Google Leaks Exploit Code for Unfixed Chrome Vulnerability

Key Takeaways

- Google published exploit code for a vulnerability it hasn't fixed in 29 months
- The flaw affects all Chromium-based browsers including Chrome and Edge
- Attackers could use the exploit to build botnets and monitor user activity

Google on Wednesday published exploit code for a vulnerability in its Chromium browser codebase that it hasn't patched in over two years. The flaw threatens millions of people using Chrome, Microsoft Edge, and virtually every other Chromium-based browser.
The proof-of-concept code exploits the Browser Fetch programming interface, a standard that allows large files like videos to download in the background. An attacker can use the exploit to monitor aspects of a user's browser activity, proxy site visits through their device, and launch denial-of-service attacks.
How the Exploit Works
Any website a user visits can exploit the vulnerability. A successful compromise creates what amounts to a limited backdoor, making the device part of a botnet. The connections either reopen or stay open even after the browser or device reboots, depending on which browser is affected.
The capabilities are limited to what a browser can do: visiting malicious sites, providing anonymous proxy browsing for others, enabling proxied DDoS attacks, and monitoring user activity. But those limits still let an attacker wrangle thousands or millions of devices into a network.
“The dangerous part here is that you can just have a lot of different browsers together that you can in the future run something on that you figure out.”
— Lyra Rebane, independent security researcher who discovered the vulnerability
Rebane privately reported the vulnerability to Google in late 2022. He said using the now-published exploit code would be "pretty easy," though scaling it to control large numbers of devices would require more work. Once a separate vulnerability becomes available, an attacker could use their existing botnet to compromise all those devices at once.
A Serious Vulnerability, Left Unpatched
In the thread of Rebane's disclosure to Google, two developers said in separate responses that it was a "serious vulnerability." Its severity was rated S1, the second-highest classification in Google's system.
For 29 months, the vulnerability remained unknown to anyone except Chromium developers. Then on Wednesday morning, it was published to the Chromium bug tracker. Rebane initially assumed the vulnerability was finally fixed. Shortly after, he learned it remained unpatched.
Google removed the post, but it remains available on archival sites, along with the exploit code. Google representatives did not immediately respond to questions about how and why it published the vulnerability, or when a fix would become available.
Long Delays Are Common, But This Is Extreme
Rebane said he has reported multiple other Chrome or Chromium vulnerabilities that resulted in patches. Long delays in fixing them are common, but this instance was the longest he's experienced.
The accidental publication creates a classic security nightmare. Security researchers typically give companies 90 days to patch vulnerabilities before public disclosure. Google's own Project Zero team enforces this deadline strictly. Yet Google has now accidentally exposed its own users to an S1-rated vulnerability that it has sat on for nearly 30 months.
What Users Can Do Now
There is no patch available. Users of Chrome, Edge, Brave, Opera, and other Chromium-based browsers are affected. Until Google issues a fix, standard security hygiene applies: avoid suspicious websites, keep browsers updated for when a patch does arrive, and consider using browser extensions that block background connections to unfamiliar domains.
Frequently Asked Questions
Which browsers are affected by the Chromium vulnerability?
All Chromium-based browsers are affected, including Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi.
Is there a patch available for the Browser Fetch vulnerability?
No. As of publication, Google has not released a patch despite the vulnerability being reported 29 months ago.
What can attackers do with this Chrome exploit?
Attackers can monitor browser activity, use your device as a proxy for anonymous browsing, and launch denial-of-service attacks. The connection persists even after browser or device reboots.
How did the exploit code become public?
Google accidentally published it to the Chromium bug tracker on Wednesday. Though removed, it remains available on archival sites.
How can I protect myself from this vulnerability?
No fix exists yet. Avoid suspicious websites, keep your browser updated for when a patch arrives, and consider extensions that block background connections to unknown domains.
Source: Ars Technica
Manaal Khan
Tech & Innovation Writer