On June 30, 2026, Google disclosed a security flaw in Chrome for iOS that anyone who leans on passkeys might want to take seriously. The vulnerability, tracked as CVE-2026-14074, is rated low severity. It sits in the browser’s WebAuthentication implementation, the code that lets you sign into websites with a fingerprint or face scan instead of a password. A remote attacker who convinces you to visit a malicious HTML page could exploit subtle timing differences in how the browser processes authentication requests, potentially leaking fragments of information that undermine the very trust these passwordless logins are built on.
That last sentence should make you pause. A low-severity bug in a mobile browser might sound like a snoozer—the sort of thing you skip over in a change log. But CVE-2026-14074 is a quiet reminder that side-channel attacks don’t need high bug bounties to be dangerous, especially when they touch the credentials you’re using to lock down bank accounts, work apps, and email. If you use Chrome on an iPhone or iPad to approve passkey logins, you need to update. Now.
What Actually Changed
Google fixed the flaw in Chrome version 150.0.7871.47 for iOS, which rolled out through the App Store in late June. The release notes are terse: the company credits an external researcher for finding a side-channel information leak in the WebAuthentication API and says no in-the-wild exploitation was detected before the patch shipped.
WebAuthn—the standard behind FIDO2 and passkeys—is supposed to eliminate the risk of stolen passwords by using cryptographic key pairs stored securely on your device. When you authenticate, the browser performs a handshake with the relying party (the website) and the platform authenticator (your device’s secure enclave, like Touch ID or Face ID). The timing of those operations, however, can vary depending on factors like which credential is selected or whether a biometric check succeeds. CVE-2026-14074 let an attacker’s page observe those tiny timing variations to infer properties of the authentication flow.
Google’s advisory doesn’t spell out exactly what information could leak. Based on earlier WebAuthn side-channel research, the most likely scenario is that an attacker could determine whether a particular user already had a credential for a target service, or perhaps glean characteristics of the credential itself—such as its length or type. This isn’t a master key to your passkeys, but it is a chink in the armor that, combined with clever social engineering, could make credential phishing attempts much more precise.
What It Means for You
The practical risk depends heavily on who you are and how you use Chrome for iOS.
For everyday users: If you use Chrome as your primary iOS browser and have adopted passkeys for sites that support them (Google, Amazon, GitHub, and a growing list of others), you should treat this patch with more urgency than a typical low-severity fix. While there’s no evidence of active exploit in the wild, the window between disclosure and the first proof-of-concept code is often measured in hours, not days. An attacker could contrive a scenario—a link in a message, a booby-trapped ad—that brings you to a page designed to profile your device’s passkey stores before you’ve even had a chance to update.
For IT administrators and security teams: If your organization enforces passkey-only authentication for cloud apps, you now have a new variable to model. The side-channel requires the victim to use Chrome for iOS, navigate to an attacker-controlled page, and initiate a WebAuthn flow or simply have stored credentials that the page can probe. In a targeted attack, an adversary could use this as a reconnaissance step—identifying employees whose devices contain credentials for high-value services, then tailoring a secondary attack. The low CVSS score (likely around 3.0–4.0) reflects that exploitation requires user interaction and yields limited information. But when that information is the presence of a privileged account credential, the calculus changes. Push the browser update to managed devices immediately.
For developers and WebAuthn relying parties: This vulnerability underscores a design tension. The WebAuthn specification includes explicit warnings about timing attacks, but implementations in multithreaded JavaScript engines on resource-constrained mobile devices can be tough to harden completely. If you own a service that accepts passkeys, you should review your server-side login flows to ensure that no critical decisions are made based solely on information that a timing leak could expose—for example, using credential IDs as session tokens or assuming that a failed biometric with a certain timing pattern means the user is legitimate. Defense in depth still matters, even when the crypto is solid.
How We Got Here
The timing of CVE-2026-14074 is notable because it lands at a moment when the tech industry is aggressively pushing passkeys as a replacement for passwords. Apple integrated passkeys deeply into iOS and macOS starting in 2022 with iCloud Keychain syncing. Google followed with broad support in Chrome and Android, and Microsoft rolled out passkey authentication for consumer accounts. The FIDO Alliance, which stewards the standards, has been relentless in its “kill the password” messaging.
