In a recent incident, Google inadvertently made public a bug report describing a working exploit for a still-unfixed vulnerability in the Chromium engine. The report, reachable through a public link, contains a detailed explanation of the flaw and a sample exploit. The vulnerability was rated as dangerous, and the researcher who reported it received a $1000 bounty. The issue was first reported in 2022, and discussion of a fix has been ongoing since then, because resolving it requires introducing new limits on continuous loading.
The vulnerability allows a background JavaScript handler (a Service Worker) to keep running even after the browser window has been closed. This gives the attacker persistent control over the browser: at any moment they can download and execute arbitrary JavaScript, without the victim revisiting the site. The code runs in the context of the attacker's own page, since a service worker is scoped to the origin that registered it, not to other sites. Once the victim has been lured to the attacker's page and the exploit has run, the worker stays resident, so the attacker can load and run code on that page again later, even after the browser has been updated with fixes for vulnerabilities.
The researcher who found the bug warned that it could be used to build a botnet of browsers, letting attackers execute JavaScript on users' devices remotely and without their knowledge. Even without chaining further vulnerabilities, such a botnet could be used for DDoS attacks or to route malicious traffic through the compromised systems. Because the flaw lies in Chromium itself, it affects every browser built on the Chromium engine, which makes it a significant threat to user privacy and security.