CVE-2023-5859 - Domain Spoofing via Picture-in-Picture in Google Chrome Explained

---

In November 2023, security researchers and the Chromium team disclosed a low-severity but interesting bug tracked as CVE-2023-5859. It targets Google Chrome’s Picture-in-Picture (PiP) feature, allowing crafty attackers to spoof domains and trick users through cleverly made HTML pages. While the flaw has been patched as of Chrome version 119..6045.105, understanding this vulnerability helps us grasp browser UI challenges and web security basics.

Let’s explore what happened, how it worked, see some illustrative code, and look at why UI details matter for safer browsing.

What Is CVE-2023-5859? (In Plain English)

CVE-2023-5859 is a security bug where the Picture-in-Picture (PiP) popup in Chrome didn’t show the right security UI, which let bad guys fake (“spoof”) the website's domain when you popped out a video.

A user is watching a video at “goodsite.com.”

- A malicious local HTML page tricks Chrome into showing a PiP video while hiding where the video really came from.
- The PiP window could display content from “badsite.com” while users might think it’s still from “goodsite.com,” leaving room for scams or confusion.

Severity: It’s low because successful attacks would still need user interaction, can’t be fully remote, and don’t give deep control. But it’s a reminder that even UI elements can be misused.

Source: Chrome Release and Security Note

How the Exploit Worked

When Chrome users clicked a “picture-in-picture” button, some vital browser checks were missing. Attackers could use a local HTML file to play a video from a different domain or a data URI, making the PiP window show arbitrary content—without real browser UI indicators showing where it came from.

User activates PiP; the video pops out.

- The PiP overlay doesn’t clearly show its origin, allowing the attacker to visually spoof (“fake”) any website or service.

This is dangerous because users may trust the PiP window, thinking it belongs to the safe site, while attacks occur in that small window.

Here’s a simple HTML page that could have been used to play with this bug

<!-- Save this as 'poc.html' on your desktop for local use -->
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>PoC: CVE-2023-5859 Demo</title>
</head>
<body>
    <video id="vid" width="480" controls poster="https://trusted.site/logo.png">;
        <source src="https://malicious.site/fake-ui-video.mp4"; type="video/mp4">
        Sorry, your browser doesn't support embedded videos.
    </video>
    <button id="pip-btn">Pop Out to Picture-in-Picture</button>
    <script>
        const video = document.getElementById('vid');
        const pipBtn = document.getElementById('pip-btn');

        pipBtn.onclick = async function() {
            if (document.pictureInPictureEnabled && !video.disablePictureInPicture) {
                await video.requestPictureInPicture();
            }
        }
    </script>
</body>
</html>

Place a fake video source or even a data URI pretending to be from your bank or any critical site, and the PiP window would appear without clear indication of its real source domain.

Why Was This a Problem?

Web browsers need to help us spot when we’re being spoofed or phished — that means their security UI (like address bars, padlocks, origin info) must be clear and correct.

With this bug, the PiP window could display *anything*—a fake login page, a bank notification, etc.—without normal browser security cues. A criminal could record a video that looked exactly like your bank’s site or your email login, and show it in the PiP box. On quick glance, people might trust it and interact.

The browser improves security UI and tracking.

Mitigation: Always keep your browser up to date! Chrome and Chromium-based browsers receive patches rapidly.

References and Further Reading

- Chromium Security Note for CVE-2023-5859
- Chrome releases and version history
- CVE Record at NVD
- Picture-in-Picture API documentation (MDN)
- Chromium Bug Tracker #1488559 (login required)

Summary

CVE-2023-5859 looked harmless, but it’s a solid lesson: even minor browser UI oversights can lead to slick scams. As browsers add new features (like PiP), every detail matters for your security. Stay updated, stay skeptical—and always look twice before entering passwords, even in tiny pop-up windows!

Timeline

Published on: 11/01/2023 18:15:10 UTC
Last modified on: 11/14/2023 03:15:12 UTC