Google accidentally publishes exploit code for unfixed Chromium vulnerability
Original: Google publishes exploit code threatening millions of Chromium users
Why This Matters
Demonstrates critical browser security gaps affecting millions of users worldwide
Google published exploit code for a 42-month-old unfixed vulnerability affecting Chromium-based browsers, including Chrome and Edge. The Browser Fetch vulnerability allows websites to create backdoor connections for monitoring and DDoS attacks.
Google accidentally published exploit code Wednesday for an unfixed vulnerability in Chromium that affects millions of people using Chrome, Microsoft Edge, and other Chromium-based browsers. The vulnerability, reported by researcher Lyra Rebane in late 2022, exploits the Browser Fetch interface to create persistent connections that remain active even after browser or device reboots. Attackers can use compromised devices for proxy browsing, DDoS attacks, and monitoring user activity, effectively creating a limited botnet. Chromium developers rated the vulnerability P1 priority and S2 severity and called it a 'serious vulnerability.' Despite being reported 46 months ago, it remains unpatched. Google removed the post after realizing the mistake, but the exploit code remains available on archival sites. The company stated it's working on a fix.