CVE CyberSecurity Database News

CVE-2023-4905 - How a Simple HTML Trick Fooled Google Chrome’s Security Prompts

Poster -

---

Introduction

There’s always a new vulnerability out there, but some bugs stand out because they trick us at the interface level—the very place where users trust their security. CVE-2023-4905 is one of those vulnerabilities, affecting Google Chrome before version 117..5938.62. In this long read, I’m breaking down this issue for everyone, from the “security-curious” to budding pentesters. You’ll see code snippets, exploit details, and find all the essential reference links.

What is CVE-2023-4905?

This bug revolves around Prompts in Google Chrome. Before Chrome version 117..5938.62, a crafty attacker could manipulate browser security prompts using a specially-crafted HTML page. This method lets a remote attacker spoof security UI, tricking users into performing actions while believing they're interacting with a secure part of Chrome.

> Chromium security severity: Medium
> Impact: Security prompt spoofing via crafted HTML

How Does the Vulnerability Work?

When Chrome displays security-related prompts (like password dialogs, popups requesting permissions, etc.), users trust that these prompts are authentic and controlled by their browser—not a random website. But, due to an inappropriate implementation in Prompts, a malicious site could make its own fake prompt using HTML and CSS, and style it to look like the real deal.

Key Issue

Chrome did not sufficiently prevent web content from mimicking or overlaying the native security UI, so attackers could easily make fake dialogs convincing enough to fool many users.

Code Snippet – Spoofing a Chrome-Like Prompt

Here’s a super simple example using HTML and CSS. This spoofed prompt looks a lot like Chrome’s own password dialog.

<!DOCTYPE html>
<html>
<head>
  <title>Fake Chrome Prompt</title>
  <style>
    .chrome-prompt {
      width: 340px;
      padding: 20px;
      border: 1px solid #eee;
      border-radius: 8px;
      box-shadow:  5px 35px rgba(,,,.18);
      background: #fff;
      font-family: Arial, sans-serif;
      position: fixed;
      top: 100px;
      left: 50%;
      transform: translateX(-50%);
      z-index: 9999;
    }
    .chrome-prompt .prompt-title {
      font-weight: bold;
      margin-bottom: 8px;
      font-size: 16px;
    }
    .chrome-prompt input[type="password"] {
      width: 90%;
      padding: 7px;
      margin-bottom: 10px;
    }
    .chrome-prompt button {
      background: #4285f4;
      color: #fff;
      border: none;
      padding: 7px 16px;
      border-radius: 4px;
      cursor: pointer;
    }
  </style>
</head>
<body>
  <div class="chrome-prompt">
    <div class="prompt-title">Chrome Security</div>
    <div>Please enter your password to continue:</div>
    <input type="password" placeholder="Password" />

    <button>Confirm</button>
  </div>
</body>
</html>

Try it out (responsibly!):
Open this HTML in Chrome and see how real it looks. An attacker could pop this up any time—even overlay it on top of a real page action—to ask users for credentials, pretending it’s a real security prompt.

User visits malicious website crafted with the above code or something even slicker.

2. The attacker’s code detects certain user actions (e.g., a button click or focus change), then overlays a prompt.
3. The *fake prompt* asks the user for sensitive information: a password, a permission, or even two-factor details.

The user, *believing it’s Chrome*, enters their password.

5. The attacker now has what they need—no browser exploit needed, just clever HTML and predictable browser behavior.

How Was It Fixed?

After being reported (credit: Zhiyang Zeng (ZzZen & Team 360Vulcan)), Chrome’s maintainers improved prompt handling, making it harder for HTML overlays to convincingly mimic or overlay native security UI components. This included measures like:

Restricting JavaScript from overlaying prompt areas or listening in on prompt interactions

- Improving prompt design to make them harder to fully mimic with HTML/CSS alone

We recommend updating Chrome (and any Chromium-based browser) past 117..5938.62.

Update! Always use the latest Chrome version.

- Scrutinize prompts: If something feels off (odd layout, fuzzy edges, missing language/copy differences), don’t enter sensitive info.
- Click the address bar: If the prompt hides the URL, or you can still interact with the page behind it, it’s probably fake.

- Chromium Security Advisory for CVE-2023-4905
- NVD Detail
- Chromium Issue Tracker (may require login)
- Zhiyang Zeng’s 360Vulcan Team

Conclusion

CVE-2023-4905 is a classic “lookalike” UI flaw: simple to exploit, tricky to spot, and potentially harmful to anyone who places too much trust in how browser prompts look. The patch is out—update now—but remember, your own awareness will always be part of the security chain.

Stay alert, and keep your browser at peak protection!

Timeline

Published on: 09/12/2023 21:15:08 UTC
Last modified on: 10/17/2023 19:54:42 UTC