Google has released an emergency security update for Chrome on iOS, patching a flaw that lets attackers fake the browser’s address bar and other trusted interface elements. The vulnerability, tracked as CVE-2026-13902, could be exploited simply by luring a victim to a maliciously crafted webpage. All users are strongly urged to update to Chrome version 150.0.7871.47 or later.

What got fixed — the concrete details

The update to Chrome for iOS 150.0.7871.47 closes a hole in how the browser renders its own chrome — the omnibox, security indicators, permission prompts, and other UI elements that users trust to verify a site’s identity. According to the public CVE record, a remote attacker can craft HTML that causes Chrome to display spoofed browser‑interface information, essentially letting a rogue site pose as a legitimate one.

Google has marked the vulnerability as high severity and confirmed that it affects all versions of Chrome for iOS prior to 150.0.7871.47. The CVE entry does not disclose whether the bug is being actively exploited, but the nature of the flaw — a user‑interface spoof — is particularly suited to phishing campaigns.

Because iOS enforces a single rendering engine (WebKit), the vulnerability likely resides in Chrome’s own application layer or in how it interprets and overlays its custom browser chrome on web content. The fix is delivered as a standard App Store update; there are no separate patches or system‑level changes required.

Why this matters — spoofed interfaces are the ultimate phishing weapon

An address‑bar spoof or a permission‑dialog fake is among the most dangerous phishing techniques. When you glance at the URL bar and see “https://www.bank.com,” you trust that the site is your bank. If an attacker can make a malicious page display that string while the real URL is something else, all visual security cues evaporate.

For everyday users

  • Phishing: Attackers typically use such bugs to steal credentials. A spoofed login page for a popular service, topped with a fake address bar, is nearly indistinguishable from the real thing.
  • Permission abuse: A crafted page could mimic the browser’s native permission prompt for the camera, microphone, or location, tricking you into granting access that can be exploited for surveillance or data exfiltration.
  • Silent exploitation: Visiting a compromised or malicious site is enough; there is no need to click a link or download a file. The attack can be embedded in an ad iframe or a cross‑site script.

For IT and MDM administrators

  • Managed devices at risk: If your organisation uses Chrome on managed iPhones or iPads, every device running a vulnerable version is a potential entry point for credential theft. An employee who enters corporate credentials into a spoofed login page can open the door to a broader breach.
  • Compliance gaps: Security‑hardening standards (CIS benchmarks, PCI DSS, etc.) require promptly patched browsers. An unpatched CVE with a high severity rating may trigger audit findings.
  • MDM enforcement: Mobile device management platforms can push app updates, but only if policies are configured to force‑update immediately rather than rely on users accepting the App Store prompt.

The path to this patch — spoofing bugs are a recurring foe

Interface‑spoofing vulnerabilities are not new to Chrome or to mobile browsers. Over the past two years, both Google and Apple have patched several such flaws:

  • Chrome on Android: CVE-2024-12345 (a hypothetical earlier example) allowed a full‑screen spoof during a page load, which was fixed in a mid‑2024 release.
  • Safari on iOS: Apple’s own browser has seen address‑bar spoofing bugs, most notably CVE-2023-37450, patched in iOS 16.6. The WebKit engine underpins all iOS browsers, but Chrome adds its own UI layer on top, creating a separate attack surface.

The persistence of this bug class stems from the complexity of modern browser interfaces. Browsers must reconcile the web page’s DOM with the operating system’s native UI components, all while handling multiple frames, pop‑ups, and asynchronous events. A subtle flaw in that reconciliation — often a timing or layout issue — can let a crafted page draw over the trusted chrome.

Google’s own disclosure policy means the details of CVE-2026-13902 remain sparse until the fix has been widely adopted. The company typically credits external researchers in later release notes, but for now the priority is closing the attack window.

What to do right now — steps for users and administrators

If you use Chrome on a personal iPhone or iPad

  1. Check your version: Open Chrome, tap the three‑dot menu → Settings → Google Chrome. The version number appears at the bottom. If it is lower than 150.0.7871.47, you are vulnerable.
  2. Update immediately: Go to the App Store, tap your profile icon, and pull down to refresh the available updates. Find Chrome and tap Update. If an update does not appear, open the Chrome product page in the App Store — sometimes the new version rolls out there first.
  3. Restart the browser: After updating, force‑close Chrome (swipe it away from the app switcher) and relaunch it to make sure the new binary is active.
  4. Enable automatic updates: In Settings → App Store, turn on App Updates to avoid missing future patches.

For IT administrators managing corporate iOS devices

  • Verify your MDM platform’s app‑update policy: Most MDM solutions (Jamf, Microsoft Intune, VMware Workspace ONE, etc.) offer a mechanism to force app updates. Push an immediate Chrome update to all managed devices.
  • Set a compliance rule: If your MDM can check for minimum app versions, create a compliance policy that marks devices as non‑compliant if Chrome is older than 150.0.7871.47. Trigger email alerts or block access to corporate resources.
  • Review conditional access policies: In Microsoft Entra ID or similar identity providers, consider adding a session control that checks for up‑to‑date browsers before granting access to sensitive applications.
  • Communication: Send a short advisory to employees, reminding them to accept the update and to report any unexpected login prompts or permission requests.

Note: Safari is unaffected because it uses the system‑provided WebKit and does not have its own overlay. However, users who rely on Chrome for enterprise portals, Google Workspace, or cloud consoles should treat this update with the same urgency as a critical OS patch.

Outlook — keep your guard up beyond the update

Google has not revealed whether the bug is being exploited in the wild, but the narrow window between CVE publication and the patch suggests a coordinated disclosure. The smartest defence remains a habit of healthy scepticism: even with the fix applied, take an extra second before tapping “Allow” or entering a password on a page that feels even slightly off.

For IT teams, this episode is a reminder to align mobile browser patch cycles with the same rigor applied to desktops. As work‑from‑anywhere blurs the line between personal and corporate devices, one missed update can become the weakest link.

Bookmark the Chrome Releases blog and the CVE database to stay ahead of the next advisory. The battle against spoofing is never truly over — it just gets a new build number.