Google has patched a low-severity flaw in Chrome for Android that allowed attackers to spoof the browser’s Autofill interface, potentially duping users into exposing saved credentials on malicious sites. The vulnerability, cataloged as CVE-2026-14134, was fixed ahead of version 150.0.7871.47 and disclosed on June 30, 2026.
A crafted HTML page could manipulate the Autofill prompt’s appearance, making it seem as though the browser was offering to fill login data for a legitimate domain when in reality the form was under an attacker’s control. The bug doesn’t grant remote code execution or privilege escalation, but its potential for phishing-style credential theft warranted the fix.
What Actually Changed
Chrome’s Autofill feature stores usernames, passwords, addresses, and payment details and suggests them when you tap into a form field. The core of CVE-2026-14134 lay in a UI misrepresentation: the pop-up that surfaces saved credentials could be visually altered by a specially designed web page. An attacker could craft a login form that triggers the Autofill prompt but overlay, resize, or restyle it so that the domain label or field name shown to the user doesn’t match reality.
For example, a phishing page for “bankofarnerica.com” might trigger an Autofill dropdown that displays your saved credentials for “bankofamerica.com.” Because users have been conditioned to trust the browser’s native UI, they could tap to fill without a second thought. Google has classified the flaw as low severity, likely because the attack requires user interaction and doesn’t bypass Chrome’s core sandboxing or site isolation protections. The attacker must also persuade the victim to visit the crafted page.
The advisory does not detail the technical mechanism. Based on similar past flaws (like CVE-2023-3214 or the Android autofill phishing attacks demonstrated at Black Hat in 2019), the issue probably involved how Chrome renders the autofill overlay or handles the focus state of form fields. The fix in version 150.0.7871.47 presumably tightens the rendering pipeline to prevent spoofed UI elements from masquerading as the legitimate Autofill interface.
What It Means for You
If you use Chrome on an Android phone or tablet, this vulnerability underscores a subtle but persistent risk: the browser’s convenience features can be weaponized against you. Here’s who should pay attention:
Everyday Users
- You are the primary target. Phishing campaigns that exploit autofill bugs don’t require malware; they exploit trust in the browser’s own UI. If you have passwords saved in Chrome (or Google Password Manager), a malicious site could silently trick you into auto-filling credentials, which are then sent to the attacker.
- But the risk is manageable. Google says no attacks were detected in the wild prior to the patch, and the flaw is patched now. As long as your Chrome is updated to version 150.0.7871.47 or newer, you’re protected.
- The behavioral takeaway is timeless: Always check the URL bar before submitting credentials, even if Autofill offered them. If anything feels off, don’t tap “fill.”
Administrators and IT Professionals
- Enterprises managing Android fleets should ensure Chrome is updated across all devices. The fix is bundled in a routine browser update, so it likely rolled out via Google Play Store updates in late June 2026.
- If you push Chrome updates through MDM, verify that version 150.0.7871.47 is deployed. Consider blocking older versions of Chrome that may remain on legacy devices.
- This CVE won’t trigger high-priority patch cycles given its low severity, but it’s a good reminder to audit autofill policies in managed browsers.
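As an added example (not from Google's advisory or any MDM vendor), here is a small Python check an administrator could run over an inventory export to flag Android devices whose Chrome build is still below 150.0.7871.47. It assumes a constructed CSV with device_id, package and version columns and the package name com.android.chrome; the device ids and versions are made up.

```python
import csv
import io

# Minimum patched Chrome for Android build named in the advisory.
MIN_PATCHED = "150.0.7871.47"
CHROME_PACKAGE = "com.android.chrome"  # assumed package name for Chrome on Android


def parse_version(version: str) -> tuple:
    """Turn a dotted Chrome version into a tuple of ints so it compares numerically.
    A plain string comparison would wrongly rank 150.0.7871.100 below 150.0.7871.47."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> bool:
    """True when the installed build is at or above the fixed build."""
    return parse_version(version) >= parse_version(MIN_PATCHED)


def audit_inventory(csv_text: str) -> dict:
    """Return {device_id: version} for every Chrome install still below the fix.
    Rows for other packages are skipped; unparsable versions are flagged for review."""
    unpatched = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["package"] != CHROME_PACKAGE:
            continue
        try:
            if not is_patched(row["version"]):
                unpatched[row["device_id"]] = row["version"]
        except ValueError:
            unpatched[row["device_id"]] = row["version"]  # cannot verify; flag it
    return unpatched


# Constructed sample export (hypothetical devices, not real inventory data).
SAMPLE_INVENTORY = """device_id,package,version
pixel-001,com.android.chrome,150.0.7871.47
pixel-002,com.android.chrome,150.0.7871.100
tab-003,com.android.chrome,150.0.7871.9
tab-004,com.android.chrome,149.0.7800.212
old-005,com.android.chrome,unknown
pixel-006,com.google.android.gm,2026.06.01
"""

if __name__ == "__main__":
    for device, version in sorted(audit_inventory(SAMPLE_INVENTORY).items()):
        print(f"{device}: Chrome {version} is below {MIN_PATCHED}")
```

Devices that come back from the audit are candidates for the version-blocking policy mentioned above; the "unknown" row shows why an unparsable version should be treated as unpatched rather than silently skipped.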
Developers
- Web developers should be aware that Chrome’s Autofill behavior can be manipulated through form attributes, JavaScript focus events, and CSS. Review your own sites to ensure no third-party scripts could alter the autofill context in unexpected ways.
- If you build authentication flows, never rely solely on the browser’s autofill as a trust signal. Always implement robust origin checks, and consider the WebOTP or Credential Management API as more secure alternatives for sensitive autofill scenarios.
How We Got Here
Chrome’s Autofill has been a fixture since the browser’s early days, and it has accumulated a history of security hiccups. In 2023, CVE-2023-3214 demonstrated that a malicious site could inject fake autofill prompts by abusing Chrome’s handling of iframe focus. In 2019, researchers at Black Hat USA showed how Android’s autofill framework could be gamed to steal credentials across apps. Google has steadily hardened the feature—adding origin matching, improving the rendering of the autofill popup, and requiring user gestures before filling sensitive fields.
CVE-2026-14134 appears to be a fresh variant in that lineage. The version numbering tells part of the story: Chrome 150 shipped in June 2026, and the fix was cherry-picked into the stable channel before the broader .7871 minor release. Google’s security team often assigns low severity to UI spoofing bugs because they lack the immediate impact of a memory corruption flaw. Yet for average users, the practical danger can be high: credential theft is the linchpin of most account takeovers.
Google did not disclose who reported the bug or whether a proof-of-concept exists. The company’s standard practice is to hold back technical details until most users have updated.
What to Do Now
- Check your Chrome version. Open Chrome on your Android device, tap the three-dot menu > Settings > About Chrome. The application will display the current version and check for updates. You should see 150.0.7871.47 or higher.
- If your device is managed, ask your IT department to confirm that the update has been approved and deployed.
- If for some reason you can’t update immediately—say you’re on an older Android version no longer supported by Chrome updates—consider these workarounds:
  - Disable Autofill for passwords: Go to Chrome Settings > Passwords, and toggle off “Offer to save passwords” and “Auto Sign-in.” This prevents the browser from showing stored credentials on any site, eliminating the attack surface. You’ll need to manually type passwords or use a third-party password manager that does not rely on WebView autofill.
  - Use Google Password Manager’s “Check password” feature to audit for reused or compromised credentials. If you fear you may have already fallen for a spoofed prompt, change passwords for critical accounts immediately.
  - Enable two-factor authentication everywhere. Even if a credential is stolen, a second factor stops the attacker from logging in.
- Stay alert in the long term. Phishing pages evolve. While this particular bug is fixed, attackers continuously find new ways to trick the browser UI. Treat Autofill as a convenience, not a security feature.
Outlook
Google typically publishes limited details for low-severity CVEs, but the Chromium bug tracker entry (when unsealed) may offer more technical depth. No evidence of active exploitation has surfaced, and with the fix now widely available, the window of risk is closing. Still, the episode reinforces a hard truth: every UI surface the browser paints is a potential phishing vector. Expect Google to continue tightening the sandbox around autofill, perhaps moving toward isolated rendering of prompt UI or stricter origin-tampering checks.
For now, the best defense is a robust update habit and a skeptical eye whenever your browser offers to fill in a password you didn’t explicitly request.