Google has patched a significant security hole in Chrome for iOS that could allow a malicious website to impersonate parts of the browser’s interface, potentially tricking users into handing over passwords or other sensitive data. The update, version 150.0.7871.47, was quietly pushed out on June 30, 2026, addressing the flaw tracked as CVE-2026-13980. If you use Chrome on an iPhone or iPad, here’s why you should stop reading and install the update right now—and what this vulnerability actually means for your daily browsing.
The Fix in Detail
The latest Chrome for iOS brings no flashy new features or performance boosts—just a critical security patch. The changelog, posted on Google’s Chrome Releases blog, lists exactly one fix: CVE-2026-13980, described as “insufficient UI validation in the browser’s omnibox.” In plain English, that means an attacker could craft a web page that hijacks the look of legitimate browser elements like the address bar, lock icon, or security indicators.
The bug was reported by an external researcher and apparently lurked in every version of Chrome for iOS prior to 150.0.7871.47. Google’s advisory notes that the vulnerability could be exploited by “a remote attacker via a crafted HTML page” to “spoof browser interface information.” The company hasn’t released technical details yet—standard practice to give users time to patch—but security analysts say UI spoofing bugs are especially dangerous on mobile devices where screen space is limited and users rely heavily on visual trust signals.
It’s worth noting: Chrome on iOS is not a full-fledged Chromium browser. Apple requires all third-party browsers on iOS to use its built-in WebKit rendering engine, so Chrome for iOS is essentially a wrapper around Safari’s engine with Google’s UI and sync features. That means this vulnerability is specific to Chrome’s own interface layer, not a core WebKit flaw. In fact, the same bug wouldn’t exist in Safari or other iOS browsers because they handle the UI differently.
What UI Spoofing Looks Like on iOS
Imagine tapping a link in an email that claims to be from your bank. The page that opens shows a familiar Chrome address bar with a green lock icon and “bankofamerica.com” displayed perfectly. You enter your username and password. But the actual URL, hidden beneath a carefully designed overlay, is a lookalike domain like “bankofamerca.com” controlled by hackers. Because the address bar isn’t real, you’ve just handed over your credentials without any obvious warning.
That’s the kind of attack CVE-2026-13980 makes possible. In a test environment, proof-of-concept exploits likely demonstrate how a malicious site can completely replace the address bar with a fake one, or forge the “Not Secure” / “Secure” indicators that users have been trained to check. On an iPhone 15 or iPad Pro, where the screen is large enough to show full address bars, the impersonation could be pixel-perfect.
Spoofing attacks aren’t new—browsers have fought them for decades—but each new variant erodes the trust users place in the browser as a secure intermediary. Google’s Chrome team has made Omnibox security a top priority since at least 2017, but the ever-changing landscape of web technologies and device form factors means new entry points continually emerge.
Why Mobile Browsers Are a Prime Target
Mobile phishing has surged in recent years, with attackers favoring SMS, email, and messaging links that open silently in browsers. In 2025, mobile phishing attempts rose by 40% year-over-year, according to Verizon’s Data Breach Investigations Report. The small screen size makes it harder for users to scrutinize URLs, and the habit of tapping quickly increases the chances of falling for a spoofed interface.
CVE-2026-13980 amplifies these risks because it doesn’t just overlay a fake login form—it fakes the browser’s own security UI. Users who habitually check for the padlock and verified domain could still be fooled. This is a textbook example of why relying solely on user vigilance fails; the browser must enforce UI integrity at the code level.
The iOS Twist: WebKit Restrictions
Every browser on iOS rides on top of Apple’s WebKit engine, which means Google can’t simply patch the rendering pipeline. Instead, Chrome’s team must secure the interface layer they control: tabs, address bar, menus, and navigation. This split responsibility sometimes creates unique vulnerabilities like CVE-2026-13980, where a flaw in Chrome’s custom UI code—not WebKit itself—opens the door.
That also means Safari and other iOS browsers aren’t affected by this particular bug. If you depend heavily on Chrome for cross-platform syncing, you’ll need to weigh that convenience against the potential exposure until you update.
Who’s Affected and What’s at Stake
The vulnerability touches anyone who uses Chrome on an iPhone, iPad, or iPod touch. According to Statcounter, Chrome holds roughly 5% of the iOS browser market, which may sound small but translates to tens of millions of users given the billion-plus active iOS devices. Many of those are professionals or business users who rely on Chrome for its cross-platform syncing with Windows or Android devices.
