CVE-2022-1130

8.1 HIGH

📋 TL;DR

This vulnerability in Google Chrome on Android allows a malicious app to send arbitrary intents to other apps via WebOTP, bypassing normal security restrictions. It affects Chrome on Android versions prior to 100.0.4896.60. Attackers could potentially trigger unauthorized actions in other installed applications.

💻 Affected Systems

Products:
  • Google Chrome
Versions: Android versions prior to 100.0.4896.60
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Chrome on Android with WebOTP functionality enabled.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Malicious app could send intents to launch privileged operations in other apps, potentially leading to data theft, unauthorized transactions, or device compromise.

🟠

Likely Case

Malicious app could trigger unwanted actions in other apps, potentially stealing sensitive data or performing unauthorized operations.

🟢

If Mitigated

With updated Chrome and proper app permissions, risk is limited to apps that accept external intents without proper validation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user to install a malicious Android app that exploits the Chrome vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 100.0.4896.60 and later

Vendor Advisory: https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html

Restart Required: Yes

Instructions:

1. Open Google Play Store
2. Search for Chrome
3. Update to version 100.0.4896.60 or later
4. Restart Chrome

🔧 Temporary Workarounds

Disable WebOTP (Platform: android)

Temporarily disable WebOTP functionality in Chrome settings:

chrome://flags/#webotp-api → Disable

Restrict App Installations (Platform: android)

Only install apps from trusted sources like Google Play Store

🧯 If You Can't Patch

  • Disable Chrome WebOTP functionality via chrome://flags
  • Use alternative browsers until Chrome can be updated

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in Settings → About Chrome

Check Version:

chrome://version

Verify Fix Applied:

Verify Chrome version is 100.0.4896.60 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unusual intent broadcasts from Chrome
  • WebOTP API misuse logs

Network Indicators:

  • Suspicious WebOTP API calls

SIEM Query:

source="chrome" AND (event="intent_broadcast" OR event="webotp")