This bug doesn’t break passkeys, but it reminds us that no security mechanism is a silver bullet. Side-channel analysis has been a bête noire for cryptographic implementers since the 1990s. In a classic timing attack, an observer measures the duration of a computation to deduce secret data—like how long it takes a CPU to process a private key operation, revealing bits of the key. WebAuthn on iOS adds a layer of complexity because the actual key material is locked inside the Secure Enclave, but the JavaScript API that coordinates the dance between the browser, the website, and the enclave runs in a less isolated context. If that coordination takes a different number of milliseconds depending on whether a credential exists or which algorithm it uses, an attacker can eavesdrop.
Researchers have been flagging these risks for years. A 2021 academic paper demonstrated practical timing attacks on WebAuthn in desktop browsers, and the FIDO Alliance’s own security reference notes the importance of constant-time operations. However, implementing truly constant-time code in a JavaScript engine that talks to platform-native APIs is not trivial. The iOS Chrome team appears to have missed a code path where the runtime of an authentication request could be observed via the WebAuthn JavaScript interface itself—perhaps through the precisely timed execution of Promises or callbacks.
Google’s rapid disclosure on June 30 came after a coordinated vulnerability reporting process. The researcher who found the flaw likely reported it through the Chrome Vulnerability Reward Program, which pays bounties for bugs in Chromium-based browsers. Google typically assigns severity based on the worst-case practical impact, not theoretical risk, which often results in conservative ratings. A “low” severity here means that exploiting the bug isn’t trivial, doesn’t give direct access to the operating system, and probably requires some degree of user profiling. But as we’ve seen with chained exploits, multiple low-severity flaws can be worse than one critical one.
What to Do Now
The fix is automatic for most users, but not instantly. Chrome for iOS updates through the App Store, and Apple’s update cadence means it can take a few days for the new version to appear on everyone’s device. Here’s how to make sure you’re protected:
- Check your version. Open Chrome on your iPhone or iPad. Tap the three-dot menu, go to Settings, then scroll down to “About Chrome.” If the version isn’t 150.0.7871.47 or higher, you need to update.
- Update immediately. Go to the App Store, tap your profile icon, and pull down to refresh the updates list. If Chrome appears, tap Update. If it doesn’t, you may already be up to date. Manually searching for “Chrome” in the App Store can also prompt the update.
- Enable automatic updates (if you haven’t). In iOS Settings → App Store, turn on App Updates. This helps but doesn’t guarantee same-day patching; Apple’s background update mechanism can be slow.
- Be mindful of links and suspicious pages. Until you confirm the patch is applied, avoid clicking untrusted links in messages or emails that open in Chrome. If a site suddenly asks for a passkey login unprompted, close the tab.
- For administrators: push the update via MDM. If you manage a fleet of iPhones and iPads, use your mobile device management solution to enforce the minimum Chrome version. Combine this with conditional access policies that block older browser versions from authenticating to corporate apps.
- Monitor for signs of targeted exploitation. There are no public reports of active attacks, but security teams should watch for unusual WebAuthn errors in application logs, particularly from iOS Chrome client strings, and consider adding detection rules that flag rapid-fire authentication attempts that fail with plausible timing side-channel behavior.
If you’re a relying party developer, test your WebAuthn implementation against the patched Chrome version. Use FIDO Alliance conformance tools to ensure your flows aren’t inadvertently amplifying timing differences. And participate in ongoing standards discussions: the W3C WebAuthn Working Group regularly updates the specification to address newly discovered side channels.
Outlook
CVE-2026-14074 won’t be the last side-channel we see in a mobile browser’s authentication stack. As passkeys become the default login method for billions of users, the attack surface expands proportionally. Every new platform integration—TEEs, biometric sensors, cloud-synced keychains—introduces boundaries where timing, power consumption, or even electromagnetic emanations can leak secrets. The good news is that the industry has gotten very good at coordinating these fixes: the disclosure was clean, the patch was quick, and the severity rating, while low, has sparked enough conversation that nobody can plead ignorance.
What to watch next: Google’s Chrome 151 beta for iOS, likely to land within weeks, will undergo deeper WebAuthn testing. The researcher behind this find will probably publish technical details once users have had ample time to update, which could reveal whether other browsers on iOS (Safari, Edge, Firefox) share the same weakness. Apple requires all iOS browsers to use WebKit, but WebAuthn calls may still differ at the app layer; Safari’s native implementation might not be affected. Keep an eye on CVE databases for sister flaws in other engines.
For now, the immediate lesson is simple: low severity doesn’t mean low urgency when it comes to the tools that store your online identity. Update Chrome for iOS today. Then update it again next week, and the week after that. Passwords are dying, but patching will never go out of style.