Overview
CVE-2025-13102 is a security vulnerability affecting Google Chrome on Android, specifically related to WebApp Installs. This vulnerability, discovered and patched in Chrome version 134.0.6998.35, allowed a remote attacker to perform user interface (UI) spoofing via a crafted HTML page. By exploiting this flaw, an attacker could potentially trick users into interacting with a fake interface, leading to phishing or other malicious activity.
Technical Details
The vulnerability stems from an inappropriate implementation within the WebApp Installs feature of Chrome on Android. Specifically, the browser failed to properly validate or sanitize the content presented to the user during the WebApp installation process. This lack of validation allowed an attacker to inject arbitrary HTML code, effectively spoofing the UI displayed to the user. The crafted HTML page could mimic legitimate Chrome interfaces or even those of other applications, deceiving the user into believing they are interacting with a trusted source.
CVSS Analysis
Currently, no CVSS score is assigned to CVE-2025-13102. However, Google has classified this as a “Low” severity issue within Chromium’s security rating system. While the impact of successful exploitation may be limited, the potential for UI spoofing makes it a vulnerability of concern.
Note: CVSS scores can change over time as more information becomes available. Refer to the National Vulnerability Database (NVD) for the most up-to-date information, once available.
Possible Impact
The primary impact of this vulnerability is UI spoofing. An attacker could potentially:
- Phishing: Mimic login screens of popular websites or applications to steal user credentials.
- Malware Installation: Trick users into installing malicious applications disguised as legitimate ones.
- Information Disclosure: Present fake dialog boxes requesting sensitive information, such as personal details or payment information.
While the severity is considered low, the potential for social engineering makes this a significant risk for unsuspecting users.
Mitigation or Patch Steps
The vulnerability has been addressed in Google Chrome version 134.0.6998.35 and later. To mitigate the risk, users of Chrome on Android are strongly advised to:
- Update Chrome: Ensure your Chrome browser is updated to the latest version. You can typically do this through the Google Play Store.
- Be Cautious: Exercise caution when installing WebApps, especially from unfamiliar or untrusted sources.
- Verify Sources: Double-check the source and legitimacy of WebApps before granting any permissions.
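For administrators who need to confirm the "Update Chrome" step across managed Android devices, the following script is an added example (not part of the original advisory) that reads the installed Chrome version from `adb shell dumpsys package` output and compares it against the fixed version 134.0.6998.35 stated above. It assumes the stable Chrome package name `com.android.chrome` (Beta/Dev builds use other package names) and that `adb` is on the PATH when querying a real device; the `dumpsys` text embedded below is constructed sample output, not captured from a device.

```python
import re
import subprocess

# Fixed version given in the advisory for CVE-2025-13102 (Chrome on Android).
FIXED_VERSION = "134.0.6998.35"
# Package name of stable Chrome on Android (assumption: adjust for Beta/Dev/Canary builds).
CHROME_PACKAGE = "com.android.chrome"


def parse_version(v):
    """Turn '134.0.6998.35' into (134, 0, 6998, 35) so versions compare numerically.
    Digits are extracted with a regex so a stray suffix does not raise ValueError."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def version_from_dumpsys(text):
    """Extract the first versionName= value from `dumpsys package` output.
    Returns None when no versionName line is present (package not installed)."""
    m = re.search(r"versionName=(\S+)", text)
    return m.group(1) if m else None


def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed version is at least the fixed version."""
    return parse_version(installed) >= parse_version(fixed)


def check_device(dumpsys_text):
    """Classify one device's dumpsys output.
    Returns (status, version) where status is 'patched', 'vulnerable' or 'not-installed'."""
    v = version_from_dumpsys(dumpsys_text)
    if v is None:
        return "not-installed", None
    return ("patched" if is_patched(v) else "vulnerable"), v


def dumpsys_via_adb(package=CHROME_PACKAGE, serial=None):
    """Fetch `dumpsys package <pkg>` from a connected device over adb.
    Requires adb on PATH and an authorised device; pass serial= when several are attached."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "dumpsys", "package", package]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample output (not captured from a real device), trimmed to the relevant lines.
SAMPLE_OLD = """Packages:
  Package [com.android.chrome] (1a2b3c):
    versionCode=694312100 minSdk=26 targetSdk=35
    versionName=133.0.6943.121
"""
SAMPLE_NEW = """Packages:
  Package [com.android.chrome] (1a2b3c):
    versionCode=699835000 minSdk=26 targetSdk=35
    versionName=134.0.6998.35
"""

if __name__ == "__main__":
    for label, text in (("sample-old", SAMPLE_OLD), ("sample-new", SAMPLE_NEW)):
        status, v = check_device(text)
        print(f"{label}: versionName={v} -> {status}")
    # For a real device instead of the samples:  print(check_device(dumpsys_via_adb()))
```

Versions are compared as integer tuples rather than strings, because a string comparison would rank "134.0.6998.9" above "134.0.6998.35". A device reporting "not-installed" should be checked for a non-stable Chrome package before being treated as safe.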
