Google releases exploit code endangering millions of Chromium users

Summary
– Google published exploit code for an unfixed Chromium vulnerability affecting Chrome, Edge, and other Chromium-based browsers.
– The exploit targets the Browser Fetch API, which handles background downloading of large files.
– Attackers can use the exploit to monitor browser usage, proxy traffic, and launch denial-of-service attacks.
– The vulnerability remains unfixed after 29 months and can be triggered by any visited website.
– The exploit effectively turns devices into a limited botnet, which could be leveraged with a separate vulnerability for broader compromise.
Google has released exploit code for a critical, unpatched vulnerability in the Chromium browser codebase, putting hundreds of millions of users at risk. The flaw affects Google Chrome, Microsoft Edge, and virtually every other browser built on the Chromium engine.
The proof-of-concept exploit targets the Browser Fetch programming interface, a standard designed to handle background downloads of large files like long videos. Attackers can weaponize this flaw to establish a persistent connection that monitors certain browser activity, acts as a proxy for browsing other sites, and launches distributed denial-of-service (DDoS) attacks. In some browsers, these connections either automatically reopen or remain active even after the browser or the device has been rebooted.
The vulnerability has remained unpatched for 29 months, and there is no fix in sight. Any website a user visits can trigger the exploit, effectively turning the victim’s device into a limited botnet node. While the attacker’s capabilities are confined to what a browser can do, such as visiting malicious sites, providing anonymous proxy browsing, enabling proxied DDoS attacks, and monitoring user activity, the risk is significant. An attacker could wrangle thousands, or even millions, of devices into a network. Once a separate vulnerability is discovered, that same network could be used to compromise all those devices more deeply.
(Source: Ars Technica)




