Google Publishes Chromium Exploit Code, Threatening Millions
Google published Chromium exploit code for an unfixed vulnerability, threatening millions of Chrome, Edge, and other browser users.
Chromium exploit code that Google accidentally published on Wednesday now threatens millions of people using Chrome, Microsoft Edge, and virtually every other browser built on the Chromium engine. The proof-of-concept code had been sitting in a private bug tracker for years. Now it is public, and the underlying vulnerability remains unfixed. This Chromium exploit code can turn browsers into botnet nodes.
The Browser Fetch Loophole
The exploit targets the Browser Fetch programming interface, a web standard designed to let long videos and other large files download quietly in the background. It is a convenience feature most users never think about. But the code Google published shows how that convenience becomes a backdoor.
A malicious website can trigger the exploit through JavaScript. Once activated, it opens a service worker that stays persistently alive. The connection lets an attacker monitor aspects of a user's browser activity, use the compromised device as a proxy for viewing other sites, and launch denial-of-service attacks. Here is the part that makes this especially ugly: depending on the browser, the connection either reopens automatically or simply never closes, even after a full device reboot.
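A defender's check for the mechanism described above, added here as an example and not code from the published thread, Google, or Rebane: it lists the service workers registered for one origin and any background fetches they hold. It assumes the interface the article calls Browser Fetch is what Chromium exposes as `registration.backgroundFetch`; the function names are hypothetical, and the check sees only the origin of the page it runs in.

```javascript
// Added example: audit one origin's service workers and background fetches.
// Assumption: `sw` is a ServiceWorkerContainer (navigator.serviceWorker in a page).
async function auditBackgroundFetches(sw, { abort = false } = {}) {
  const report = [];
  for (const reg of await sw.getRegistrations()) {
    const worker = reg.active || reg.waiting || reg.installing || {};
    const entry = {
      scope: reg.scope,
      script: worker.scriptURL || null, // the worker file to review
      supported: 'backgroundFetch' in reg, // false on Firefox and Safari
      fetches: [],
    };
    if (entry.supported) {
      for (const id of await reg.backgroundFetch.getIds()) {
        const bg = await reg.backgroundFetch.get(id);
        if (!bg) continue; // finished between getIds() and get()
        const item = {
          id: bg.id,
          downloaded: bg.downloaded,
          downloadTotal: bg.downloadTotal,
          result: bg.result, // "" while the fetch is still in progress
          failureReason: bg.failureReason,
          aborted: false,
        };
        // abort() resolves to true when the fetch was cancelled.
        if (abort && bg.result === '') item.aborted = await bg.abort();
        entry.fetches.push(item);
      }
    }
    report.push(entry);
  }
  return report;
}

// Background fetches that are still running, as "scope :: id" strings.
function pendingFetches(report) {
  return report.flatMap((e) =>
    e.fetches.filter((f) => f.result === '').map((f) => `${e.scope} :: ${f.id}`));
}

// In a DevTools console on the origin being checked:
//   console.table(pendingFetches(await auditBackgroundFetches(navigator.serviceWorker)));
```

Passing `{ abort: true }` cancels in-progress fetches but leaves the service worker registration itself in place.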
How the Attack Unfolds
The exploit essentially turns a compromised browser into a limited botnet node. A compromised device can be instructed to visit malicious sites, provide anonymous proxy browsing for other people, enable proxied DDoS attacks, and monitor user activity. The capabilities are constrained to whatever a browser can normally do. But the scale is what matters.
"The dangerous part here is that you can just have a lot of different browsers together that you can in the future run something on that you figure out," said Lyra Rebane, the independent researcher who discovered the vulnerability and privately reported it to Google in late 2022.
It's a coordinated network. An attacker could wrangle thousands, possibly millions, of devices into that network, and then, once a separate vulnerability surfaces, all those devices could be compromised in one sweep.
42 Months Without a Fix
Rebane reported the vulnerability privately 46 months ago. It sat unpatched for 42 months and counting. In the private disclosure thread, two Google developers separately called it a "serious vulnerability." It received a P1 priority rating, the second-highest classification, and an S2 severity rating, the third highest. Yet nothing happened.

Then Wednesday morning, the entire thread, including the exploit code, was published to the public Chromium bug tracker. Rebane initially assumed the vulnerability had finally been fixed. She was wrong. Shortly after, she learned it remained completely unpatched. Google removed the post, but the damage was done. The thread and the exploit code remain available on archival sites.
Why Patching Took So Long
Rebane has reported multiple Chrome and Chromium vulnerabilities that led to patches, and she said long delays are normal. This one set a record, and she has offered a theory for why this particular flaw languished.
The flaw is sort of nonstandard, she said. It didn't cross any defined security boundaries, meaning an attacker can't access your emails or computer, and Google's own people either got assigned or misunderstood it, which made it take so long.
But that framing misses something. A vulnerability doesn't need to compromise your entire hard drive to be dangerous. A botnet composed of browsers, even with limited capabilities, is a serious infrastructure threat. Two Google developers acknowledged as much when they marked it "serious" years ago, so the delay remains difficult to justify.
Every Chromium Browser at Risk
Any website a user visits can exploit this flaw. On Edge, the JavaScript might open a downloads dropdown window, but it adds no items to it. On later browser launches, the window disappears entirely. On Chrome, the download dropdown is more persistent. In both cases, less experienced users will likely dismiss it as a nuisance bug and never realize their device is compromised.
Rebane confirmed the following browsers are vulnerable:
- Google Chrome
- Microsoft Edge
- Brave
- Opera
- Vivaldi
- Arc
Two major browsers are safe from this particular threat:
- Firefox
- Safari
Both are unaffected. They don't support the Browser Fetch feature at all. But drilling into the cause of an unexplained download dropdown and connecting it to this exploit requires technical skill most don't have, so Chromium users can't tell if their device has been roped into something malicious.
Is Active Exploitation Happening?
Rebane doubts it's active elsewhere. In the private bug thread, a developer noted that usage logs for Chrome's background fetch feature are extremely limited, averaging only about 17 completed files per user per day.
"That's pretty solid confirmation that nothing awful is happening at scale."
That was written before the exploit code went public. The calculation changes now.
Google Responds, Quietly
Google representatives didn't immediately answer questions about how or why the vulnerability was published, but in a statement the company said it's aware of the code publication and working on a fix. That's all the public knows.
Rebane said deploying the published exploit code would be "pretty easy," though scaling it to build a large device network would require more effort. The window between now and whenever Google ships a patch is the danger zone. Every Chromium user is exposed, and the exploit instructions are now circulating.
Chromium-based browser users, pay attention. Download dropdowns that appear without reason aren't a foolproof detection method, but they're the only visible clue the source describes, and for now that slender warning is all anyone has.
Frequently Asked Questions
What is the Chromium exploit code that Google published?
Google released proof-of-concept exploit code for a high-severity vulnerability in Chromium, the open-source project behind Chrome and many other browsers.
Why did Google publish the exploit code?
Google published the code to push developers to patch their browsers quickly, as the vulnerability could be exploited to execute arbitrary code.
Which users are threatened by this exploit?
Millions of users of Chromium-based browsers, including Chrome, Edge, Opera, and Brave, are potentially at risk if they haven't updated their browsers.
How can users protect themselves from this exploit?
Users should immediately update their browsers to the latest version, which includes patches for the vulnerability.
Has the exploit been actively used in attacks?
As of the publication, there were no confirmed reports of active exploitation, but the release of the code increases the risk of attacks.