CVE-2023-5851 - How Chrome’s Download UI Was Fooled and Why It Matters

On October 25, 2023, Google released a security update for Chrome, noting a fix for CVE-2023-5851—a bug in the Downloads component. This flaw was scored as “Medium” severity, but for the average user the details rarely come to light. Let’s break down what this bug was, how an attacker could abuse it, and what it means for browser safety.

What Is CVE-2023-5851?

CVE-2023-5851 is a vulnerability found in Google Chrome versions before 119..6045.105. Here, Chrome’s download handling mechanism could be manipulated by a malicious website to show misleading information to users—basically a UI (User Interface) deception.

Attackers could craft a tricky HTML page where the real intent of a download got hidden behind trustworthy-looking UI elements. This might prompt a user to approve a download or action, believing it’s safe—when in reality, it isn’t.

Where Did Google Say This?

- Google Chrome Release Notes for Version 119..6045.105
- Chromium Bug Tracker #1499189 (may be restricted, as security bugs often are)
- NIST National Vulnerability Database Entry

The Vulnerability: How Did it Work?

This flaw didn’t allow hackers to break into your computer or run code outright. Instead, it was a matter of *visual trickery*: making Chrome’s download UI display something *other* than what was genuinely happening.

It’s all about trust: Chrome’s security UI—like its download bar and security warnings—are meant to help users spot danger. By exploiting this bug, a website could “cover up” those UI elements or present them in a context that made them look less dangerous or even helpful.

Technical Example

Imagine a site that uses creative HTML and JavaScript to launch a download, but wraps it in fake security messages or trusted branding. Here’s a simplified version:

<!DOCTYPE html>
<html>
<head>
<style>
/* Fake Chrome-looking bar over your real Chrome bar */
#fake-download-bar {
    position: fixed;
    bottom: ;
    left: ;
    width: 100vw;
    height: 48px;
    background: #eee;
    border-top: 1px solid #ccc;
    display: flex;
    align-items: center;
    justify-content: left;
    font-family: Arial, sans-serif;
    z-index: 999999;
}
#fake-download-bar img {
    margin:  8px;
}
</style>
</head>
<body>
<button onclick="triggerDownload()">Download File</button>
<div id="fake-download-bar" style="display:none;">
  <img src="chrome_icon.png" alt="Chrome">
  <span>Download: SafeDocument.pdf</span>
  <button onclick="alert('Opening...')">Open</button>
</div>
<script>
function triggerDownload() {
  // Show fake bar
  document.getElementById('fake-download-bar').style.display = 'flex';
  // Trigger a download (for demo, uses a harmless file)
  var link = document.createElement('a');
  link.href = 'malware.exe'; // Would be something dangerous in a real attack
  link.download = 'SafeDocument.pdf'; // Misleading filename
  document.body.appendChild(link);
  link.click();
  document.body.removeChild(link);
}
</script>
</body>
</html>

In practice, attackers could use advanced CSS and JS tricks to *perfectly* mimic Chrome’s look and cover up genuine alerts, letting dangerous downloads slip by without proper warning.

Site launches a crafted download using JavaScript and triggers the Chrome download bar.

3. Simultaneously, the site displays a *fake* download bar or “safe” message that mimics Chrome’s UI, covering up the real warning.

User clicks on the fake bar or otherwise ignores the official warning, trusting what they see.

This exploit relies on what’s called a *UI Redressing Attack*—sometimes known as “Clickjacking.” It’s not about breaking code, but about breaking trust.

Why Was This Hard to Fix?

Browsers do their best to keep system-level UI (like download bars and warnings) separate from what webpages can draw with HTML/CSS. But with creative positioning, full-screen tricks, and browser quirks, it’s sometimes possible for a webpage to cover up or mimic Chrome’s UI so users can’t tell the difference.

To fix this, Google tightened up how Download UI elements are presented and made it harder for malicious content to overlap or visually mimic security indicators.

In older versions, Chrome sometimes let pages trigger downloads without enforcing overlays or clears

// Old Chrome Downloads code snippet (simplified)
if (ShouldPromptUser()) {
   // Show download bar to user
   ShowDownloadUI();
   // ...but website could overlay UI and mimic
}

A determined attacker could create a window and overlay fake HTML on top of this, spoofing even the most cautious users.

Who Was At Risk?

Anyone using Chrome before 119..6045.105 on Windows, Mac, or Linux during this window would be potentially vulnerable. Attackers could set up phishing or warez sites, trick users into downloading malware, and cover up the usual warnings.

What Should You Do?

Update Chrome. Chrome updates itself, but you can force an update by going to chrome://settings/help.

Conclusion

While CVE-2023-5851 didn’t allow hackers direct access to your system, it was a clever social engineering trick—using weaknesses in Chrome’s interface to make malware downloads look safe. It’s a reminder that even trusted security indicators can be gamed, and why both browser makers and users need to remain alert.

References and Further Reading

- Chrome Releases: 119..6045.105 Announcement
- CVE-2023-5851 at NIST
- How Chrome Handles Downloads (Chromium Source)
- UI Redressing / Clickjacking Explained (OWASP)

Timeline

Published on: 11/01/2023 18:15:10 UTC
Last modified on: 11/14/2023 03:15:11 UTC