VERSION

Chrome Version: 105.0.5195.127 (Official Build) (64-bit)
Operating System: Windows 10 Pro Version 21H1 (Build 19043.2006)

VULNERABILITY DETAILS

This report covers some behavior previously reported in 1302159 (CVE-2022-2616), 1290213, and 1301203, expanding on the impacts not covered by the final CVE fix.

It's the same story: an extension can create an inactive window (chrome.windows.create with focused: false) over an active window, which obscures the active window. The active window can still receive keyboard input, so the user's keyboard interaction with sensitive browser UI and web pages (for example, a permission request from the site) can be hidden from them.

Impact: granting Permissions API requests without the user's awareness, and the extension does not require any permission.

In this report I'm covering the usage of the Permissions API as an example, but it could leave a door open for many more cases.

* Permissions API requests: accepting permission requests with 3 user key presses.

The extension can inject JavaScript code into the page DOM, so it could be used to monitor PermissionStatus.state, or to place observers on methods such as navigator.geolocation.getCurrentPosition (and the many others that use the Permissions API) by hooking or overwriting the function. As soon as any permission prompt gets called, the extension knows the exact moment to create a new unfocused window over the browser's permission prompt. At this moment the main window can still receive keyboard input, so permissions can be granted without the user's awareness.

REPRODUCTION CASE

1. Install the attached extension; the extension does not require any permission.
2. Visit https://chrome-permissions.vercel.app/ (it could be any site that prompts the user with a Permissions API request, but for this example I'm using this link, which covers only the navigator.geolocation case).
3. Once the extension reveals the active window, observe the interaction (TAB TAB ENTER).
4. The user has granted the permission without being aware of it.

CREDIT INFORMATION

Reporter credit: Vitor Torres