BOTCHED DISCLOSURE

Google publishes exploit code threatening millions of Chromium users

Google published the exploit code before the vulnerability, reported to it 29 months earlier, was fixed.

Dan Goodin
Chromium Logo
Credit: Chromium

Google on Wednesday published exploit code for an unfixed vulnerability in the Chromium browser codebase it maintains, a flaw that threatens millions of people using Chrome, Microsoft Edge, and virtually all other Chromium-based browsers.

The proof-of-concept code abuses the Background Fetch API, a web standard that lets a site hand off long videos and other large files to the browser for download in the background, even after the page that requested them is closed. An attacker can use the exploit to establish a connection that monitors some aspects of a user's browsing and that can serve as a proxy for visiting sites and launching denial-of-service attacks. Depending on the browser, the connection either reopens or remains open even after the browser, or the device running it, has been restarted.

Unfixed for 29 months (and counting)

The unfixed vulnerability can be exploited by any website a user visits. In effect, a compromise amounts to a limited backdoor that enrolls the device in a botnet with a narrow set of capabilities: the same things a browser can do, such as visiting malicious sites, providing anonymous proxy browsing for others, relaying proxied DDoS traffic, and monitoring user activity. Nonetheless, the exploit could allow an attacker to wrangle thousands, possibly millions, of devices into a single network. Once a separate vulnerability becomes available, the attacker could then use it to compromise all of those devices.

“The dangerous part here is that you can just have a lot of different browsers together that you can in the future run something on that you figure out,” Lyra Rebane, the independent researcher who discovered the vulnerability and privately reported it to Google in late 2022, said in an interview. She said using the exploit code Google prematurely published would be “pretty easy,” although scaling it to wrangle large numbers of devices into a single network would require more work. In the thread of Rebane’s disclosure to Google, two developers said in separate responses that it was a “serious vulnerability.” Its severity was rated S1, the second-highest classification.

Since it was reported 29 months ago, the vulnerability had remained unknown to anyone except Chromium developers. Then on Wednesday morning, the bug report was made public on the Chromium bug tracker. Rebane initially assumed the vulnerability had finally been fixed. Shortly thereafter, she learned that, in fact, it remained unpatched. Google has since removed the post, but it remains available on archival sites, along with the exploit code.

Google representatives didn’t immediately respond to an email asking how and why the report was published and if or when a fix would become available.

Long delays are common

Rebane said she has reported multiple other Chrome or Chromium vulnerabilities that have resulted in patches. She said long delays in fixing them are common, although this instance was the longest.

“I think what happened is sort of nonstandard in that it does not get past any defined security boundaries,” she said. “So this does not let an attacker, for example, access your emails or your computer or something like that. I guess that led to [Google’s] own people getting assigned, or the people who were assigned not understanding it, and then that’s how it took such a long time.”

The exploit code uses the Background Fetch API to register a service worker that remains persistently active. The registration is triggered by JavaScript running on a malicious site. Exploits are particularly hard to detect when run on Edge: the JavaScript “might” open a downloads dropdown, but it adds no items to it, and on later browser launches the dropdown no longer appears. On Chrome, the download dropdown is more persistent. In either case, less experienced users are likely to write the behavior off as a nuisance bug and have no idea their device is compromised.

In the private bug disclosure thread, a developer said that telemetry indicates use of the Background Fetch feature is extremely limited on Chrome, with on average “~17 completed files per user per day.” “That’s pretty solid confirmation that nothing awful is happening at scale,” the developer wrote. It’s not known how widely the feature is used in browsers other than Chrome. Rebane said she doubts the vulnerability is being actively exploited against other browsers.

Nonetheless, the vulnerability poses a risk. Users of Chromium browsers should be suspicious of download dropdowns that appear for no reason. Drilling into the cause and confirming it is the result of this vulnerability being exploited remains more complicated. Other browsers Rebane confirmed as vulnerable include Brave, Opera, Vivaldi, and Arc. Both Firefox and Safari are unaffected because they don’t implement the Background Fetch API.
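A check a user or administrator can run against a site's own service workers, as an added example that is not part of the article and is not Chromium's or the researcher's code: it uses the standard Service Worker and Background Fetch interfaces (navigator.serviceWorker.getRegistrations(), ServiceWorkerRegistration.backgroundFetch.getIds()/get(), BackgroundFetchRegistration.abort(), ServiceWorkerRegistration.unregister()) to list the background-fetch jobs a registration holds and, if wanted, abort them and remove the worker. The sample registrations are constructed for illustration, and flagging any registration with a pending job is a heuristic assumption, since legitimate sites use the API too.

```javascript
// Added example, not from the article or the Chromium project: audit the
// service-worker registrations of the current origin for Background Fetch
// jobs, the mechanism the article says the exploit relies on. Paste into a
// Chromium DevTools console on the origin being inspected. The summary logic
// is kept separate from browser calls so it can be exercised offline.

// Summarise one registration. `ids` is whatever
// ServiceWorkerRegistration.backgroundFetch.getIds() returned for it.
// Treating "has at least one background-fetch job" as worth a look is a
// heuristic assumption for this example: podcast and video sites, for
// instance, use the API legitimately.
function summarizeRegistration(scope, scriptURL, ids) {
  return {
    scope,
    script: scriptURL,
    backgroundFetchIds: [...ids],
    hasBackgroundFetch: ids.length > 0,
  };
}

// Collect summaries for a list of registration-like objects. A real
// ServiceWorkerRegistration exposes `scope`, an active/waiting/installing
// worker with `scriptURL`, and, in Chromium only, `backgroundFetch` with
// getIds(). Firefox and Safari lack `backgroundFetch`, so it is optional here.
async function auditRegistrations(registrations) {
  const report = [];
  for (const reg of registrations) {
    const worker = reg.active || reg.waiting || reg.installing || null;
    const ids = reg.backgroundFetch ? await reg.backgroundFetch.getIds() : [];
    report.push(summarizeRegistration(reg.scope, worker ? worker.scriptURL : null, ids));
  }
  return report;
}

// Browser entry point: inspect the current origin. Returns [] where service
// workers are unavailable (under Node, or in a non-secure context).
async function auditCurrentOrigin() {
  if (typeof navigator === 'undefined' || !('serviceWorker' in navigator)) return [];
  const regs = await navigator.serviceWorker.getRegistrations();
  return auditRegistrations(regs);
}

// Remediation for a flagged registration: abort each background-fetch job
// via BackgroundFetchRegistration.abort(), then unregister the worker.
// Returns the number of jobs that reported a successful abort.
async function purgeRegistration(reg) {
  let aborted = 0;
  if (reg.backgroundFetch) {
    for (const id of await reg.backgroundFetch.getIds()) {
      const job = await reg.backgroundFetch.get(id);
      if (job && (await job.abort())) aborted += 1;
    }
  }
  await reg.unregister();
  return aborted;
}

// Constructed sample data standing in for two registrations: a conventional
// worker with no background fetches, and one holding two pending jobs.
const SAMPLE_REGISTRATIONS = [
  {
    scope: 'https://shop.example/',
    active: { scriptURL: 'https://shop.example/sw.js' },
    backgroundFetch: { getIds: async () => [] },
  },
  {
    scope: 'https://attacker.example/',
    active: { scriptURL: 'https://attacker.example/sw.js' },
    backgroundFetch: { getIds: async () => ['job-1', 'job-2'] },
  },
];

// In a DevTools console:  auditCurrentOrigin().then(console.table)
// Offline run against the constructed data:
auditRegistrations(SAMPLE_REGISTRATIONS).then((report) => console.table(report));
```

A page's console only sees registrations for its own origin, so this is a per-site check rather than a whole-browser sweep; chrome://serviceworker-internals lists every registration the profile holds and is the quicker place to look when an unexplained download dropdown appears.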

Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.