Google publishes exploit code for critical, unpatched Chromium flaw
The disclosure affects millions of users across Chrome, Edge, and other Chromium-based browsers, with researchers attributing the patching delay to internal misclassification.

Google published proof-of-concept exploit code on Wednesday for a critical, unpatched vulnerability in its Chromium browser codebase. The flaw, rated S1, the second-highest severity classification, affects millions of users across Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc. The disclosure comes 29 months after the issue was first reported to the company by independent researcher Lyra Rebane in late 2022.
The vulnerability leverages the Browser Fetch API, a standard interface that allows large files to be downloaded in the background. By invoking a persistent service worker through JavaScript on a malicious site, attackers can create connections that survive device reboots. These connections can be used to monitor user activity, to act as proxies for anonymous browsing, or to facilitate denial-of-service attacks, effectively turning compromised devices into a limited botnet.
Rebane described the publication of the exploit code as nonstandard, noting that the issue had not passed through defined security boundaries and was likely misunderstood by the personnel assigned to it. While Google has since removed the post from its official bug tracker, the code remains accessible via archival sites. Representatives for Google did not immediately respond to inquiries regarding the reason for the premature publication or the timeline for a fix.
The exploit manifests differently depending on the browser. On Chrome, it causes a persistent download dropdown window, while on Edge, the window may open briefly without adding items to the download list. Less experienced users may mistake this behaviour for a nuisance bug rather than a security compromise. Exploits are particularly difficult to detect when run on Microsoft Edge.
Despite the severity of the flaw, internal logs suggest the issue is not currently being exploited at scale. A developer noted that background fetch usage on Chrome is extremely limited, with an average of approximately 17 completed files per user per day. Rebane stated that scaling the exploit to wrangle large numbers of devices into a single network would require significant additional work, though he warned that the vulnerability could serve as a backdoor for future attacks if combined with other exploits. Firefox and Safari remain unaffected as they do not support the Browser Fetch API.


