New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel
"Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome extension."
"The issue could have permitted malicious extensions with basic permissions to seize control of the new Gemini Live panel in Chrome. This attack could have been abused by an attacker to achieve privilege escalation, enabling them to access the victim's camera and microphone without their permission, take screenshots of any website, and access local files."
"The findings highlight an emerging attack vector arising from baking artificial intelligence (AI) and agentic capabilities directly into web browsers to facilitate real-time content summarization, translation, and automated task execution, as the same capabilities could be abused to perform privileged actions."
Google patched a high-severity vulnerability in Chrome version 143.0.7499.192 that stemmed from insufficient policy enforcement in the WebView tag. The flaw, discovered by Palo Alto Networks researcher Gal Weizman, allowed attackers to inject malicious scripts into privileged pages through crafted extensions. Specifically, the vulnerability enabled compromise of Chrome's Gemini Live panel, granting attackers unauthorized access to user cameras, microphones, and local files, as well as the ability to take screenshots of websites. The issue reflects emerging security risks from integrating AI and agentic capabilities directly into browsers, as these features require privileged access to the browsing environment that can be exploited when attackers embed hidden prompts in malicious web pages.
Read at The Hacker News