Google publishes exploit code threatening millions of Chromium users


UserIDAlreadyInUse

Ars Tribunus Angusticlavius
7,867
Subscriptor
Hold on, hold on....Google just published a PoC exploit that demonstrates a compromise of one of its own products? What's the expectation here...that if Google pushes the exploit it'll light a fire under Google to fix this Google code because previously Google was ignoring the findings from Google? Do I have that right?
 
Upvote
130 (132 / -2)
Google publishing zero day for Google's software
 
Upvote
68 (70 / -2)

Taboobat

Smack-Fu Master, in training
64
Subscriptor
Hey cool article, when I opened up Vivaldi this morning the download tab opened but was empty. Given that

Depending on the browser, the connections either reopen or remain open even after it or the device running it has rebooted.

Is there any reliable way to unfuck my browser? I have rebooted the computer, but I did see the download window open at least twice between yesterday and today.

Edit: I went to chrome://serviceworker-internals/ and the only ones with a status of RUNNING are from extensions or specific browser tabs I have open. So maybe on Vivaldi it doesn't persist between reboots?
 
Upvote
12 (12 / 0)
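For the "is there a reliable way to check my browser" question above: a page can only see the service worker registrations for its own origin (chrome://serviceworker-internals covers the whole profile), but on a site you suspect you can enumerate them and unregister the ones you don't recognise. This is an added example, not code from the article, the thread, or Chromium; the sample registrations and allow-list are constructed, and `SAMPLE_REGISTRATIONS` stands in for `navigator.serviceWorker` so the logic runs outside a browser.

```javascript
// Added example; not code from the article, the thread, or Chromium.
// Audits the service worker registrations a page can see (its own origin only;
// chrome://serviceworker-internals covers the whole browser profile).

// Pure classification step: scopes are URLs, so compare each registration's
// scope by prefix against an explicit allow-list of scopes you expect.
function classifyRegistrations(registrations, allowedScopes) {
  return registrations.map(reg => {
    const worker = reg.active || reg.waiting || reg.installing || null;
    return {
      scope: reg.scope,
      state: worker ? worker.state : 'none',
      scriptURL: worker ? worker.scriptURL : null,
      allowed: allowedScopes.some(prefix => reg.scope.startsWith(prefix)),
    };
  });
}

// Browser-side driver: lists registrations and, unless dryRun, unregisters the
// unexpected ones. An unregistered worker keeps running until the tabs it
// controls are closed, so reload or close those tabs afterwards.
async function auditServiceWorkers(container, allowedScopes, { dryRun = true } = {}) {
  const registrations = await container.getRegistrations();
  const report = classifyRegistrations(registrations, allowedScopes);
  if (!dryRun) {
    for (const [i, reg] of registrations.entries()) {
      if (!report[i].allowed) report[i].unregistered = await reg.unregister();
    }
  }
  return report;
}

// Constructed sample input (hypothetical hosts) so the logic can be exercised
// outside a browser; in a devtools console pass navigator.serviceWorker instead.
const SAMPLE_REGISTRATIONS = [
  { scope: 'https://mail.example.test/',
    active: { state: 'activated', scriptURL: 'https://mail.example.test/sw.js' } },
  { scope: 'https://cdn.example.test/widget/', active: null,
    waiting: { state: 'installed', scriptURL: 'https://cdn.example.test/widget/bg.js' } },
];
const ALLOWED_SCOPES = ['https://mail.example.test/'];

// In a devtools console on the site under suspicion (dry run, report only):
// auditServiceWorkers(navigator.serviceWorker, ALLOWED_SCOPES).then(console.table);
```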

Lexus Lunar Lorry

Ars Scholae Palatinae
914
Subscriptor++
Hold on, hold on....Google just published a PoC exploit that demonstrates a compromise of one of its own products? What's the expectation here...that if Google pushes the exploit it'll light a fire under Google to fix this Google code because previously Google was ignoring the findings from Google? Do I have that right?
Google isn't monolithic. It's entirely possible that the exploit post was the result of internal political infighting between Google's security and Chrome teams.
 
Upvote
22 (25 / -3)

Fred Duck

Ars Tribunus Angusticlavius
7,352
Dan Goodin said:
Google representatives didn’t immediately respond to an email asking how and why it published the vulnerability and if or when a fix would become available.
I shall assume AI is partially to blame for the publication unless they assure us it isn't, at which time I will assume AI is wholly responsible.
 
Upvote
36 (41 / -5)

Tobold

Ars Tribunus Militum
2,040
Subscriptor++
Hold on, hold on....Google just published a PoC exploit that demonstrates a compromise of one of its own products? What's the expectation here...that if Google pushes the exploit it'll light a fire under Google to fix this Google code because previously Google was ignoring the findings from Google? Do I have that right?
Sounds like it was a mistake to make the issue public; once attention was drawn to it, they made it private again. Dan linked to the conversation here: https://infosec.exchange/@rebane2001/116606719764376414

Reading through it is quite the emotional roller coaster:
[screenshot of the linked conversation]
 
Upvote
62 (62 / 0)
Hold on, hold on....Google just published a PoC exploit that demonstrates a compromise of one of its own products? What's the expectation here...that if Google pushes the exploit it'll light a fire under Google to fix this Google code because previously Google was ignoring the findings from Google? Do I have that right?
It's Google's ... all the way down.
 
Upvote
16 (17 / -1)

jhodge

Ars Tribunus Angusticlavius
8,734
Subscriptor++
Apparently Google knew that this API was little-used and hard to maintain, and had decided to deprecate it late last year before being talked out of it:

https://groups.google.com/a/chromium.org/g/blink-dev/c/CpXXaJh5Rq8

I wonder if they never fixed the bug because they intended to deprecate & remove, but then didn't re-prioritize it when the decision was made to keep the API?
 
Upvote
49 (50 / -1)

agt499

Ars Tribunus Militum
2,203
Hey cool article, when I opened up Vivaldi this morning the download tab opened but was empty. Given that

Is there any reliable way to unfuck my browser? I have rebooted the computer, but I did see the download window open at least twice between yesterday and today.
Firefox?
 
Upvote
32 (32 / 0)

luckydob

Ars Scholae Palatinae
929
Only if they can get thousands if not millions of users to browse to their bad web site. That seems a bit of a hurdle.
You seem to underestimate the willingness and ability of bad actors to exploit the most common browser engine in the world (now that a known exploit is available to them). I would prefer that they don't get handed the keys to the castle, even if there is a moat in front of it.
 
Upvote
15 (16 / -1)

afidel

Ars Legatus Legionis
18,211
Subscriptor
Google isn't monolithic. It's entirely possible that the exploit post was the result of internal political infighting between Google's security and Chrome teams.
It's not the case here, but Project Zero, Google's red team, routinely publishes vulnerabilities impacting Google services or products that haven't been patched yet (in particular Android has been hit several times). In fact this recent blog post mentions that a recent bug was the first one this team member had that was actually patched before their 90 day disclosure window https://projectzero.google/2026/05/pixel-10-exploit.html
 
Upvote
16 (16 / 0)

Basil Wrathbone

Smack-Fu Master, in training
8
Search & destroy of anything remotely related to Google is handled by a twice-a-day script on every device I own. I can't ethically involve myself with a company whose core business model is spying on individuals the better to propagandize them.

It's remarkably old fashioned of me, but nothing compared to the hours I spend listening to baroque opera.
 
Upvote
5 (6 / -1)
Hold on, hold on....Google just published a PoC exploit that demonstrates a compromise of one of its own products? What's the expectation here...that if Google pushes the exploit it'll light a fire under Google to fix this Google code because previously Google was ignoring the findings from Google? Do I have that right?
Just needs more Alphabet soup.
 
Upvote
-1 (0 / -1)

phylis

Smack-Fu Master, in training
1
Other browsers Rebane confirmed as vulnerable include Brave, Opera, Vivaldi, and Arc. Both Firefox and Safari are unaffected because they don’t support the browser-fetching feature.

Why would anyone expect Firefox or Safari to be vulnerable since they're completely different browsers with no code based in common?
 
Upvote
-7 (2 / -9)
"less experienced users are likely to consider the behavior the result of a nuisance bug and have no idea their device is compromised"

Rebane says it can't access your computer. So how can your device be compromised?
It can’t access the computer, but it could cause it to load a pdf or image that exploits a vulnerable parser to escape the browser sandbox and run code that could access the computer.
 
Upvote
1 (1 / 0)

Feldercarb

Wise, Aged Ars Veteran
137
Apparently Google knew that this API was little-used and hard to maintain, and had decided to deprecate it late last year before being talked out of it:

https://groups.google.com/a/chromium.org/g/blink-dev/c/CpXXaJh5Rq8

I wonder if they never fixed the bug because they intended to deprecate & remove, but then didn't re-prioritize it when the decision was made to keep the API?
Doesn't deprecate mean "not encouraged to use", so it would still be there (unfixed)?
 
Upvote
0 (0 / 0)
Since its reporting 29 months ago, the vulnerability remained unknown except to Chromium developers.

Unknown to the general public. It's unprovable no one else knew, especially in the current environment where anyone can run the Chromium code base through their favorite LM looking for vulnerabilities. You better believe the TLAs and organized cyber gangs are looking at every popular program in detail utilizing their own pet language models cataloging vulnerabilities to pull out when the occasion presents itself. Only they aren't advertising what they find.

This is what the software world is struggling with right now. The concept of the security embargo for people to rush out patches to users is dead. Vulnerabilities aren't just getting discovered faster, they're being discovered by multiple investigators within hours or days of each other, all of which are eager to preach their discovery or to exploit it themselves. It's impossible to sit on these bugs and make splashy headlines as the discoverer of "Heartbleed", or "Spectre", etc. That's dying in a L/SLM fueled fire.
 
Upvote
-1 (0 / -1)
Service workers are an API that expands on cookies: instead of storing data in your browser, it stores a program running in a secret hidden tab in your browser, and since nobody talks about them, does this without any confirmation, cleanup, or oversight. It can also intercept and redirect navigations. This is all by intentional design, not even the exploit. It is what makes it possible for websites to keep working when temporarily offline, and also what makes mailto links redirect to your in-browser webmail.

Using fetch from there is just working as "intended".
 
Upvote
1 (1 / 0)