CVE-2026-11172

Google · Chrome on Android

An incorrect security UI implementation in the Contact Picker of Google Chrome on Android allows remote attackers to perform UI spoofing via a crafted HTML page.

Executive summary

A high-severity UI spoofing vulnerability in Google Chrome on Android may mislead users into exposing sensitive contact information.

Vulnerability

This vulnerability stems from an incorrect security UI implementation within the Contact Picker component. A remote, unauthenticated attacker can use a crafted HTML page to spoof the picker's interface, potentially deceiving users into granting access to contacts under false pretenses.

Business impact

With a CVSS score of 8.8, this vulnerability poses a significant risk to user privacy. Successful exploitation could lead to the unauthorized exfiltration of contact lists or personal communication data, enabling follow-on phishing or social engineering campaigns against the affected user's network.

Remediation

Immediate Action: Update Google Chrome on Android to version 149.0.7827.53 or later.

Proactive Monitoring: Review mobile device permissions logs to identify any unexpected access requests to the contacts database.

Compensating Controls: Educate users on identifying legitimate application permission prompts and avoiding suspicious web interactions.
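For fleet operators who want to verify the "Immediate Action" step rather than trust an MDM dashboard, the following is an added example (not part of this advisory and not Google's code) that reads the installed Chrome versionName from an Android device and compares it numerically against the fixed build 149.0.7827.53. It assumes the package name com.android.chrome and the versionName= line emitted by adb shell dumpsys package; the dumpsys text embedded below is constructed sample output so the parsing logic runs offline. Beta or Canary channels ship under different package names and would need the same check with their own package name.

```python
"""Check whether Chrome on an Android device is at or above the build that fixes
CVE-2026-11172. Added example, not the advisory's or Google's own code."""
import re
import subprocess

FIXED_VERSION = "149.0.7827.53"        # fixed build named in the advisory
CHROME_PACKAGE = "com.android.chrome"  # assumed package name of stable Chrome

# Constructed sample of the relevant lines from `adb shell dumpsys package`.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.chrome] (3f2a1b):
    userId=10123
    versionCode=782705300 minSdk=26 targetSdk=35
    versionName=149.0.7827.53
    apkSigningVersion=3
"""


def parse_version(version_name):
    """Turn a dotted version string into a tuple of ints padded to four fields.

    A plain string comparison would rank '99.0.4844.58' above '149.0.7827.53',
    so every component must be compared as a number.
    """
    parts = [int(p) for p in re.findall(r"\d+", version_name)]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def extract_version_name(dumpsys_output):
    """Pull the versionName= value out of dumpsys text; None if absent."""
    m = re.search(r"^\s*versionName=(\S+)", dumpsys_output, re.MULTILINE)
    return m.group(1) if m else None


def is_patched(version_name, fixed=FIXED_VERSION):
    """True when the installed build is at or above the fixed build.

    An unknown version (package missing or unparsable output) is reported as
    unpatched so it surfaces for manual review instead of silently passing.
    """
    if not version_name:
        return False
    return parse_version(version_name) >= parse_version(fixed)


def check_device(serial):
    """Query one device over adb and return (versionName, patched) for Chrome."""
    result = subprocess.run(
        ["adb", "-s", serial, "shell", "dumpsys", "package", CHROME_PACKAGE],
        capture_output=True, text=True, check=False,
    )
    version_name = extract_version_name(result.stdout)
    return version_name, is_patched(version_name)


def list_devices():
    """Serials of devices attached via adb (state 'device' only)."""
    result = subprocess.run(["adb", "devices"], capture_output=True, text=True, check=False)
    serials = []
    for line in result.stdout.splitlines()[1:]:
        fields = line.split()
        if len(fields) == 2 and fields[1] == "device":
            serials.append(fields[0])
    return serials


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, then any attached devices.
    sample = extract_version_name(SAMPLE_DUMPSYS)
    print(f"sample: versionName={sample} patched={is_patched(sample)}")
    for serial in list_devices():
        version_name, patched = check_device(serial)
        status = "OK" if patched else "UPDATE REQUIRED"
        print(f"{serial}: versionName={version_name} {status}")
```

Run it with devices attached to get one line per serial; an "UPDATE REQUIRED" line for a device whose Chrome is missing or unreadable is deliberate, since a silent pass on unknown state is the failure mode a fleet check must avoid.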

Exploitation status

Public Exploit Available: false

Analyst recommendation

Immediate application of the vendor-provided update is necessary to restore the integrity of the security UI. Organizations managing mobile fleets should enforce the update through mobile device management (MDM) policies to ensure all devices are protected.