CVE-2025-12728

<!-- CVE-2025-12728 PoC - UI Spoofing in Omnibox (Android) This is a demonstration of UI spoofing vulnerability in Chrome Android Omnibox. Note: This PoC is for educational and security testing purposes only. Vulnerability: Inappropriate implementation in Omnibox allows UI spoofing Attack Vector: Crafted HTML page + specific UI gestures Target: Google Chrome on Android prior to 142.0.7444.137 --> <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>CVE-2025-12728 UI Spoofing PoC</title> <style> body { font-family: Arial, sans-serif; padding: 20px; background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: white; min-height: 100vh; margin: 0; } .container { max-width: 800px; margin: 0 auto; background: rgba(255,255,255,0.1); padding: 30px; border-radius: 15px; backdrop-filter: blur(10px); } h1 { text-align: center; margin-bottom: 30px; } .warning { background: rgba(255,0,0,0.3); border-left: 4px solid #ff4444; padding: 15px; margin: 20px 0; border-radius: 5px; } .spoof-indicator { display: none; position: fixed; top: 50%; left: 50%; transform: translate(-50%, -50%); background: white; color: #333; padding: 40px; border-radius: 10px; text-align: center; box-shadow: 0 10px 40px rgba(0,0,0,0.3); z-index: 10000; } .spoof-indicator.show { display: block; } .instructions { background: rgba(0,0,0,0.2); padding: 20px; border-radius: 10px; margin: 20px 0; } .instructions h3 { margin-top: 0; } button { background: #4CAF50; color: white; border: none; padding: 15px 30px; font-size: 16px; border-radius: 5px; cursor: pointer; margin: 10px 5px; transition: background 0.3s; } button:hover { background: #45a049; } button.secondary { background: #2196F3; } button.secondary:hover { background: #1976D2; } </style> </head> <body> <div class="container"> <h1>🔒 CVE-2025-12728 PoC</h1> <h2>Omnibox UI Spoofing - Google Chrome Android</h2> <div class="warning"> ⚠️ <strong>Educational Purpose Only</strong><br> This PoC demonstrates the UI spoofing vulnerability in Chrome Android Omnibox. Do not use for malicious purposes. </div> <div class="instructions"> <h3>Vulnerability Details</h3> <ul> <li><strong>CVE ID:</strong> CVE-2025-12728</li> <li><strong>Component:</strong> Omnibox in Google Chrome on Android</li> <li><strong>Severity:</strong> Medium (CVSS 4.2)</li> <li><strong>Affected:</strong> Chrome Android < 142.0.7444.137</li> <li><strong>Attack Type:</strong> UI Spoofing via crafted HTML + specific UI gestures</li> </ul> </div> <div class="instructions"> <h3>How to Test</h3> <ol> <li>Open this page in Google Chrome on Android</li> <li>Click the "Trigger UI Spoof" button below</li> <li>Perform the requested UI gestures</li> <li>Observe the Omnibox address bar behavior</li> <li>Check if the URL displayed matches the actual page origin</li> </ol> <p><em>Note: The actual exploitation requires specific gesture sequences that trigger the Omnibox vulnerability. This PoC demonstrates the attack surface.</em></p> </div> <button onclick="simulateSpoof()">Trigger UI Spoof Demo</button> <button class="secondary" onclick="showInstructions()">View Technical Details</button> <button onclick="resetDemo()">Reset</button> <div id="status"></div> </div> <div id="spoofIndicator" class="spoof-indicator"> <h2>🔐 Secure Login</h2> <p>Please verify your identity:</p> <div style="text-align: left; margin: 20px 0;"> <p>👤 Username: <input type="text" placeholder="Enter username" style="padding: 8px; border-radius: 4px; border: 1px solid #ccc;"></p> <p>🔑 Password: <input type="password" placeholder="Enter password" style="padding: 8px; border-radius: 4px; border: 1px solid #ccc;"></p> </div> <button onclick="collectData()">Login</button> <p style="font-size: 12px; color: #666; margin-top: 15px;"> Note: In actual attack, Omnibox would show fake URL like https://google.com </p> </div> <script> // Simulate the UI spoofing attack mechanism // In real attack, this would