CVE-2023-26081
📋 TL;DR
Epiphany (GNOME Web) through 43.0 autofills saved passwords into login forms inside sandboxed documents. A document that is sandboxed, by an iframe sandbox attribute or a Content-Security-Policy: sandbox header without allow-same-origin, runs with an opaque origin precisely because the site does not trust it; autofilling a site's saved credentials into such content lets untrusted web content trick the user into handing that password to an attacker. Users of Epiphany 43.0 and earlier are affected.
💻 Affected Systems
- Epiphany (GNOME Web)
📦 What is this software?
Epiphany (GNOME Web) is the GNOME desktop's web browser, built on the WebKitGTK engine. It is packaged as epiphany on Fedora and as epiphany-browser on Debian and Ubuntu.
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal saved passwords for websites, email accounts, and other credentials stored in the browser, leading to account compromise and potential identity theft.
Likely Case
A user who browses to a page carrying untrusted content rendered in a sandboxed context could have a password saved in Epiphany autofilled into an attacker-controlled form and submitted without noticing, enabling credential theft.
If Mitigated
After patching, Epiphany no longer autofills credentials into sandboxed contexts (documents with an opaque origin), so untrusted content cannot receive a site's saved password.
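The following is an added illustration of the vulnerability class, written for this page; it is a model, not Epiphany's code and not the advisory's proof of concept. It shows why a document that is sandboxed (iframe sandbox attribute or Content-Security-Policy: sandbox without allow-same-origin) ends up with an opaque origin, and compares an autofill policy that keys on the URL alone with one that first checks the effective origin. The credential store, the origins and the user-content scenario are constructed for the example.

```javascript
// Added model of the autofill decision behind CVE-2023-26081. Not Epiphany's code:
// the credential store, URLs and sandbox values below are constructed for illustration.

// Constructed saved-credential store keyed by origin (hypothetical data).
const savedPasswords = new Map([
  ["https://example.com", { username: "alice", password: "correct horse" }],
]);

// Parse the token list of an iframe sandbox attribute or a CSP sandbox directive.
// null/undefined means "not sandboxed"; an empty string means sandboxed with no allowances.
function parseSandboxTokens(value) {
  if (value === null || value === undefined) return null;
  return new Set(String(value).trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Effective origin under the HTML sandboxing rules: a sandboxed document gets an
// opaque origin (serialised as "null") unless allow-same-origin is present.
function effectiveOrigin(url, sandboxTokens) {
  const parsed = new URL(url); // validates the URL even when the result is opaque
  if (sandboxTokens && !sandboxTokens.has("allow-same-origin")) return "null";
  return parsed.origin;
}

// Vulnerable policy: look up credentials by the document URL alone, so content that
// the site deliberately sandboxed still receives the site's saved password.
function autofillVulnerable(url) {
  return savedPasswords.get(new URL(url).origin) ?? null;
}

// Hardened policy: refuse opaque origins outright, then match by effective origin.
function autofillHardened(url, sandboxTokens) {
  const origin = effectiveOrigin(url, sandboxTokens);
  if (origin === "null") return null;
  return savedPasswords.get(origin) ?? null;
}

// Constructed scenario: untrusted content served from the victim site's own host with
// a CSP sandbox so it cannot touch the site's cookies, yet containing a login form.
function demo() {
  const userContentUrl = "https://example.com/uploads/attacker.html";
  const cspSandbox = parseSandboxTokens("allow-forms allow-scripts");
  return {
    vulnerable: autofillVulnerable(userContentUrl) !== null,
    hardened: autofillHardened(userContentUrl, cspSandbox) !== null,
    normalLogin: autofillHardened("https://example.com/login", null) !== null,
  };
}

console.log(JSON.stringify(demo()));
```

The point of the model is the check order: the effective origin is computed first and an opaque origin is a hard stop, so the URL match never gets a chance to fill credentials into content the serving site itself marked as untrusted.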
🎯 Exploit Status
Exploitation requires user interaction (visiting a page that renders the untrusted content) but no authentication, and only pays off if the victim has a password saved in Epiphany for the targeted site. A proof of concept is publicly available in the security advisory (GHSA-mhhf-w9xw-pp9x).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: upstream releases after 43.0 (the fix is merge request 1275). Distributions also backport the fix to older package versions without changing the upstream version number; see the Debian LTS and Fedora advisories in References for the fixed package versions.
Vendor Advisory: https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275
Restart Required: Yes
Instructions:
1. Update Epiphany through your distribution's package manager.
2. Debian/Ubuntu: sudo apt update && sudo apt install --only-upgrade epiphany-browser
3. Fedora: sudo dnf upgrade epiphany
4. Close all Epiphany windows and start the browser again so the updated web process extension is loaded.
🔧 Temporary Workarounds
Disable Autofill (Linux)
Turn off the Remember Passwords option and remove saved passwords in Epiphany's preferences so there is nothing to autofill. Export or note the passwords elsewhere first.
Use Alternative Browser (all platforms)
Switch to a different web browser until Epiphany is patched.
🧯 If You Can't Patch
- Turn off Remember Passwords and remove saved passwords in Epiphany's preferences immediately, so there is nothing to autofill
- Avoid using Epiphany for accessing sensitive websites or services until patched
🔍 How to Verify
Check if Vulnerable:
Check the Epiphany version with epiphany --version. If the upstream version is 43.0 or earlier, you are vulnerable unless your distribution has backported the fix; in that case compare the installed package version (dpkg -l epiphany-browser on Debian/Ubuntu, rpm -q epiphany on Fedora) against the fixed version in your distribution's advisory.
Check Version:
epiphany --version
Verify Fix Applied:
After updating, confirm that epiphany --version reports a version greater than 43.0, or, for a backported fix, that the installed package version is at or above the one named in your distribution's advisory.
📡 Detection & Monitoring
Log Indicators:
- Epiphany does not log autofill events, so there is no browser-side indicator to collect. Detection is after the fact, on the accounts whose passwords were saved in the browser.
- Successful logins from unfamiliar IP addresses or devices for those accounts (stolen credentials are valid, so expect successes rather than failed attempts)
Network Indicators:
- Unexpected outbound POST requests from the browser to unknown domains during website visits; with TLS in use this is only visible at a proxy that inspects traffic
SIEM Query:
A query such as source="browser_logs" AND event="autofill" AND context="sandboxed" will never match, because no such log exists. Query your software-inventory data instead for epiphany (Fedora) or epiphany-browser (Debian/Ubuntu) packages below the fixed version in your distribution's advisory.
🔗 References
- https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
- https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275
- https://lists.debian.org/debian-lts-announce/2023/05/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IFWUNG6E4ZT43EYNHKYXS7QVSO2VW2H2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SADQCSQKTJKTTIJMEPY7GII6IVQSKEKV/