CVE-2024-13983
📋 TL;DR
This vulnerability allows attackers to create QR codes that spoof Chrome's Lens UI on iOS, potentially tricking users into interacting with malicious content. Only Google Chrome on iOS versions before 136.0.7103.59 is affected. Users scanning QR codes with Chrome's Lens feature are at risk.
💻 Affected Systems
- Google Chrome
📦 What is this software?
Chrome by Google
Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...
⚠️ Risk & Real-World Impact
Worst Case
Users could be tricked into visiting phishing sites, downloading malware, or revealing sensitive information through spoofed UI elements that appear legitimate.
Likely Case
Attackers create QR codes that display fake UI overlays, potentially leading users to malicious websites or tricking them into unintended actions.
If Mitigated
With proper user awareness training and QR code scanning precautions, impact is minimal as users would recognize suspicious UI elements.
🎯 Exploit Status
Exploitation requires user interaction (scanning a malicious QR code) but no authentication. Attack complexity is low once the QR code is crafted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 136.0.7103.59 and later
Vendor Advisory: https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop_29.html
Restart Required: Yes
Instructions:
1. Open the App Store on iOS.
2. Search for Google Chrome.
3. Tap 'Update' if available.
4. After the update completes, restart Chrome.
🔧 Temporary Workarounds
Disable Chrome Lens QR Scanning
iOS: Temporarily disable Chrome's built-in QR code scanning feature to prevent exploitation.
No commands - disable via Chrome settings: Settings > Privacy and Security > QR Code Scanner
Use Alternative QR Scanner
iOS: Use iOS's built-in Camera QR scanner or a dedicated QR app instead of Chrome's Lens feature.
🧯 If You Can't Patch
- Educate users to verify URLs before clicking when scanning QR codes
- Implement QR code scanning policies for enterprise environments
🔍 How to Verify
Check if Vulnerable:
Check the Chrome version on iOS: Open Chrome > Tap the three dots > Settings > About Chrome. If the version is below 136.0.7103.59, you are vulnerable.
Check Version:
No command - check via Chrome settings on iOS as described above
Verify Fix Applied:
After updating, verify that the Chrome version is 136.0.7103.59 or higher using the same steps.
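The manual version check above does not scale to a fleet. The following is an added example, not code from this page or from Google, that performs the same comparison against the fixed build 136.0.7103.59 numerically (a plain string comparison would wrongly rank 136.0.7103.100 below 136.0.7103.59) and pulls the version out of Chrome-on-iOS User-Agent strings, which carry a `CriOS/<version>` token; the sample User-Agent strings and version numbers are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Fixed build from the advisory (Chrome on iOS).
FIXED_VERSION = "136.0.7103.59"

# Chrome on iOS identifies itself with "CriOS/<version>" in its User-Agent;
# desktop and Android Chrome use "Chrome/<version>" and are out of scope here.
_CRIOS_RE = re.compile(r"\bCriOS/(\d+(?:\.\d+){0,3})\b")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '136.0.7103.59' into (136, 0, 7103, 59), padded to 4 components.

    Integer tuples compare numerically, so 136.0.7103.100 > 136.0.7103.59.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if a Chrome-on-iOS version is below the fixed build."""
    return parse_version(version) < parse_version(fixed)


def crios_version_from_user_agent(ua: str) -> Optional[str]:
    """Return the CriOS version from a User-Agent string, or None if absent."""
    m = _CRIOS_RE.search(ua)
    return m.group(1) if m else None


def check_user_agent(ua: str) -> Optional[bool]:
    """None if the UA is not Chrome on iOS; otherwise whether it is vulnerable."""
    v = crios_version_from_user_agent(ua)
    return None if v is None else is_vulnerable(v)


if __name__ == "__main__":
    # Constructed sample User-Agent strings (not taken from the advisory).
    samples = [
        "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 "
        "(KHTML, like Gecko) CriOS/135.0.7049.84 Mobile/15E148 Safari/604.1",
        "Mozilla/5.0 (iPhone; CPU iPhone OS 18_0 like Mac OS X) AppleWebKit/605.1.15 "
        "(KHTML, like Gecko) CriOS/136.0.7103.59 Mobile/15E148 Safari/604.1",
    ]
    for ua in samples:
        print(crios_version_from_user_agent(ua), "vulnerable:", check_user_agent(ua))
```

Feed it User-Agent strings from a web proxy or MDM inventory export to list devices still running a pre-fix build.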
📡 Detection & Monitoring
Log Indicators:
- Unusual QR code scan patterns
- Multiple failed authentication attempts following QR scans
Network Indicators:
- Traffic to suspicious domains following QR code scans
- Unusual redirect patterns
SIEM Query:
No specific SIEM query available due to limited logging of QR scan events in Chrome