Impact
Chrome for iOS contains an implementation flaw that allows a remote attacker to trick a user into performing specific UI gestures while interacting with a crafted HTML page. When the user follows the attacker's instructions, the Omnibox (URL bar) displays falsified text, which can cause the user to believe they are viewing or interacting with a different web page than the one actually loaded. This enables social-engineering-based phishing or credential theft by obscuring the real destination of the browsing session. Based on the description, it is inferred that the weakness involves improper handling of user interface elements, which could be categorised under an input-validation or UI-spoofing type such as CWE-74.
Affected Systems
The flaw affects Google Chrome on iOS versions earlier than 150.0.7871.47. Any device running an affected build is susceptible when a user opens a maliciously constructed web page that instructs them to perform UI gestures.
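An added example (not part of the original advisory) for finding affected clients in proxy or web-server logs: it parses the `CriOS/<version>` token that Chrome for iOS sends in its User-Agent and compares it numerically with the fixed version 150.0.7871.47. The log records, client names and every version number other than the fixed one are constructed for illustration.

```python
import re

# Fixed version from the advisory: builds earlier than this are affected.
FIXED = (150, 0, 7871, 47)

# Chrome for iOS identifies itself as "CriOS/<major>.<minor>.<build>.<patch>".
CRIOS_RE = re.compile(r"\bCriOS/(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

_IOS = "Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) "

# Constructed sample records: (client_id, user_agent).
SAMPLE = [
    ("host-a", _IOS + "CriOS/149.0.7800.12 Mobile/15E148 Safari/604.1"),
    ("host-b", _IOS + "CriOS/150.0.7871.47 Mobile/15E148 Safari/604.1"),
    ("host-c", _IOS + "CriOS/150.0.7871.5 Mobile/15E148 Safari/604.1"),
    ("host-d", _IOS + "Version/18.5 Mobile/15E148 Safari/604.1"),  # Safari, no CriOS token
    ("host-e", _IOS + "CriOS/151.0.7900.3 Mobile/15E148 Safari/604.1"),
]


def crios_version(user_agent):
    """Return the Chrome for iOS version as a 4-tuple of ints, or None."""
    m = CRIOS_RE.search(user_agent)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(user_agent):
    """Return 'affected', 'fixed' or 'not-chrome-ios' for one User-Agent."""
    version = crios_version(user_agent)
    if version is None:
        return "not-chrome-ios"
    # Tuple comparison is numeric per component, so 150.0.7871.5 sorts
    # below 150.0.7871.47; a plain string comparison would get this wrong.
    return "affected" if version < FIXED else "fixed"


def affected_clients(records):
    """Return a sorted, de-duplicated list of (client_id, version) pairs."""
    hits = set()
    for client_id, ua in records:
        if classify(ua) == "affected":
            hits.add((client_id, ".".join(map(str, crios_version(ua)))))
    return sorted(hits)


if __name__ == "__main__":
    for client_id, version in affected_clients(SAMPLE):
        print(f"{client_id}: Chrome for iOS {version} is earlier than the fixed build")
```

The User-Agent header is supplied by the client, so treat the result as a triage list and confirm installed versions against device-management inventory.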
Risk and Exploitability
The CVSS score is not publicly available, and there is no EPSS value, indicating that risk-assessment data has not been released. The vulnerability is not listed in the CISA KEV catalog, suggesting no known large-scale exploitation at this time. However, the attack vector is remote via a crafted web page, and the requirement that the user perform gestures adds a social-engineering component. If the user follows the attacker's cues, the Omnibox can be spoofed, potentially leading to phishing or credential theft.