CVE-2021-21205
📋 TL;DR
This vulnerability allows attackers to bypass navigation restrictions in Google Chrome on iOS by using a specially crafted HTML page. It affects users running Chrome on iOS versions prior to 90.0.4430.72. The flaw enables unauthorized navigation that could lead to further exploitation.
💻 Affected Systems
- Google Chrome
📦 What is this software?
Chrome by Google
Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...
Learn more about Chrome →Fedora by Fedoraproject
Fedora by Fedoraproject
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Attackers could redirect users to malicious sites, potentially leading to phishing, malware installation, or credential theft through social engineering.
Likely Case
Users could be redirected to unwanted or malicious websites, compromising privacy and potentially exposing sensitive information.
If Mitigated
With proper controls like updated browsers and security software, the risk is limited to temporary inconvenience from unwanted navigation.
🎯 Exploit Status
Exploitation requires user to visit a crafted HTML page. No authentication needed for the navigation bypass itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 90.0.4430.72
Vendor Advisory: https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_14.html
Restart Required: Yes
Instructions:
1. Open the App Store on iOS. 2. Tap your profile icon. 3. Scroll to find Chrome updates. 4. Tap 'Update' next to Chrome. 5. Restart Chrome after update completes.
🔧 Temporary Workarounds
Use alternative browser
iosTemporarily switch to Safari or another browser until Chrome is updated.
Disable JavaScript
iosDisable JavaScript in Chrome settings to prevent crafted HTML pages from executing malicious navigation.
🧯 If You Can't Patch
- Implement web filtering to block malicious sites
- Educate users about not clicking suspicious links
🔍 How to Verify
Check if Vulnerable:
Open Chrome, go to Settings > About Chrome, check if version is below 90.0.4430.72.Check Version:
Not applicable for iOS - check via Chrome settings menu.Verify Fix Applied:
After updating, verify Chrome version is 90.0.4430.72 or higher in Settings > About Chrome.📡 Detection & Monitoring
Log Indicators:
- Unusual navigation patterns in Chrome logs
- Multiple redirects to unfamiliar domains
Network Indicators:
- HTTP redirects to suspicious domains
- Unusual traffic patterns from Chrome
SIEM Query:
source="chrome" AND (event="navigation" OR event="redirect") AND dest_domain NOT IN [allowed_domains]🔗 References
- https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_14.html
- https://crbug.com/1165654
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EAJ42L4JFPBJATCZ7MOZQTUDGV4OEHHG/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U3GZ42MYPGD35V652ZPVPYYS7A7LVXVY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VUZBGKGVZADNA3I24NVG7HAYYUTOSN5A/
- https://security.gentoo.org/glsa/202104-08
- https://www.debian.org/security/2021/dsa-4906
- https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_14.html
- https://crbug.com/1165654
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EAJ42L4JFPBJATCZ7MOZQTUDGV4OEHHG/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U3GZ42MYPGD35V652ZPVPYYS7A7LVXVY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VUZBGKGVZADNA3I24NVG7HAYYUTOSN5A/
- https://security.gentoo.org/glsa/202104-08
- https://www.debian.org/security/2021/dsa-4906
