CVE-2024-8909
📋 TL;DR
A crafted HTML page can make Google Chrome on iOS render spoofed browser UI (Chromium classifies this as "inappropriate implementation in UI"), so a remote attacker can dress phishing content up as legitimate browser chrome and trick users into following malicious links or entering sensitive information. Only Chrome for iOS builds before 129.0.6668.58 are affected; no authentication is required, but the victim must visit the attacker's page.
💻 Affected Systems
- Google Chrome for iOS, versions before 129.0.6668.58 (the advisory lists no other platform as affected)
📦 What is this software?
Chrome by Google
Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...
⚠️ Risk & Real-World Impact
Worst Case
Users could be tricked into providing credentials, financial information, or downloading malware through convincing fake UI elements that appear legitimate.
Likely Case
Phishing attacks where users click on spoofed buttons or links that appear to be legitimate Chrome UI elements, potentially leading to credential theft.
If Mitigated
Users recognize suspicious UI elements and avoid interacting with them, limiting the attack to failed phishing attempts.
🎯 Exploit Status
Exploitation requires user interaction with a crafted HTML page; no authentication needed to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 129.0.6668.58
Vendor Advisory: https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_17.html
Restart Required: Yes
Instructions:
1. Open the App Store on your iOS device.
2. Tap your profile icon.
3. Scroll to find Chrome in pending updates.
4. Tap 'Update' next to Chrome (Chrome on iOS has no in-app updater; the App Store is the only update path).
5. Restart Chrome after the update completes.
🔧 Temporary Workarounds
Use Safari or an alternative browser
iOS: Temporarily switch to Safari or another browser until Chrome has been updated. This is the only workaround that removes the vulnerable code path entirely.
Disable JavaScript for untrusted sites
iOS: Where your Chrome build exposes a JavaScript control, block JavaScript on untrusted websites. Treat this as a partial measure only: the advisory says the spoof is triggered by a crafted HTML page and does not state that it depends on script.
🧯 If You Can't Patch
- Educate users about phishing risks and how to identify suspicious UI elements
- Implement web filtering to block known malicious sites that might exploit this vulnerability
🔍 How to Verify
Check if Vulnerable:
Open Chrome on iOS, go to Settings > About Chrome, check if version is below 129.0.6668.58.
Check Version:
There is no command-line check on iOS. Either open chrome://version in the address bar or use the Chrome menu > Settings and read the version shown in the About Chrome entry. Fleet-wide, an MDM app inventory or the CriOS/<version> token in proxy and web-server user-agent logs gives the same answer without touching each device.
Verify Fix Applied:
After updating, verify Chrome version is 129.0.6668.58 or higher in Settings > About Chrome.
📡 Detection & Monitoring
Log Indicators:
- Unusual user reports of suspicious UI elements or unexpected redirects
Network Indicators:
- Traffic to known phishing domains from Chrome iOS clients
SIEM Query:
Exploitation of a client-side UI spoofing bug leaves no reliable server-side signature, so there is no query that detects the spoof itself. What you can query is exposure: Chrome for iOS identifies itself with a CriOS/<version> token in its user agent, so proxy or web-server logs can be searched for CriOS versions below 129.0.6668.58 to find clients that still need the update.
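The following script is an added example for this page, not Google's code or part of the advisory, that turns the exposure check above into something runnable against access logs. It assumes combined log format with the user agent as the last quoted field (a common but not universal layout) and relies on the CriOS/<version> token that Chrome for iOS puts in its user agent; the log lines embedded below are constructed for the example. It compares versions numerically rather than as strings, so a build such as 129.0.6668.100 is correctly treated as newer than 129.0.6668.58.

```python
"""Inventory unpatched Chrome-for-iOS clients from web/proxy access logs.

Added example for the CVE-2024-8909 page; not Google's code. Assumes combined
log format (user agent = final quoted field) and the CriOS/<version> token that
Chrome for iOS sends. Desktop Chrome ("Chrome/") and Safari carry no CriOS token
and are ignored.
"""
import re

FIXED_VERSION = "129.0.6668.58"  # first patched Chrome-for-iOS build, from the advisory

CRIOS_RE = re.compile(r"\bCriOS/(\d+(?:\.\d+){0,3})")
LAST_QUOTED_RE = re.compile(r'"([^"]*)"\s*$')  # user agent as last quoted field (assumption)


def parse_version(text):
    """'129.0.6668.58' -> (129, 0, 6668, 58); shorter strings are zero-padded to four parts."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(version):
    """True when the build predates the fix.

    Tuple comparison is numeric, so '129.0.6668.100' is newer than the fix even
    though it sorts before '129.0.6668.58' as a plain string.
    """
    return parse_version(version) < parse_version(FIXED_VERSION)


def chrome_ios_version(user_agent):
    """Return the CriOS version string, or None for any non-Chrome-iOS client."""
    m = CRIOS_RE.search(user_agent)
    return m.group(1) if m else None


def user_agent_of(log_line):
    """Pull the user agent out of a combined-format log line (None if absent)."""
    m = LAST_QUOTED_RE.search(log_line)
    return m.group(1) if m else None


def inventory(log_lines):
    """Return ({version: hits} for every Chrome-iOS client, {version: hits} for unpatched ones)."""
    counts = {}
    for line in log_lines:
        ua = user_agent_of(line)
        version = chrome_ios_version(ua) if ua else None
        if version is None:
            continue  # not Chrome for iOS, or no user agent field
        counts[version] = counts.get(version, 0) + 1
    unpatched = {v: n for v, n in counts.items() if is_vulnerable(v)}
    return counts, unpatched


# Constructed sample log lines for the example (not real traffic).
_IOS_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) "
SAMPLE_LOG_LINES = [
    '10.0.0.11 - - [17/Sep/2024:09:12:01 +0000] "GET /login HTTP/1.1" 200 1834 "-" "'
    + _IOS_UA + 'CriOS/128.0.6613.98 Mobile/15E148 Safari/604.1"',
    '10.0.0.12 - - [17/Sep/2024:09:12:05 +0000] "GET /login HTTP/1.1" 200 1834 "-" "'
    + _IOS_UA + 'CriOS/129.0.6668.58 Mobile/15E148 Safari/604.1"',
    '10.0.0.13 - - [17/Sep/2024:09:13:40 +0000] "GET / HTTP/1.1" 200 512 "-" "'
    + _IOS_UA + 'CriOS/129.0.6668.40 Mobile/15E148 Safari/604.1"',
    '10.0.0.11 - - [17/Sep/2024:09:14:11 +0000] "POST /login HTTP/1.1" 302 0 "-" "'
    + _IOS_UA + 'CriOS/128.0.6613.98 Mobile/15E148 Safari/604.1"',
    '10.0.0.20 - - [17/Sep/2024:09:15:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"',
    '10.0.0.21 - - [17/Sep/2024:09:15:30 +0000] "GET / HTTP/1.1" 200 512 "-" "'
    + _IOS_UA + 'Version/17.6 Mobile/15E148 Safari/604.1"',
]

if __name__ == "__main__":
    seen, unpatched = inventory(SAMPLE_LOG_LINES)
    for version, hits in sorted(seen.items(), key=lambda kv: parse_version(kv[0])):
        status = "UNPATCHED" if version in unpatched else "ok"
        print(f"CriOS/{version:<16} {hits:>3} hits  {status}")
```

Point it at a real log by replacing SAMPLE_LOG_LINES with the file contents; if your proxy writes a different layout, change LAST_QUOTED_RE to match where the user agent lands. The count per source address is what you hand to the people doing the App Store updates; the desktop Chrome and Safari lines in the sample show that the filter does not over-report.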