Google Chrome Payments UI Spoofing Vulnerability

Vulnerability

A UI spoofing vulnerability has been identified in the Payments component of Google Chrome, affecting versions prior to 132.0.6834.83. It allows a remote attacker who convinces a user to perform specific actions, such as clicking or scrolling, on a specially crafted HTML page to manipulate user interface elements. As a result, the attacker can obtain sensitive payment-related information saved in the browser, including shipping addresses and contact details.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive payment information, such as addresses and contact details, saved in the user's Chrome browser.

Reproduction

To reproduce this vulnerability, first save some payment information in Chrome settings under 'Addresses'. Then visit an online gaming website crafted to exploit the vulnerability. After a game is selected, a Picture-in-Picture (PiP) window appears, presenting what looks like normal gameplay. While this overlay is active, a hidden popup is triggered that opens the PaymentRequest dialog. The dialog, which contains the saved payment information, is partially obscured by the PiP overlay. Interactions with the PiP window are delivered to the obscured PaymentRequest dialog, and the saved payment data is sent to the attacker.

Remediation

Users should update to Google Chrome version 132.0.6834.83 or later, where this vulnerability has been fixed.
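The remediation check in practice is a version comparison against the fixed build named above. The following script is an added example, not part of this advisory: it parses the version string Chrome prints for `--version` (for example `Google Chrome 131.0.6778.204`) and reports whether the installed build is older than 132.0.6834.83. The binary name `google-chrome` is an assumption that matches a typical Linux install; adjust it for other platforms. The sample strings in the script are constructed for illustration.

```python
import re
import subprocess

# Fixed version stated in the advisory; builds older than this are affected.
FIXED_VERSION = "132.0.6834.83"


def parse_version(text):
    """Extract a dotted Chrome version from text such as
    'Google Chrome 131.0.6778.204' and return it as a 4-tuple of ints.
    Shorter versions are right-padded with zeros so they compare sensibly."""
    match = re.search(r"(\d+(?:\.\d+){1,3})", text)
    if not match:
        raise ValueError(f"no version number found in: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """True when the version in version_text is older than the fixed build."""
    return parse_version(version_text) < parse_version(fixed)


def installed_chrome_version(binary="google-chrome"):
    """Run the browser binary with --version (binary name is an assumption)
    and return its output line, or None if the binary cannot be run."""
    try:
        result = subprocess.run(
            [binary, "--version"], capture_output=True, text=True, check=True
        )
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return result.stdout.strip()


def report(version_text):
    """Return a one-line human-readable verdict for a version string."""
    status = "VULNERABLE" if is_vulnerable(version_text) else "fixed"
    return f"{version_text}: {status} (fixed in {FIXED_VERSION})"


if __name__ == "__main__":
    # Constructed sample outputs, not collected from real hosts.
    samples = [
        "Google Chrome 131.0.6778.204",
        "Google Chrome 132.0.6834.83",
        "Google Chrome 132.0.6834.110",
    ]
    for sample in samples:
        print(report(sample))

    installed = installed_chrome_version()
    if installed:
        print("installed:", report(installed))
    else:
        print("installed: Chrome binary not found; skipping live check")
```

`parse_version` pads short versions with zeros, so a string like `132.0` compares as `132.0.0.0` and is correctly reported as older than the fixed build rather than raising a comparison error.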

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 8.4
impact: 2.5
exploitability: 5.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.