CVE-2022-1130 in Chrome

Summary

by MITRE • 07/23/2022

Insufficient validation of untrusted input in WebOTP in Google Chrome on Android prior to 100.0.4896.60 allowed a remote attacker to send arbitrary intents from any app via a malicious app.

Analysis

by VulDB Data Team • 07/23/2022

This vulnerability resides in the WebOTP implementation within Google Chrome on Android systems, specifically affecting versions prior to 100.0.4896.60. The flaw stems from inadequate validation of trust input mechanisms that govern how Chrome processes One-Time Password (OTP) intents received through the WebOTP API. When an application requests an OTP via WebOTP, Chrome typically validates the origin and legitimacy of the request before forwarding it to the appropriate receiving application. However, this validation process was insufficiently robust, allowing malicious applications to forge or manipulate intent data that would normally be restricted to legitimate sources.

The technical exploitation of this vulnerability enables a remote attacker to craft and send arbitrary intents from any application on the device through a malicious app. This occurs because the trust validation mechanisms fail to properly verify the authenticity and authorization of intent origins, essentially allowing any application with access to the WebOTP API to bypass normal security boundaries. The flaw particularly affects Android's intent system where applications communicate by sending messages to other applications through intent objects. When Chrome processes these intents for OTP handling, it trusts the originating application without sufficient verification that the intent comes from a legitimate source or authorized domain.

The operational impact of this vulnerability extends beyond simple privilege escalation, as it creates a potential gateway for broader malicious activity across the Android ecosystem. Attackers could leverage this weakness to intercept or manipulate SMS-based authentication flows, potentially compromising accounts that rely on OTP verification for security. The vulnerability affects not just individual user privacy but also system integrity, since it allows unauthorized applications to participate in legitimate authentication processes without proper authorization. This represents a significant breakdown in Android's application sandboxing model, under which applications should be isolated from each other and should not be able to freely access or manipulate data belonging to other apps.

Security implications of this flaw align with CWE-284 (Improper Access Control) and relate to ATT&CK technique T1566 (Phishing) through the potential for crafting malicious web pages that could exploit this vulnerability. The weakness creates a vector where attackers can bypass security controls designed to protect user authentication flows, potentially leading to account takeovers or unauthorized access to services protected by SMS-based two-factor authentication. Organizations and users should consider this vulnerability as part of their broader mobile security posture assessment since it affects the fundamental trust model between web applications and native Android components.

Mitigation strategies include immediately updating Chrome to version 100.0.4896.60 or later, where the trust validation mechanisms have been strengthened. Additionally, users should ensure their Android devices are running the latest security patches from Google. System administrators should monitor for any suspicious intent activity on affected systems and consider implementing network-level monitoring to detect potential exploitation attempts. The fix implemented by Google addresses the core validation issue by tightening the verification process for intent origins and ensuring that only properly authenticated applications can participate in WebOTP processing, thereby closing the gap that allowed arbitrary intent injection through malicious applications.
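The version check behind the first mitigation step, as an added example that is not part of the original entry: it classifies devices from captured `adb shell dumpsys package com.android.chrome` output against the fixed build 100.0.4896.60. The device names, the sample captures and the function names are constructed for illustration, and the handling of a second "Hidden system packages" entry is an assumption about the capture layout.

```python
import re

# First fixed Chrome for Android build, taken from the entry text above.
FIXED_BUILD = (100, 0, 4896, 60)
VERSION_RE = re.compile(r"versionName=(\d+)\.(\d+)\.(\d+)\.(\d+)")


def active_chrome_version(dumpsys_output):
    """Return the first versionName in the capture as a 4-tuple, or None.

    Assumption: the first entry is the active package; a later entry under
    "Hidden system packages" is the preinstalled copy it replaced.
    """
    match = VERSION_RE.search(dumpsys_output)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(dumpsys_output):
    """Return 'vulnerable', 'patched' or 'unknown' for one device capture."""
    version = active_chrome_version(dumpsys_output)
    if version is None:
        return "unknown"  # Chrome absent or capture truncated: check by hand
    # Tuples compare numerically per component, so 100.x sorts above 99.x,
    # which a plain string comparison would get wrong.
    return "patched" if version >= FIXED_BUILD else "vulnerable"


def audit_fleet(captures):
    """Map each device id to its classification."""
    return {device: classify(text) for device, text in captures.items()}


# Constructed sample captures (not real device data).
SAMPLE_CAPTURES = {
    "device-a": "Packages:\n  Package [com.android.chrome]:\n"
                "    versionName=99.0.4844.88\n",
    "device-b": "Packages:\n  Package [com.android.chrome]:\n"
                "    versionName=100.0.4896.58\n",
    "device-c": "Packages:\n  Package [com.android.chrome]:\n"
                "    versionName=100.0.4896.127\n"
                "Hidden system packages:\n  Package [com.android.chrome]:\n"
                "    versionName=98.0.4758.101\n",
    "device-d": "",  # no package record captured
}

if __name__ == "__main__":
    for device, status in sorted(audit_fleet(SAMPLE_CAPTURES).items()):
        print(f"{device}: {status}")
```

Devices reported as "unknown" need a manual check, since a missing record does not show that Chrome is absent or patched.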

Reservation: 03/29/2022

Disclosure: 07/23/2022

Moderation: accepted

CPE: ready

EPSS: 0.00697

KEV: no

Activities: very low
