Google shipped an emergency fix for Chrome on iOS on Tuesday, patching a medium-severity flaw that allowed a remote attacker to steal cross-origin data simply by convincing a victim to visit a booby-trapped webpage. The update, labeled version 150.0.7871.47, is rolling out now through the App Store and addresses a single vulnerability tracked as CVE-2026-13889.
Anyone running an older build of Chrome on an iPhone or iPad should install the update immediately. While the bug is rated medium, side-channel attacks that leak information across websites are the kind of quiet data theft that often flies under the radar.
The Flaw at a Glance
CVE-2026-13889 is a side-channel vulnerability residing in the way Chrome for iOS handles WebAuthentication requests combined with certain HTML patterns. According to Google’s advisory, a remote attacker can craft a malicious page that, when loaded, uses timing measurements or other indirect signals to extract data from another origin—such as login tokens, contact details, or private dashboard content—that would normally be isolated by the browser’s security boundaries.
No user interaction beyond visiting the page is needed. The attacker doesn’t need to know the victim beforehand, and there’s no evidence the bug requires elevated privileges or a complex exploit chain. The core issue lies in how speculative execution or resource access timing can inadvertently reveal information from a different site that the user may be logged into simultaneously.
Google has given the flaw a CVSS score of 5.3, putting it firmly in the medium range. That often means exploitation requires precision, but the data leaked can be sensitive enough to warrant a rapid response. The company says it is not aware of active exploitation in the wild, but the update sews the hole before attackers have a chance to weaponize the technique.
What Does This Mean for You?
If you use Chrome on iOS, the fix matters. The attack scenario is straightforward: you browse to an attacker-controlled site while logged into, say, your webmail or a banking portal in another tab. Through this side channel, the malicious page could siphon a token or a snippet of data that lets an attacker impersonate you or piece together private information.
For everyday users, the practical risk is limited—the bug requires a precise combination of hardware behavior and timing, and widespread attacks are unlikely. But targeted attacks against journalists, activists, business executives, or anyone with valuable account access are a real concern. Side-channel leaks are notoriously hard to detect because they leave no logs on the victim’s device or on the target server.
If you use Chrome as your primary browser on an iPhone, updating is the only reliable defense. There are no workarounds. The attack doesn’t depend on JavaScript being enabled—HTML and CSS alone can sometimes trigger enough timing variance—so disabling scripting isn’t a silver bullet.
For IT administrators managing fleets of company-owned iPhones, this update should be pushed forcefully through MDM policies. While the severity is medium, a data leak from a corporate email account or internal dashboard can have serious compliance and reputational consequences. Checking that all managed devices are on version 150.0.7871.47 or later is a straightforward hygiene step.
Web developers and security engineers should take note of how the flaw interacts with WebAuthentication (the API behind passkeys and biometric logins). The vulnerability underscores the delicate balance between performance optimizations and security isolation in mobile browsers. If your application handles sensitive data, it may be worth reviewing whether Server-Timing headers or other mechanisms could inadvertently amplify timing side channels—and ensuring your Content Security Policy is as strict as possible.
How We Got Here
Side-channel attacks against web browsers are not new. The Spectre and Meltdown disclosures of 2018 showed that modern processors can leak information through speculative execution. Since then, browser vendors have deployed a battery of mitigations—site isolation, timer resolution reductions, and stricter cross-origin policies—to close these channels.
Chrome on iOS, however, operates under Apple’s mandated WebKit rendering engine. That means many severe CPU-level side-channel fixes depend on Apple’s own firmware and operating system updates rather than Chrome’s codebase. CVE-2026-13889 appears to be a logic bug that Google could fix within its own layer, perhaps in the way Chrome passes credentials or handles WebAuthentication promises in a way that inadvertently exposes timing information accessible to WebKit.
The WebAuthentication API has been a target before. Researchers have demonstrated that the timing of credential discovery or assertion generation can in certain conditions be measured by a malicious page sharing the same process. Apple’s enforced single-process architecture for third-party browsers on iOS often blurs the isolation guarantees that desktop browsers rely on. This bug is the latest reminder that the iOS browser ecosystem remains, by design, less compartmentalized than on Android or desktop.
Google’s patch cadence for Chrome on iOS has been steady. The previous update, version 149.x, shipped roughly six weeks ago under the standard release cycle. An out-of-band fix like this one suggests that CVE-2026-13889 was reported through Google’s Vulnerability Reward Program or discovered internally and deemed urgent enough to skip the normal release train. The CVE number indicates it was assigned in 2026, so the bug has likely been known to Google for at least a few weeks, if not months, prior to public disclosure.
What to Do Now
Start by checking your current Chrome version on iOS. Open Chrome, tap the three-dot menu > Settings > About Chrome. If the displayed version is 150.0.7871.47 or higher, you’re protected. If it’s anything lower, you need to update.
The App Store doesn’t always push updates immediately for everyone. Manually trigger it: open the App Store, tap your profile icon, scroll down to the updates section, and pull to refresh. If you see Chrome listed, tap Update. If not, the update may still be propagating to Apple’s servers; check back in a few hours.
For those using multiple browsers, note that this flaw is specific to Chrome on iOS. Safari, Firefox, and Edge on iOS are not affected, as they implement WebAuthentication differently. However, if you sync Chrome bookmarks and passwords across devices via your Google account, those credentials could be exposed if the iPhone browser is compromised. So the update protects not just the iOS browsing session but also the broader Google account ecosystem.
Enterprise administrators should take these immediate steps:
- Push a notification to all iOS users with Chrome installed, instructing them to update to the latest version.
- Verify compliance by checking device inventory in your MDM solution (Microsoft Intune, Jamf, etc.) for the Chrome app version.
- Remind users to enable automatic app updates on their devices to reduce the window of exposure for future patches.
Beyond updating, consider reviewing which accounts you keep signed in on mobile browsers. The bug’s cross-origin data leak capability means a single compromised site visit could expose data from any other site you’re logged into. While the risk is low in practice, it’s a good hygiene moment to sign out of rarely used accounts or to use dedicated apps (like banking apps) instead of the browser where possible.
No additional settings need to be toggled inside Chrome. The fix is fully contained in the updated binary; simply installing it neutralizes the attack vector.
What’s Next
Google typically publishes technical details of fixed vulnerabilities a few weeks after the update ships, giving users time to patch before reverse-engineers can pick the flaw apart. Expect a write-up on the Chromium blog or the security advisory page that may include proof-of-concept code. Security researchers will undoubtedly probe similar interactions between WebAuthentication and HTML timing primitives, so this CVE could spur additional discoveries in other browsers or platforms.
Apple’s WebKit team is also likely to review the issue to see if a deeper fix at the engine level is warranted. Any patch from Apple would arrive as an iOS point update and affect all browsers on the platform, not just Chrome. Keep an eye on Apple’s security updates page in the coming weeks for related CVE entries.
The episode reinforces a broader lesson: mobile browsers, particularly on iOS, are not immune to the kinds of side-channel attacks that have plagued desktop computing. As web apps become richer and passwords give way to passkeys, the attack surface grows. Regular updates remain your cheapest and most effective defense. Turn on automatic updates, and when a CVE like this pops up, take the five seconds to verify you’re covered.
For now, updating Chrome on iOS to version 150.0.7871.47 is the entire story. Do it, and move on.