Google on Wednesday released exploit code for an unpatched vulnerability in the code base of its Chromium browser that threatens millions of people using Chrome, Microsoft Edge, and virtually all other Chromium-based browsers.
The proof-of-concept code exploits the Browser Fetch programming interface, a standard that allows long videos and other large files to be downloaded in the background. An attacker can use the exploit to create a connection to monitor some aspects of a user’s browser usage and as a proxy to view sites and launch denial-of-service attacks. Depending on the browser, connections are reopened or remain open even after it or the device running it has been restarted.
Unfixed for 29 months (and counting)
The unpatched vulnerability can be exploited by any website a user visits. In effect, a compromise is equivalent to a limited backdoor that makes a device part of a limited botnet. The capabilities are restricted to the same things a browser can do, such as visiting malicious sites, providing anonymous proxy browsing for others, enabling proxy DDoS attacks, and monitoring user activity. However, the exploit could allow an attacker to pull thousands, possibly millions, of devices into a single network. If a separate vulnerability later becomes available, the attacker could use it to compromise all of those devices at once.
“The dangerous part here is that you can have many different browsers together and in the future you will be able to run something that you discover,” Lyra Rebane, the independent researcher who discovered the vulnerability and privately reported it to Google in late 2022, said in an interview. He said using the exploit code that Google prematurely released would be “pretty easy,” although scaling it to bring a large number of devices together on a single network would require more work. In the thread of Rebane’s disclosure to Google, two developers said in separate responses that this was a “serious vulnerability.” Its severity was rated S1, the second-highest classification.
Since it was reported 29 months ago, the vulnerability had remained unknown to everyone except Chromium developers. Then, on Wednesday morning, it was posted to the Chromium bug tracker. Rebane initially assumed the vulnerability had finally been fixed. Shortly after, he learned that it was, in fact, still unpatched. Google has since removed the post, but it remains available on archive sites, along with the exploit code.
