Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Google on Wednesday published a vulnerability code in its Chromium browser that threatens millions of people who use Chrome, Microsoft Edge, and all other Chromium browsers.
The proof-of-concept code uses the Browser Fetch feature, a standard that allows long videos and other large files to be downloaded in the background. An attacker can use this vulnerability to create connections to monitor browser usage and as a proxy for web browsing and to launch denial-of-service attacks. Depending on the browser, the links are re-opened or remain open even after they are terminated or the device running them is restarted.
Fixed for 29 months (and counting)
A random attack can be used by any website the user visits. Instead, phishing acts as a backdoor that makes a device part of a limited botnet. Capabilities are limited to things a browser can do, such as visiting malicious websites, providing anonymous proxy browsing, launching DDoS attacks, and monitoring user activity. However, an exploit could allow an attacker to compromise thousands, perhaps millions, of devices on the network. Once another vulnerability is discovered, the attacker can use it to compromise all of the devices.
“The danger here is that you can only have as many browsers in the future as you can think of,” said Lyra Rebane, an independent researcher who discovered the vulnerability and told Google confidentially in late 2022 in an interview. He added that using Google’s pre-published code “could be easier,” though scaling up multiple devices on a single network would require more work. On Rebane’s announcement at Google, two developers responded differently that it was “a serious threat.” The risk is rated S1, the second highest category.
Since the first report 29 months ago, the vulnerability has not been identified except by Chromium developers. Then on Wednesday morning, it was published to the Chromium bug tracker. At first Rebane thought that insecurity was fixed. Soon, he learned that, in fact, it did not have a patch. While Google removed the post, it remains on the archived pages, along with the exploit code.
