
Google has disclosed details regarding a critical vulnerability impacting browsers built on the Chromium engine. This includes popular browsers like Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc, as reported by Ars Technica.
Security researcher Lyra Rebane first reported the vulnerability to Google in late 2022. Twenty-nine months later, the issue remains unpatched. According to the researcher, the published proof-of-concept code lets an attacker keep a persistent connection to a user's browser through a service worker, started by JavaScript on a compromised website.
In effect, the vulnerability turns a user's device into a node of a small botnet. With it, attackers can use the browser as a proxy for anonymous access to websites, take part in DDoS attacks, and monitor certain aspects of user activity. In some browsers, the connection survives a restart of the browser or even of the device.
Rebane noted that using the disclosed code does not require elaborate preparation, although scaling the attack to a large number of devices would take additional resources. Within Google, the issue was classified as an S1 vulnerability, the second-highest severity level.
Exploitation in Microsoft Edge is particularly hard to spot. The malicious script can cause an empty download window to appear, and that window is no longer shown after the browser is restarted. In Google Chrome, the download indicator is more noticeable, but most users would likely dismiss it as an ordinary glitch.
Google later deleted the message containing the exploit code, presumably after realizing that a fix had not yet shipped. Separately, a Chromium developer indicated that the background download feature sees little use, which suggests the vulnerability is not being widely exploited.
The issue is tied to the Background Fetch API, a mechanism for downloading large files and video content in the background. Consequently, Mozilla Firefox and Safari are not affected, since neither browser supports Background Fetch.
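As an added defender-side illustration (not code from the article, the researcher, or Chromium), the snippet below audits the mechanism the article describes: it walks every service-worker registration on the current origin, lists the Background Fetch jobs each one owns, and optionally aborts them and unregisters the worker. It is meant to be pasted into a browser's DevTools console; the "open-ended running job" heuristic and the snapshot shape are assumptions of this example, not part of the report.

```javascript
// Added example: audit service-worker Background Fetch jobs from the DevTools
// console. Uses only standard Web APIs (navigator.serviceWorker,
// ServiceWorkerRegistration.backgroundFetch, BackgroundFetchRegistration.abort).

// Snapshot shape (our own, constructed from one registration):
// { scope, scriptURL, fetches: [{ id, downloaded, downloadTotal, result }] }
// result is '' while a job is still running, 'success' or 'failure' when done.

// Pure decision logic, kept synchronous so it can be tested outside a browser.
function assessRegistration(snapshot) {
  const running = snapshot.fetches.filter((f) => f.result === '');
  // Heuristic (assumption of this example): a running job that declared no
  // total size never shows real progress and is the first thing to inspect.
  const openEnded = running.filter((f) => f.downloadTotal === 0);
  return {
    scope: snapshot.scope,
    activeFetches: running.length,
    suspicious: openEnded.length > 0,
    ids: running.map((f) => f.id),
  };
}

// Build a snapshot from a live ServiceWorkerRegistration.
async function snapshotRegistration(reg) {
  const worker = reg.active || reg.waiting || reg.installing;
  const fetches = [];
  if (reg.backgroundFetch) {
    for (const id of await reg.backgroundFetch.getIds()) {
      const bf = await reg.backgroundFetch.get(id);
      if (bf) fetches.push({ id, downloaded: bf.downloaded,
                             downloadTotal: bf.downloadTotal, result: bf.result });
    }
  }
  return { scope: reg.scope, scriptURL: worker ? worker.scriptURL : null, fetches };
}

// Audit every registration; with cleanup=true, abort its jobs and unregister it.
async function auditBackgroundFetch(cleanup = false) {
  const report = [];
  for (const reg of await navigator.serviceWorker.getRegistrations()) {
    const snap = await snapshotRegistration(reg);
    const verdict = assessRegistration(snap);
    if (cleanup && verdict.activeFetches > 0) {
      for (const id of verdict.ids) {
        const bf = await reg.backgroundFetch.get(id);
        if (bf) await bf.abort();          // stops the persistent job
      }
      await reg.unregister();              // takes effect after the next reload
    }
    report.push({ ...verdict, scriptURL: snap.scriptURL });
  }
  return report;
}

if (typeof navigator !== 'undefined' && navigator.serviceWorker) {
  auditBackgroundFetch(false).then((r) => console.table(r));
}
```

Run it once with the default argument to see what is registered; rerun with `auditBackgroundFetch(true)` only after confirming the jobs are not legitimate downloads the site is expected to perform.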