Google Chrome Permissions UI Spoofing Vulnerability

Vulnerability

A UI spoofing vulnerability has been identified in Google Chrome, specifically in the Permissions feature, prior to version 140.0.7339.80. This vulnerability allows remote attackers to manipulate user interface elements through a specially crafted HTML page. The issue arises from an inappropriate implementation in how permissions are handled, particularly with the Permission Element in the Chrome Permissions API.

Impact

Exploitation of this vulnerability could lead to user interface spoofing, where an attacker creates a misleading representation of the application or system, potentially tricking users into interacting with prompts for permissions that were previously denied.

Reproduction

The vulnerability can be reproduced by creating an HTML page that uses the Permission Element and applies specific CSS styles, such as 'text-emphasis' and 'text-emphasis-position', to manipulate how permission prompts are displayed. If the styles are not properly reset in the Permission Element, it can create a false impression that a permission is available to be granted, even if it was previously denied.
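
A defender-side heuristic for the condition described above, added here as an example and not taken from the advisory or from Chrome's code: it flags pages that contain a Permission Element while any stylesheet rule or inline style sets a text-emphasis property. It assumes the element is written as a `<permission>` tag; the function names and sample pages are constructed for illustration.

```javascript
// Added example: heuristic page scanner, not code from Chrome or the advisory.
// Assumption: the Permission Element appears in markup as a <permission> tag.
const EMPHASIS_PROP = /^(?:-webkit-)?text-emphasis(?:-(?:style|color|position))?$/;

// Return the text-emphasis property names set in one CSS declaration list.
function emphasisProps(declarations) {
  const found = [];
  for (const decl of declarations.split(';')) {
    const name = decl.slice(0, decl.indexOf(':')).trim().toLowerCase();
    if (decl.includes(':') && EMPHASIS_PROP.test(name)) found.push(name);
  }
  return found;
}

function scanPage(html) {
  const hasPermissionElement = /<permission[\s>/]/i.test(html);
  const props = new Set();
  // Stylesheet rules: text-emphasis properties are inherited, so a rule on
  // any ancestor selector counts, not only rules that name the element.
  for (const style of html.matchAll(/<style[^>]*>([\s\S]*?)<\/style>/gi)) {
    const css = style[1].replace(/\/\*[\s\S]*?\*\//g, ''); // drop CSS comments
    for (const rule of css.matchAll(/\{([^{}]*)\}/g)) {
      emphasisProps(rule[1]).forEach((p) => props.add(p));
    }
  }
  // Inline style attributes on any element, double- or single-quoted.
  for (const attr of html.matchAll(/\sstyle\s*=\s*("([^"]*)"|'([^']*)')/gi)) {
    emphasisProps(attr[2] ?? attr[3] ?? '').forEach((p) => props.add(p));
  }
  const emphasis = [...props].sort();
  return { hasPermissionElement, emphasis, suspicious: hasPermissionElement && emphasis.length > 0 };
}

// Constructed sample pages (not taken from the advisory).
const SAMPLE_FLAGGED = `<style>body { color: #222; text-emphasis: filled dot; text-emphasis-position: under right; }</style>
<permission type="camera"></permission>`;
const SAMPLE_CLEAN = `<style>em { text-emphasis: filled dot; }</style><p>No permission element here.</p>`;
const SAMPLE_INLINE = `<div style='text-emphasis-position: over right'><permission type="geolocation" /></div>`;

for (const [name, page] of Object.entries({ SAMPLE_FLAGGED, SAMPLE_CLEAN, SAMPLE_INLINE })) {
  console.log(name, JSON.stringify(scanPage(page)));
}
```

A hit only marks a page for manual review, since text-emphasis is ordinary typography on its own; styles injected by script at runtime are outside what this static check sees.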

Remediation

Users should update to Google Chrome version 140.0.7339.80 or later, where this vulnerability has been fixed.

Added: Nov 8, 2025, 12:25 AM
Updated: Nov 8, 2025, 12:25 AM

Vulnerability Rating

Custom Algorithm

spread: 8.4
impact: 0.6
exploitability: 5.8
remediation: 7.7
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.