Google has released Chrome version 150.0.7871.47 for iPhone and iPad, patching a medium-severity vulnerability that could let attackers trick you into thinking you’re on a legitimate website while you’re actually handing over passwords and credit card numbers to a criminal. The bug, tracked as CVE-2026-13908, is the latest in a long line of address bar spoofing flaws that remind us why keeping mobile browsers updated isn’t optional — it’s a frontline defense against everyday phishing.

What’s Changing in Chrome 150.0.7871.47

On the surface, the iOS App Store update looks routine: a new version number, a generic “bug fixes and performance improvements” note. But buried in Google’s Chrome releases dashboard, the patch lists a single security fix: CVE-2026-13908, described as “insufficient validation of untrusted input in the Omnibox.”

The Omnibox — Google’s name for the combined address bar and search box — is the one place most users glance to verify they’re on their bank’s site, not a lookalike. When an attacker can manipulate what appears there, the browser loses its most fundamental trust signal. According to the advisory, a carefully crafted URL or page could exploit the lack of input sanitization to display a domain that doesn’t match the actual website loaded.

Google has not disclosed the exact technique used to exploit the flaw, nor have they said whether it was discovered internally or reported through their Vulnerability Reward Program. But the fact that it earned a Medium severity rating (the second-lowest of four levels) suggests it requires some user interaction or unusual conditions to pull off, rather than a one-click remote takeover.

What This Means for You

If you use Chrome on an iPhone or iPad, the risk is real but manageable. The vulnerability falls squarely into the “trick the user” category: an attacker could send you a link that, when tapped, opens a page that looks like your email provider or credit union site, complete with a trusted URL in the address bar. From there, the scam plays out as any phishing attack does.

Because iOS forces all browsers to use Apple’s WebKit engine, the bug lives not in how Chrome renders web pages but in the custom interface layer Google builds around it — including the Omnibox. That means other iOS browsers aren’t affected unless they share a similar flaw in their address bar code. It also means the patch was entirely in Google’s hands; no system update from Apple is required.

For home users, the threat is moderate. You’d need to click a malicious link and then not notice any other telltale signs (like broken page elements, missing padlock icons, or an unusual keyboard behavior) to be fully duped. But history shows millions of people fall for well-crafted phishing pages every year, and a spoofed address bar removes one of the easiest ways to spot a fake.

For IT administrators managing fleets of company iPhones, the priority is higher. Mobile phishing attacks increasingly target corporate credentials, and if employees access SaaS tools or internal portals from personal iPhones, the address bar might be the only security indicator they check. An unpatched browser makes it easier for attackers to establish a beachhead.

How We Got Here

Chrome’s address bar has been a battleground for over a decade. On desktop, a class of tricks called “IDN homograph attacks” — using characters that look like Latin letters but aren’t — once allowed attackers to register domains that visually matched apple.com or google.com. Browser makers responded with strict display rules, stripping out deceptive Unicode or showing the real punycode behind the scenes.

On iOS, the attack surface is different because of Apple’s mandated browser engine policy. All third-party browsers must use WebKit, the same engine that powers Safari. That means Chrome for iOS is essentially Google’s custom UI on top of Apple’s rendering engine. The Omnibox, as a UI element, is fully under Google’s control — and so are its vulnerabilities.

CVE-2026-13908 is likely one of those UI-layer bugs. A malicious website could send crafted data that the Omnibox fails to validate before displaying. Perhaps it uses a redirect sequence to load a phishing page while simultaneously feeding the Omnibox a legitimate-looking URL. Or maybe it abuses the way Chrome handles long URLs, truncation, or the way it paints the text field after a user interaction.

Google has patched similar Omnibox spoofing bugs before — at least three others are listed in the Chrome stable channel update logs over the last two years, ranging from Low to High severity. The consistent theme: adversaries keep finding new ways to violate the sanctity of the address bar, and browser vendors keep closing those gaps.

The version number here — 150.0.7871.47 — follows Chrome’s breathless release cadence. Major milestones drop roughly every four weeks, with minor security and stability bumps in between. For iOS users, this update is actually part of the broader Chrome 150 release that began rolling out earlier this week, but the security fix was only finalized and disclosed in this specific dot-release.

Google’s policy is to withhold technical details of a vulnerability until the majority of users have installed the patch — a practice that limits the harm from unpatched devices while also frustrating security researchers who want to study the flaw. As of this writing, no proof-of-concept code appears to be publicly available, and there are no reports of active exploitation in the wild.

What to Do Right Now

The most urgent step is simple: update Chrome on your iOS device. Even if you don’t normally use Chrome as your daily browser, if it’s installed and you occasionally open links from emails or messages, the vulnerable code is present until you update.

How to update Chrome on iPhone or iPad:
1. Open the App Store.
2. Tap your profile icon in the top-right corner.
3. Scroll down to the list of pending updates.
4. Find Google Chrome in the list, then tap “Update.” If you don’t see it, pull down to refresh the list.
5. Alternatively, search for “Chrome” in the App Store, open its page, and tap “Update” if available.

Verify your version:
- Open Chrome.
- Tap the three-dot menu (⋮) > Settings > Google Chrome.
- The version number appears at the bottom of the screen. It should read 150.0.7871.47 or later.

Enable automatic updates (recommended):
- Go to Settings app on your iOS device.
- Tap App Store.
- Under Automatic Downloads, turn on “App Updates.” This ensures Chrome and all other apps stay current without manual intervention.

If you manage enterprise devices via MDM, push the update as soon as it’s available. Most management platforms can force an update or notify users within hours of a new release.

Outlook

Google hasn’t indicated whether this vulnerability will be identified publicly as being exploited in the wild. Given its Medium severity and the lack of an active campaign alert from Google’s Threat Analysis Group, it’s likely a proactive patch to a bug found internally or by a researcher. But browser spoofing is always a cat-and-mouse game. Expect more Omnibox hardening in future Chrome releases, and keep an eye on the Chrome Releases blog for details if and when Google publishes a postmortem.

For now, the best defense is the simplest one: take five seconds to update. It’s a minor delay compared to the hours — or weeks — of damage control after a credential theft.