Unfixed Chromium Browser Exploit Poses Persistent Threat
Google recently published exploit code for an unfixed vulnerability within its Chromium browser codebase, creating a potential risk for millions of users. This disclosure affects popular browsers like Chrome, Microsoft Edge, and nearly all other browsers built on Chromium. The proof-of-concept code targets a standard programming interface, allowing attackers to establish connections for monitoring user activity, acting as a proxy, and launching denial-of-service attacks. Depending on the specific browser, these connections can persist, even reopening after a device reboot.
A Persistent Vulnerability in Chromium
The vulnerability, which has remained unpatched for over 29 months, exploits the Browser Fetch programming interface. This interface is designed to handle background downloads of large files, such as long videos. An attacker can manipulate this feature to create a persistent connection, enabling them to observe certain aspects of a user’s browser usage. Furthermore, this connection can serve as a proxy, allowing attackers to view websites through the compromised device or initiate denial-of-service attacks. The persistence of these connections, which can either reopen or stay active after a browser or device restart, makes this a particularly concerning issue.
The Scope and Severity of the Chromium Exploit
This unfixed Chromium browser exploit essentially creates a limited backdoor, integrating a user’s device into what amounts to a restricted botnet. The capabilities of this backdoor are confined to actions a browser can perform, including visiting malicious sites, providing anonymous proxy browsing for others, facilitating proxied DDoS attacks, and monitoring user activity. While these actions are limited, the exploit could enable an attacker to gather thousands, potentially millions, of devices into a network. Should another vulnerability emerge, it could then be used to compromise all those connected devices. Lyra Rebane, the independent researcher who discovered and reported the flaw in late 2022, stated that using the exploit code Google released would be “pretty easy,” though scaling it for a large network would require more effort. Developers in Rebane’s disclosure thread acknowledged it as a “serious vulnerability,” assigning it an S1 severity rating, the second-highest classification. One might wonder if the 29-month delay in addressing this issue was a testament to its complexity or merely a reflection of the Chromium bug tracker’s backlog.
Unintended Publication and Detection Challenges
The vulnerability remained known only to Chromium developers for 29 months until Google published it on the Chromium bug tracker on a Wednesday morning. Rebane initially believed this meant the flaw had finally been fixed. However, she soon learned it was still unpatched. Although Google later removed the post, it, along with the exploit code, is still accessible on archival sites. Google representatives did not immediately respond to inquiries regarding the publication, or if and when a fix would be available. Rebane, who has reported other Chrome and Chromium vulnerabilities that were subsequently patched, noted that long delays in fixes are common, though this instance was the longest. She suggested that because this exploit does not breach defined security boundaries, such as accessing emails or a computer, it might have been misunderstood or deprioritized by those assigned to it.
The exploit operates by leveraging the browser fetch API to open a service worker that remains continuously active. This connection is triggered by JavaScript running on a malicious website. Detecting such exploits can be particularly difficult when they run on Microsoft Edge. On Edge, the JavaScript might cause a downloads dropdown window to appear, but it won’t show any items, and the window will not reappear on subsequent browser launches. Chrome, however, exhibits a more persistent download dropdown. In either scenario, less experienced users are likely to dismiss this behavior as a minor bug, unaware their device has been compromised. A developer in the private bug disclosure thread observed that background fetch usage on Chrome is very low, averaging around “17 completed files per user per day,” which they considered “pretty solid confirmation that nothing awful is happening at scale” on Chrome. The extent of this feature’s use on other browsers is unknown, and Rebane doubts the vulnerability is actively being exploited against them. Nonetheless, the risk persists, and users of Chromium browsers should be wary of unexpected download dropdowns. Investigating the cause to confirm an exploit remains a complex task. Rebane confirmed that Brave, Opera, Vivaldi, and Arc are also vulnerable. Firefox and Safari are unaffected because they do not support the background fetch feature.
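The article says confirming an exploit is hard because the only visible symptom is a stray download dropdown. An added audit helper (written for this page, not code from the article, Google, or Chromium) shows a more direct check: ask each service worker registration on an origin which Background Fetch jobs it still holds, and abort the ones that never finish. It assumes the standard Background Fetch API shapes listed in the comments, and the fake registration at the bottom is a constructed stand-in so the logic can run outside a browser.

```javascript
// Added audit helper; not code from the article, Google, or the Chromium project.
// Lists every Background Fetch job a service worker on this origin holds; optionally aborts unfinished ones.
// API shapes assumed (Chromium's Background Fetch API, browser-only):
//   navigator.serviceWorker.getRegistrations() -> ServiceWorkerRegistration[]
//   registration.backgroundFetch.getIds()       -> string[] of fetch ids
//   registration.backgroundFetch.get(id)        -> BackgroundFetchRegistration | null
//   bgFetch.result                              -> "" while running, else "success"/"failure"
//   bgFetch.abort()                             -> Promise<boolean>
async function auditBackgroundFetches(registrations, { abort = false } = {}) {
  const report = [];
  for (const reg of registrations) {
    const manager = reg.backgroundFetch;
    if (!manager) continue; // no Background Fetch support on this engine (e.g. Firefox, Safari)
    for (const id of await manager.getIds()) {
      const bg = await manager.get(id);
      if (!bg) continue; // id vanished between getIds() and get()
      const entry = {
        scope: reg.scope,
        id,
        downloaded: bg.downloaded,
        downloadTotal: bg.downloadTotal,
        running: bg.result === "",
        aborted: false,
      };
      // A fetch that stays in the running state indefinitely is the symptom the
      // article describes; aborting it ends that connection for this registration.
      if (abort && entry.running) entry.aborted = await bg.abort();
      report.push(entry);
    }
  }
  return report;
}

// Browser entry point: paste into the devtools console while on the suspect origin.
// getRegistrations() only returns this origin's workers, so each origin must be checked.
async function auditCurrentOrigin(abort = false) {
  const regs = await navigator.serviceWorker.getRegistrations();
  return auditBackgroundFetches(regs, { abort });
}

// Constructed stand-in with the same shape, so the audit logic can run outside a browser.
function fakeRegistration(scope, fetches) {
  const store = new Map(fetches.map((f) => [f.id, { ...f, abort: async () => true }]));
  const backgroundFetch = {
    getIds: async () => [...store.keys()],
    get: async (id) => store.get(id) ?? null,
  };
  return { scope, backgroundFetch };
}
```

In Chromium-based browsers, chrome://serviceworker-internals lists every registered service worker across origins and lets you unregister one, which removes its Background Fetch jobs along with it.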

