Google Chrome
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*
- < 133.0.6943.53
A vulnerability in the Extensions API of Google Chrome prior to version 133.0.6943.53 allowed remote attackers to perform UI spoofing. By convincing users to execute specific UI gestures, attackers could use a crafted Chrome Extension to obscure active windows and manipulate permission dialogs without user awareness. This issue was reported by Vitor Torres and Alesandro Ortiz.
Exploitation of this vulnerability could lead to unauthorized interaction with browser permission prompts, allowing extensions to gain permissions without user consent. Additionally, it could disrupt user interactions with sensitive browser UI or web pages.
The vulnerability can be reproduced by installing a malicious Chrome Extension that does not require permissions. Once the extension is active, it can create an inactive window over an active one, obscuring it. The inactive window can receive keyboard inputs, allowing the extension to intercept permission dialogs or other sensitive browser interactions. This behavior can be automated by injecting scripts into web pages that request permissions, timing the window creation to obscure the prompts.
Users should update to Google Chrome version 133.0.6943.53 or later, where this vulnerability has been fixed.