Google Leaks Exploit Code for Unfixed Chrome Vulnerability

Key Takeaways

- Google published exploit code for a vulnerability it hasn't fixed in 29 months
- The flaw affects all Chromium-based browsers including Chrome and Edge
- Attackers could use the exploit to build botnets and monitor user activity

Google on Wednesday published exploit code for a vulnerability in its Chromium browser codebase that it hasn't patched in over two years. The flaw threatens millions of people using Chrome, Microsoft Edge, and virtually every other Chromium-based browser.
The proof-of-concept code exploits the Browser Fetch programming interface, a standard that allows large files like videos to download in the background. An attacker can use the exploit to monitor aspects of a user's browser activity, proxy site visits through their device, and launch denial-of-service attacks.
How the Exploit Works
Any website a user visits can exploit the vulnerability. A successful compromise creates what amounts to a limited backdoor, making the device part of a botnet. The connections either reopen or stay open even after the browser or device reboots, depending on which browser is affected.
The capabilities are limited to what a browser can do: visiting malicious sites, providing anonymous proxy browsing for others, enabling proxied DDoS attacks, and monitoring user activity. But those limits still let an attacker wrangle thousands or millions of devices into a network.
“The dangerous part here is that you can just have a lot of different browsers together that you can in the future run something on that you figure out.”
— Lyra Rebane, independent security researcher who discovered the vulnerability
Rebane privately reported the vulnerability to Google in late 2022. He said using the now-published exploit code would be "pretty easy," though scaling it to control large numbers of devices would require more work. Once a separate vulnerability becomes available, an attacker could use their existing botnet to compromise all those devices at once.
A Serious Vulnerability, Left Unpatched
In the thread of Rebane's disclosure to Google, two developers said in separate responses that it was a "serious vulnerability." Its severity was rated S1, the second-highest classification in Google's system.
For 29 months, the vulnerability remained unknown to anyone except Chromium developers. Then on Wednesday morning, it was published to the Chromium bug tracker. Rebane initially assumed the vulnerability was finally fixed. Shortly after, he learned it remained unpatched.
Google removed the post, but it remains available on archival sites, along with the exploit code. Google representatives did not immediately respond to questions about how and why it published the vulnerability, or when a fix would become available.
Long Delays Are Common, But This Is Extreme
Rebane said he has reported multiple other Chrome or Chromium vulnerabilities that resulted in patches. Long delays in fixing them are common, but this instance was the longest he's experienced.
The accidental publication creates a classic security nightmare. Security researchers typically give companies 90 days to patch vulnerabilities before public disclosure. Google's own Project Zero team enforces this deadline strictly. Yet Google has now accidentally exposed its own users to an S1-rated vulnerability that it has sat on for nearly 30 months.
Logicity's Take
What Users Can Do Now
There is no patch available. Users of Chrome, Edge, Brave, Opera, and other Chromium-based browsers are affected. Until Google issues a fix, standard security hygiene applies: avoid suspicious websites, keep browsers updated for when a patch does arrive, and consider using browser extensions that block background connections to unfamiliar domains.
Frequently Asked Questions
Which browsers are affected by the Chromium vulnerability?
All Chromium-based browsers are affected, including Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi.
Is there a patch available for the Browser Fetch vulnerability?
No. As of publication, Google has not released a patch despite the vulnerability being reported 29 months ago.
What can attackers do with this Chrome exploit?
Attackers can monitor browser activity, use your device as a proxy for anonymous browsing, and launch denial-of-service attacks. The connection persists even after browser or device reboots.
How did the exploit code become public?
Google accidentally published it to the Chromium bug tracker on Wednesday. Though removed, it remains available on archival sites.
How can I protect myself from this vulnerability?
No fix exists yet. Avoid suspicious websites, keep your browser updated for when a patch arrives, and consider extensions that block background connections to unknown domains.
Source: Ars Technica
Manaal Khan
Tech & Innovation Writer