For the average user, the risk is moderate but real. Phishing campaigns that leverage browser UI spoofing typically target high-value credentials: email logins, financial accounts, corporate VPN access. If you use Chrome’s built-in password manager, a spoofed login page could even capture auto-filled credentials—though the password manager might not autofill if the actual domain doesn’t match the saved site. Still, a convincing fake could socially engineer users to type credentials manually.
For IT administrators managing fleets of iOS devices via an MDM (Mobile Device Management) solution, the situation is more pressing. Unpatched devices become a soft entry point into corporate networks, especially if employees use Chrome to access internal portals. CVE-2026-13980 has a CVSS score of 6.5 (Medium) according to early assessments, but the ease of exploitation—simply visiting a webpage—elevates its practical severity.
The Path to Chrome 150: A Quick Timeline
Chrome’s version numbers have spiraled upward over the years, and version 150 in mid-2026 continues the browser’s rapid release cadence. Google typically rolls out major milestones every four weeks, with security patches sprinkled between them. iOS updates often lag slightly behind desktop counterparts because of Apple’s App Store review process, which can delay fixes by a day or two. That’s why Chrome 150.0.7871.47 debuted on June 30, 2026, while its desktop counterpart may have shipped earlier.
The CVE-2026-13980 itself was apparently reported through Google’s Vulnerability Rewards Program (VRP), though Google’s advisory doesn’t list a bounty amount or researcher name—often the case when an investigation is ongoing. The timeline from report to fix suggests a coordinated disclosure, where the researcher waits for a patch before going public. Google hasn’t indicated whether this bug was actively exploited in the wild, but the low-key handling implies it was either responsibly disclosed or caught internally.
For historical context, the last major iOS-specific Chrome spoofing bug was CVE-2024-4671 in early 2024, which also involved a crafted HTML page overwriting the loading screen. Since then, Google has hardened the interface rendering code, but as mobile browsers become more complex, the attack surface grows.
How to Update Right Now
Updating Chrome on iOS is straightforward but easy to overlook because iOS’s background app refresh doesn’t always force-update apps. Here’s the step-by-step:
- Open the App Store on your iPhone or iPad.
- Tap your profile icon in the top-right corner.
- Scroll down to see pending updates. (Pro tip: pull down to refresh the list if you don’t see Chrome.)
- Find Chrome in the list and tap “Update.” If it says “Open” instead, you’re already on the latest version—but double-check by going to Settings > General > iPhone Storage > Chrome, where the version is listed. It should read 150.0.7871.47 or higher.
- If you don’t see an update, wait a few hours and check again; the rollout can be gradual.
Alternatively, you can enable automatic updates (if you trust them): go to Settings > App Store and toggle on “App Updates.” However, automatic updates can take days to kick in, so manual updating is the surest route.
For enterprise environments, IT admins should push the update through their MDM platform immediately. Most MDM solutions allow you to force-install the latest public version of an app. If your organization uses Apple Business Manager, ensure the Chrome app is licensed and that automatic updates are enabled in the MDM policy. Some admins may also choose to block Chrome entirely until devices are verified, though that’s a heavy-handed measure.
If you’re a Windows user who also uses an iPhone, don’t forget that Chrome’s sync also extends to passwords and history. A compromise on your mobile device could expose your desktop accounts. So even if you mostly browse on Edge, updating Chrome on iOS closes a backdoor.
What’s Next for Chrome Security
Google has not yet published a detailed write-up for CVE-2026-13980, but security researchers will likely reverse-engineer the fix once the patch has circulated widely. Expect a technical breakdown on Chromium’s bug tracker within a few weeks. In the meantime, the best defense is staying updated—not just for Chrome, but for all browsers on your iOS device. Safari, Firefox, and Brave each have their own update cycles, and vulnerabilities don’t discriminate by app.
For Windows users who don’t own an Apple device, this bug may seem irrelevant. But it’s a reminder that the browser boundary is fragile on all platforms. UI spoofing has cropped up in Edge, Chrome on desktop, and even in web-based apps like Teams. The lesson: treat your browser like the operating system it’s become, and patch it relentlessly.
One final note: if you’re still using Chrome on an older iOS version that can’t run iOS 16 or later (the minimum for Chrome 150), you’re out of luck. Google typically maintains backward compatibility for a couple of iOS generations, but devices stuck on iOS 15 or earlier won’t receive this patch. If that describes your device, consider switching to Safari or a still-supported browser for sensitive tasks.
CVE-2026-13980 is a classic browser spoofing bug that chips away at the trust users place in the chrome around their web experience. The fix is simple: update Chrome for iOS to version 150.0.7871.47. Whether you’re an iPhone power user or a Windows sysadmin managing BYOD devices, that one tap could save you from a very convincing phish.