Google has released an urgent update for Chrome on iOS to patch a vulnerability that could allow attackers to spoof the browser's interface and trick users into thinking they're on a legitimate website. The flaw, tracked as CVE-2026-13907, was disclosed on June 30, 2026, and affects all versions of Chrome for iOS prior to 150.0.7871.47. Users are strongly advised to update immediately from the App Store to avoid phishing and credential-theft attacks.
What's in the Update
Chrome for iOS version 150.0.7871.47 addresses a medium-severity security bug that stems from insufficient validation of certain UI elements. According to Google's security advisory, a remote attacker could craft a malicious HTML page that, when opened, would spoof critical parts of the browser's interface—such as the address bar, lock icon, or other security indicators. This is a classic UI spoofing attack, commonly used in phishing campaigns where a fake login page mimics a trusted service (like a bank or email provider) and the browser appears to show a legitimate URL. Without the fix, even cautious users could be fooled into entering credentials or sensitive data.
Google has not released full technical details about the vulnerability, a standard practice to give the majority of users time to update before attackers reverse-engineer the patch. The CVE entry, however, confirms the remote attack vector and the potential for UI manipulation. While the severity is rated Medium, the real-world impact can be high if combined with convincing social engineering.
The update is part of the stable channel release corresponding to Chromium M150, which also includes other bug fixes and performance improvements. The version number shows it's a minor refresh—the previous public release was likely 150.0.7871.46 or earlier, but Google typically doesn't list all interim versions.
What It Means for You
For Everyday iPhone and iPad Users
If you use Chrome as your primary browser on iOS, this vulnerability puts you at risk simply by visiting a website. An attacker could send you a link via email, text, or social media to a page that looks exactly like your bank's login, with a URL that appears correct in the browser bar. Without the patch, you might not spot the deception until it's too late. The fix closes that door entirely, so updating is the only sure way to stay safe.
Beyond phishing, UI spoofing can be used to trick users into granting permissions (like location or camera access) by overlaying fake dialogues. The update also improves the browser's resistance to such tricks.
For IT Administrators
If you manage corporate iOS devices, this vulnerability poses a risk when employees use Chrome for work. A successful phishing attack could lead to compromised corporate credentials, potentially opening the door to broader network access. Immediate steps include:
- Verifying that all managed devices have Chrome updated to at least version 150.0.7871.47 via your MDM dashboard.
- Pushing the update forcefully through MDM if automatic app updates are not enforced.
- Reviewing conditional access policies that might allow access from unpatched devices.
Even if your organization standardizes on Safari, many users install Chrome. Without a mobile threat defense solution that checks app versions, this vulnerability could become a blind spot.
For Windows Users with iPhones
The bug is exclusive to the iOS version of Chrome and does not affect the Windows, macOS, or Android editions. However, if you use an iPhone alongside your Windows PC, your mobile browser could be a weak link. Make sure your phone is updated to avoid cross-platform risks. This is especially important if you sync passwords or bookmarks between Chrome on iOS and Windows via your Google account.
How We Got Here
Chrome for iOS occupies a unique position: like all iOS browsers, it must use Apple's WebKit engine due to App Store guidelines. That means the core rendering and JavaScript execution are handled by the same engine as Safari, but Google builds its own user interface, sync services, and security layers on top. Vulnerabilities specific to Chrome on iOS often arise in that custom layer—exactly where this UI spoofing bug lives.
Historically, Chrome for iOS has seen a handful of such flaws. For example, CVE-2020-6506 on Android allowed a similar address bar spoofing attack. Mobile browsers have long been targeted by UI manipulation because screen real estate is limited, and security indicators can be truncated or overlapped.
Google typically synchronizes its security patches across platforms, but iOS updates can lag behind desktop and Android releases due to Apple's app review process. In this case, the fix arrived in a standard stable channel update, suggesting it was likely caught in Google's regular development cycle rather than being exploited in the wild. The disclosure date of June 30 is consistent with Google's bi-weekly release cadence for Chrome.
What to Do Now
Update Immediately
- Open the App Store on your iPhone or iPad.
- Tap your profile icon in the top right.
- Scroll down to the "Available Updates" section.
- Find Chrome in the list. If an update is available, tap the Update button next to it.
- After the update completes, the version number should be 150.0.7871.47 or later. To verify: open Chrome, tap the three-dot menu (…) > Settings > Google Chrome, and the version will appear at the bottom of the screen.
If you don't see the update, pull down to refresh the list. Rollouts can take a few hours to reach all regions. If you have automatic updates enabled, Chrome should update within the next 24 hours—but it's safer to trigger the update manually.
For Organizations
- Use your MDM platform to check the last-seen version of Chrome on managed devices. Flag any that are below 150.0.7871.47.
- If your MDM supports app update enforcement, push the latest version to all devices. For devices in kiosk mode or with managed configurations, schedule a maintenance window to ensure the update applies.
- Remind users to avoid opening suspicious links, especially in SMS or email, even after the update. Phishing attempts often leverage zero-day vulnerabilities, so caution remains essential.
What If You Can't Update Right Away?
If you're in a situation where you cannot update immediately (e.g., limited connectivity, corporate approval required), consider switching to Safari until the update is applied. Safari's UI components are separate and not affected by this specific Chrome flaw. Also, avoid logging into sensitive accounts using Chrome until you've patched.
Looking Ahead
Google hasn't said whether CVE-2026-13907 has been actively exploited, but medium-severity UI spoofing bugs are attractive to attackers building phishing kits. We'll likely see proof-of-concept code within days of the disclosure, if not already. The broader lesson is that mobile browsers are just as vulnerable to UI tricks as their desktop counterparts, and users should treat app updates with the same urgency as operating system patches.
Going forward, expect Google to continue its regular Chrome for iOS updates, typically every two weeks. We'll monitor for any further security advisories or unexplained attacks that might be linked to this vulnerability. For now, a quick trip to the App Store is your best defense.