CVE-2024-8035 - How a Simple Crafted HTML Page Could Trick You in Chrome Extensions (Explained)

---

In the world of browser security, sometimes even small oversights can open doors for opportunistic attackers. Today, I’ll break down a recent Chrome security issue: CVE-2024-8035 — an inappropriate implementation in Extensions in Google Chrome on Windows (before version 128..6613.84) that allowed remote attackers to spoof parts of the UI using a specially crafted HTML web page.

This post lays out what happened, shows how the bug works, offers code samples, and rounds up links to original sources. The language is plain, no technical jargon overload!

What is CVE-2024-8035?

- Summary: Before Chrome version 128..6613.84 on Windows, extensions could be misled by a web page designed to spoof (fake) parts of Chrome’s UI (user interface). This trick could fool users into revealing sensitive info or allow malicious actions.

Official advisory:

Chromium Security Advisories
CVE Details

How Did It Work?

Certain Chrome extensions ran on the assumption that browser UI components — like permission pop-ups or extension prompts — couldn’t be faked by the underlying web page. But, if the extension wasn't careful, a web page could display “fake” UI elements that look just like the real deal.

This could be as simple as drawing a box that looks like Chrome’s “Add extension” dialog, and convincing the user to click on it. If the extension code didn’t check where the clicks came from, or if it trusted HTML rendered by untrusted sources, the extension or the user could be fooled.

Example: Crafting a Fake Chrome Popup

Let’s see a code snippet of a spoofed dialog, meant to mimic Chrome’s look.

<!-- fake_chrome_ui.html -->
<html>
<head>
  <style>
    #chrome-dialog {
      border: 1px solid #eee;
      border-radius: 8px;
      box-shadow:  1px 6px rgba(60,64,67,.3);
      width: 400px;
      padding: 24px;
      background: #fff;
      position: fixed;
      top: 90px;
      left: 50%;
      transform: translateX(-50%);
      font-family: "Segoe UI", Arial, sans-serif;
      z-index: 9999;
    }
    .button {
      background: #1a73e8;
      color: #fff;
      border: none;
      padding: 10px 22px;
      border-radius: 4px;
      font-size: 16px;
      cursor: pointer;
      margin-top: 20px;
    }
  </style>
</head>
<body>
  <div id="chrome-dialog">
    <img src="chrome-logo.png" alt="Chrome Logo" style="width: 30px; vertical-align: middle;">
    <h3>Install Extension?</h3>
    <p>This site suggests: <b>"Secure PDF Viewer"</b> extension. Do you want to add it?</p>
    <button class="button" onclick="alert('Phished!')">Add Extension</button>
    <button class="button" style="background:#eee; color:#333; margin-left:10px;" onclick="window.close()">Cancel</button>
  </div>
</body>
</html>

*This HTML, when shown in any browser window, looks a lot like a real Chrome dialog. An attacker could use this trick to steal clicks, passwords, or trick the user into installing a malicious extension.*

Prepare the Webpage: Attacker makes a web page that mimics Chrome’s extension install dialog.

2. Entice a Click: The page tells the user: “Click to install the new feature!” with a big blue button that says “Add extension.”
3. Extension Trusts the UI: If a Chrome extension shows information from this page or doesn’t check the source of the UI interaction, it might act on the click — potentially leading to unintended actions.

Here’s an example of a vulnerable Chrome extension background script

// background.js
chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
  if (message.action === 'showDialog') {
    // This shows a dialog without verifying where the message came from!
    showChromeLikeDialog();
  }
});

If a malicious page sends a chrome.runtime.sendMessage with {action: 'showDialog'} to this extension, the extension could pop up the fake UI.

Why Was This Possible?

- Too much trust: The extension (or Chrome itself) trusts that UI interactions are always trusted, but they can be imitated with HTML + CSS.

Windows-only: The issue was found to only happen on Windows builds of Chrome.

- Not a browser bug, per se: This is considered a logic/implementation error in how extensions or sites interpret UI.

How Was It Fixed?

Google engineers updated Chrome (128..6613.84+) to make it harder for webpages (even in extensions) to render UI elements that look exactly like core browser dialogs, and improved how extension messages are tracked—so origin/source is always checked.

How to Stay Safe

- Upgrade Chrome to 128..6613.84 or later
- Be skeptical of pop-ups asking for sensitive actions, especially if they appear after clicking on ads, unknown sites, or extensions you didn’t mean to install.
- Extension developers: Validate origin of chrome.runtime.onMessage events. Only process trusted inputs (like this):

chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
  // Only accept messages from your extension's pages
  if (sender.origin === chrome.runtime.getURL('')) {
    // Now it's safe!
    showChromeLikeDialog();
  }
});

References

- Google Chrome Release Blog - June 2024 Desktop Update
- CVE-2024-8035 Details (NVD)
- Chromium Issue Tracker (If available)

Final Thoughts

While CVE-2024-8035 is labeled “low severity,” it’s a good reminder: browser UI can often be spoofed by creative web pages. Don’t trust everything you see on your screen—but do trust that Chrome’s security team is watching out for you.

If you build Chrome extensions, never trust messages, prompts, or UI from untrusted origin — always validate sources.

Timeline

Published on: 08/21/2024 21:15:10 UTC
Last modified on: 08/22/2024 17:33:37 UTC