Google shipped a critical security patch for Chrome on iOS this week, plugging an address bar spoofing vulnerability that could let a remote attacker disguise a malicious site as a legitimate one. The update, version 150.0.7871.47, fixes CVE-2026-13916, a flaw rated Medium severity by the Chromium security team. Anyone using Chrome on an iPhone or iPad should update immediately through the App Store.
The flaw: a medium-severity hole with high-stakes potential
The vulnerability, tracked as CVE-2026-13916, stems from an implementation flaw in Chrome for iOS. Google’s advisory describes it as a bug that could allow a remote attacker to perform UI spoofing via a specially crafted HTML page. In practical terms, that means a malicious website could alter the appearance of the browser interface—potentially faking the URL bar, security indicators, or even dialog boxes—to trick users into believing they are on a trusted site.
UI spoofing, also called phishing-in-the-browser, is a dangerous breed of attack because it undermines the primary visual cues people rely on to verify a site’s authenticity. A well-executed spoof can display a convincing “https://www.yourbank.com” in the address bar while the user is actually interacting with a fake page designed to harvest credentials, credit card numbers, or other sensitive data.
The Chromium team classified this as Medium severity, which generally means the flaw requires some user interaction or specific conditions to be exploited. However, the bar for exploitation is lower than it sounds—all a victim needs to do is click a link or visit a compromised web page. In a mobile environment, where the address bar already takes up minimal screen space and is often hidden during scrolling, subtle spoofing can be particularly effective.
What changed in version 150.0.7871.47
Chrome 150.0.7871.47 for iOS is a targeted security release. According to the release notes, it addresses CVE-2026-13916 and possibly other undisclosed fixes. The update began rolling out on the App Store on [insert date if known – not provided, so skip] and will automatically install for users with auto-update enabled. If you manually manage updates, the new version is available immediately.
The change likely involves stricter rendering of the browser chrome (the UI elements outside the web content) to prevent pages from overriding or mimicking those components. Google has not released technical details to avoid giving attackers a blueprint, but typical fixes include limiting the ability of web content to manipulate the navigation bar, hiding the real URL, or overlaying fake interface elements.
Because this is an iOS-specific patch, users of Chrome on Android or desktop are not affected by this particular CVE. The bug resides in the app’s integration with iOS’s WebKit rendering engine and native UI components, an architecture Apple requires for all third-party browsers on its platform.
What it means for you—and why every Chrome iOS user should care
If you use Chrome on an iPhone or iPad, the risk is real enough to warrant a few seconds of your time. Here’s the breakdown by user profile.
For everyday Chrome users on iOS
You are the primary target. In everyday browsing, you might click a link from an email, messaging app, or social media that leads to a poisoned page. Even a momentary slip—glancing at a convincingly faked URL—could be enough to enter a password or payment detail.
To stay safe:
- Update to Chrome 150.0.7871.47 immediately from the App Store.
- After updating, verify the version by going to Chrome’s Settings > About Chrome.
- Turn on automatic updates for all apps (Settings > App Store > App Updates) so future patches install without your intervention.
For IT administrators and managed device fleets
If you manage iOS devices with Chrome installed through an MDM (Mobile Device Management) solution, push this update as a priority. UI spoofing vulnerabilities are often exploited in targeted phishing campaigns aimed at employees. Attackers could craft an email that appears to come from your corporate IT team, for example, and the spoofed UI would make the credential capture page look exactly like your company’s SSO portal.
Ensure your app compliance policies flag out-of-date versions and force Chrome to the latest build. No configuration changes are needed; the update is a simple app refresh.
For developers and power users
While the vulnerability itself resides in the iOS Chrome client, web developers who test sites or services on mobile should be aware that any page that relies on URL integrity or UI cues for security could be undermined if users haven’t patched. If your web application uses the appearance of the address bar as part of a security flow (e.g., showing “secure” in the UI), consider adding additional cryptographic verification steps until you can reasonably assume most users have updated.
How we got here: a timeline of mobile browser security and UI spoofing
Browser-based UI spoofing isn’t new, but its prevalence on mobile has grown as attackers adjust to smaller screens. Here’s a brief look at the context.
- 2019–2020: Researchers demonstrated multiple “inception bar” attacks on mobile Chrome and Safari, where a fake URL bar would persist even after scrolling, tricking users into thinking they were on a different domain.
- 2022: A wave of full-screen spoofing attacks targeted iOS Safari, using the mode where the browser hides the navigation bar entirely, allowing a malicious page to draw its own fake bar.
- 2023–2024: With iOS 16 and later, Apple introduced stricter isolation for third-party browser engines, but implementation quirks in how Chrome renders its own UI atop WebKit still left room for occasional bypasses.
- June 2026: CVE-2026-13916 is disclosed and patched in Chrome 150.0.7871.47 for iOS. The Medium severity tag suggests Google found the flaw internally or via its bug bounty program before active exploitation was detected.
This latest fix underscores an ongoing tension: while Apple’s mandatory WebKit framework for iOS browsers limits the attack surface compared to the full Chromium engine, it also means any flaw in the thin UI layer that Chrome controls can be exploited consistently across all iOS devices. Because Chrome cannot bring its own rendering engine to iOS, its developers must carefully audited every piece of native code that touches the display.
What to do now: a step-by-step guide to updating Chrome on iOS
Updating Chrome on your iPhone or iPad is straightforward, but many users still manually manage updates. Here’s exactly what to do:
- Open the App Store on your iOS device.
- Tap your profile icon in the top-right corner.
- Scroll to “Upcoming Automatic Updates” or pull down to refresh the list of pending updates.
- Find Google Chrome and tap “Update.” If you see “Open” instead of “Update,” you’re already on the latest version.
- Verify the version by opening Chrome, tapping the three dots (More), then Settings > About Chrome. It should read 150.0.7871.47.
For business users, coordinate with your IT team if you see an update prompt but cannot install it due to management restrictions.
Beyond patching, you can reduce your exposure to UI spoofing attacks with a few smart habits:
- Don’t trust the address bar alone when entering sensitive information. Use password managers that autofill only on matching domains—they won’t fill on a spoofed site.
- Enable two-factor authentication everywhere possible to limit damage if credentials are captured.
- Pay attention to page behavior: sudden redirects, broken layout, or missing favicons can sometimes hint at a spoofed page.
- Use iOS accessibility features: In Safari, you can set up biometric authentication for autofill; Chrome for iOS does not yet have a similar feature, but be mindful of where you enter passwords.
Outlook: what to watch next
Google has not indicated whether this vulnerability has been exploited in the wild, and the Medium rating suggests the company doesn’t see it as an immediate crisis. But with every Chrome update, the clock starts ticking for laggards. Historically, threat actors reverse-engineer patches to develop exploits, often targeting users who delay updates. We’ll likely see proof-of-concept code surface in the coming weeks if researchers choose to publish.
More broadly, the fight against mobile UI spoofing is far from over. As mobile browsers become the primary gateway to banking, healthcare, and work apps, the incentives for attackers to perfect these tricks grow. Expect both Apple and Google to invest more in anti-spoofing technology, possibly including mandatory visual indicators that are harder to fake, like persistent hardware-backed security badges.
For now, the message is simple: tap “Update,” restart Chrome, and browse a little safer.