Google posts Chromium browsers' proof-of-concept exploit code without a fix

Chrome, Edge, Brave, Opera, and other Chromium-based browsers could reportedly be exposed to abuse after Google accidentally revealed exploit code for an unfixed vulnerability

Aashish Kumar Shrivastava New Delhi
Last Updated: May 25 2026 | 1:19 PM IST
Google has accidentally exposed proof-of-concept exploit code for a serious unpatched vulnerability affecting Chrome, Microsoft Edge, Brave, Opera, Vivaldi, Arc, and several other Chromium-based browsers before later deleting the disclosure from its Chromium bug tracker. According to a report by Ars Technica, the vulnerability had remained privately known to Google for more than 42 months after being reported in late 2022.
 
The accidentally published post reportedly included working exploit code capable of abusing Chromium’s Background Fetch API to establish persistent browser connections that can survive browser or device restarts in certain cases.
 
According to the report, the flaw can be triggered simply by visiting a malicious website. Once exploited, attackers may use the compromised browser session as part of a limited botnet capable of anonymous proxy browsing, monitoring certain browser activity, or launching distributed denial-of-service (DDoS) attacks. Ars Technica noted that the exploit does not provide direct system-level access, but researchers warned that large-scale abuse could still become dangerous if attackers combine it with future vulnerabilities.

Vulnerability remained unpatched for years

The report states that independent security researcher Lyra Rebane privately disclosed the issue to Google in late 2022 after discovering that Chromium’s Background Fetch API could be abused to keep service workers persistently active in the background. According to Ars Technica, Google internally classified the flaw as a high-priority issue, with developers reportedly describing it as a “serious vulnerability.”
 
Despite this, the issue reportedly remained unresolved for years. Rebane told Ars Technica that long delays in Chromium security fixes are common, but this was reportedly the longest delay she had encountered. She also stated that the exploit would be “pretty easy” to use, although building a large-scale browser network around it would require additional effort.

Browsers affected, Firefox and Safari safe

According to the report, the vulnerability impacts browsers that support Chromium’s Background Fetch feature. It specifically identified Chrome, Edge, Brave, Opera, Vivaldi, and Arc as affected browsers. Mozilla Firefox and Apple Safari are reportedly not vulnerable because they do not support the same background-fetch functionality.
 
The exploit works by using malicious JavaScript to silently create persistent browser connections in the background. On some browsers, suspicious download dropdown windows may briefly appear, although researchers warned that many users would likely dismiss such behaviour as a minor browser glitch instead of a security compromise.

Google says a fix is coming

Ars Technica reported that the Chromium bug tracker post exposing the exploit code was later removed by Google, although archived copies reportedly remain accessible online. Google has acknowledged awareness of the disclosure and reportedly stated that it is working on a patch for the issue.
 
The report added that there is currently no confirmed evidence of widespread active exploitation. However, researchers reportedly warned that the accidental publication of working exploit code before a fix becomes available could increase the risk of attackers attempting to automate or weaponise the vulnerability at scale.


First Published: May 25 2026 | 1:19 PM IST
