, and what you need to know to keep safe.

What Exactly Is BFCache?

BFCache stands for "Back/Forward Cache." It's a feature in modern browsers (including Chrome) designed to make web browsing much faster. When you hit the back or forward buttons, the BFCache can instantly reload pages without re-downloading or re-executing JavaScript, making navigation nearly instantaneous.

- How It Works: When you leave a page, instead of unloading everything, Chrome freezes the page in memory. If you return, the page comes back in exactly the same state.
- Why It Matters: This "freeze and revive" system adds complexity—and, as CVE-2023-4764 showed, creates opportunities for bugs.

The Core Problem: Incorrect Security UI

Security UI refers to all those little trust signals in your browser, especially the contents of the Omnibox (URL bar). Users rely on this to know what site they're really on.

> CVE-2023-4764: Incorrect security UI in BFCache in Google Chrome prior to 116..5845.179 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: High)

In simple terms: An attacker could load a page, manipulate Chrome's BFCache behavior, and then make Chrome show a *trusted* URL in the Omnibox while showing untrusted or malicious content in the main window.

3. Evil.com runs some JavaScript, then uses window.history.back() to return the user to good.com.
4. But due to the BFCache bug, the URL bar still shows good.com while the visible content is *controlled by evil.com*.

attacker.html (hosted on evil.com)

```html
<!DOCTYPE html>
<html>
  <body>
    <h1>Welcome to Evil.com</h1>
    <script>
      // Wait for a user event or a short delay before triggering the navigation
      setTimeout(function() {
        // Go back in history to the previously visited page (good.com)
        window.history.back();
      }, 300);
    </script>
  </body>
</html>
```

- The attacker can display any fake login form, message, or phishing UI they want.
- But the browser's URL bar ("Omnibox") displays the *previous site's* URL (good.com), so the victim thinks they're safely back on the trusted site.

Real-World Attack Scenarios

- Phishing: Crafty attackers can create login screens or other forms that appear genuine, tricking users into entering passwords or personal info.
- Authorization Bypass: Users may perform sensitive actions, believing they're on the actual, secure site.
- Brand Spoofing: Any site or service could have its interface mimicked, with the trusted URL in place.

Fix Status

Google fixed this vulnerability in Chrome version 116..5845.179 and later. All users are strongly urged to update.

> References:
> - Official Chrome security advisory: Chromium Issue 1471908
> - CVE record: CVE-2023-4764 at NVD
> - Chrome Release Notes: Stable Channel Update for Desktop, 2023-08-23

- Update Chrome now to the latest version.

- Be wary of suspicious page transitions. If something feels off—like a trusted site acting weird after going back—navigate to it manually.

TL;DR

CVE-2023-4764 showed just how subtle and powerful browser bugs can be. By exploiting quirks in Chrome's back/forward caching, attackers could fool even savvy users by faking the URL bar—a critical trust indicator in web browsing.

Stay updated, stay sharp—and always double-check where you really are on the web.


Timeline

Published on: 09/05/2023 22:15:00 UTC
Last modified on: 09/08/2023 23:41:00 UTC