Google accidentally exposed details of unfixed Chromium flaw

Key Points:
- A critical vulnerability in Chromium-based browsers lets a malicious webpage use Service Workers to keep JavaScript running in the background after the browser is closed, enabling remote code execution on users' devices.
- The flaw, reported by security researcher Lyra Rebane in 2022 and acknowledged by Google, remains unpatched despite being marked as fixed, with recent tests confirming the exploit still works in Chrome Dev and Microsoft Edge.
- This issue affects all Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc, potentially enabling attackers to build botnets, launch DDoS attacks, proxy malicious traffic, and redirect users to harmful sites.
- Details of the vulnerability were accidentally made public by Google, increasing the risk of widespread exploitation, although the bug does not grant access to users' emails, files, or operating system.
- Google has yet to respond publicly, but given the severity and exposure of the flaw, an urgent security patch is expected to be released soon.