manipulate Omnibox via browser vulnerabilities let gestureCount = 0; const requiredGestures = 3; function simulateSpoof() { gestureCount++; const status = document.getElementById('status'); status.innerHTML = ` <div style="background: rgba(255,255,255,0.2); padding: 15px; border-radius: 5px; margin-top: 20px;"> <p>🎯 Gesture ${gestureCount}/${requiredGestures} recorded</p> <p>Please perform: ${getNextGesture()}</p> <div style="margin-top: 10px;"> <button onclick="performGesture('scroll')">📜 Scroll Down</button> <button onclick="performGesture('tap')">👆 Double Tap</button> <button onclick="performGesture('pinch')">🤏 Pinch Zoom</button> </div> </div> `; if (gestureCount >= requiredGestures) { triggerSpoof(); } } function getNextGesture() { const gestures = ['Fast scroll down', 'Double tap anywhere', 'Pinch to zoom out']; return gestures[gestureCount % gestures.length]; } function performGesture(type) { // Simulate gesture recognition simulateSpoof(); } function triggerSpoof() { // Display fake login form (simulating the spoofed UI) document.getElementById('spoofIndicator').classList.add('show'); document.getElementById('status').innerHTML = ` <div style="background: rgba(255,0,0,0.3); padding: 15px; border-radius: 5px; margin-top: 20px;"> <h3>⚠️ UI Spoofing Attack Simulated</h3> <p>The fake login form above demonstrates what an attacker could display.</p> <p>In a real attack on vulnerable Chrome Android:</p> <ul> <li>Omnibox would show fake URL (e.g., https://google.com)</li> <li>User would believe they're on legitimate site</li> <li>Credentials entered would be stolen</li> </ul> </div> `; } function collectData() { alert('This is a PoC. In a real attack, credentials would be sent to attacker server.'); } function showInstructions() { alert('CVE-2025-12728 Technical Details:\n\n' + '1. Attacker creates malicious HTML page\n' + '2. User visits page in vulnerable Chrome Android\n' + '3. Page triggers specific UI gesture sequences\n' + '4. Omnibox displays spoofed URL\n' + '5. User tricked into entering sensitive data\n\n' + 'Fix: Update Chrome Android to version 142.0.7444.137 or later'); } function resetDemo() { gestureCount = 0; document.getElementById('spoofIndicator').classList.remove('show'); document.getElementById('status').innerHTML = ''; } // Track user interaction for PoC demonstration document.addEventListener('touchstart', function(e) { // Track touch events as potential gesture input console.log('Touch event detected for gesture analysis'); }); document.addEventListener('scroll', function(e) { // Track scroll events console.log('Scroll event detected'); }); </script> </body> </html>

{"cve": {"id": "CVE-2025-12728", "sourceIdentifier": "[email protected]", "published": "2025-11-10T20:15:39.967", "lastModified": "2025-11-25T14:59:53.813", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Inappropriate implementation in Omnibox in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L", "baseScore": 4.2, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.6, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-451"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "versionEndExcluding": "142.0.7444.137", "matchCriteriaId": "282A7796-3A7D-4050-9B8D-1DF46E9669CA"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "versionEndExcluding": "142.0.7444.134", "matchCriteriaId": "B3907D2C-FD39-49C9-B6D2-AF6A29921831"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}, {"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "versionEndExcluding": "142.0.7444.135", "matchCriteriaId": "E1456F40-81F4-4166-A327-35AD53E2A36A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}]}]}], "references": [{"url": "https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop.html", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://issues.chromium.org/issues/452392032", "source": "[email protected]", "tags": ["Issue Tracking", "Permissions Required"]}]}}