Google accidentally exposed details of unfixed Chromium flaw

By primereports, May 21, 2026

Google has accidentally leaked details about an unfixed issue in Chromium that keeps JavaScript running in the background even when the browser is closed, allowing remote code execution on the device.

The flaw was reported by security researcher Lyra Rebane and acknowledged as valid in December 2022, as per the thread on Chromium Issue Tracker.

An attacker could exploit the problem to create a malicious webpage with a Service Worker, such as a download task, that never terminates. Rebane says that this could allow an attacker to execute JavaScript code on the visitors’ devices.

“It’s realistic to get tens of thousands of pageviews for creating a ‘botnet’, and people won’t be aware that JavaScript can be remotely executed on their device,” Rebane says in the original bug report.

Potential exploitation scenarios include using compromised browsers to launch distributed denial-of-service (DDoS) attacks, proxying malicious traffic, and arbitrarily redirecting traffic to target sites.

The issue impacts all Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc.

Persistent bug

On October 26, 2024, a Google developer noticed that the issue was still open and described it as a “serious vulnerability” that needed a status update “to ensure that there’s progress.”

This year, on February 10, the issue was marked as fixed and reopened just a few minutes later due to several concerns.

Since it was a security problem, the labels for the bug were updated so it could go through the Chrome Vulnerability Rewards Program (VRP) Panel, and the issue was marked as fixed on February 12, although a patch had not been shipped.

An automated email informed Rebane that she had been awarded a bug bounty of $1,000.

All access restrictions on Chromium Issue Tracker were removed on May 20, since the bug had been closed for more than 14 weeks and marked as fixed in the system.

On the same day, Rebane tested the fix and noticed that the problem was still present in Chrome Dev 150 and Edge 148.

“Back in 2022, I found a bug that would let me, with no user interaction, turn any Chromium-based browser into a permanent JS botnet member,” the researcher said in a post yesterday.

“In Edge, you wouldn’t even notice anything out of place, and would stay connected to the C2 even after closing the browser.”

After noticing that the exploit still worked, the researcher realized that Google had likely published the details by mistake.

To make matters worse, the download pop-up that previously appeared when the exploit was triggered no longer comes up in the latest Edge, making the exploit even stealthier.

“OH NO I JUST REALIZED THIS IS NOT ACTUALLY PROPERLY FIXED AND STILL WORKS,” posted Rebane on Mastodon.

“Even worse, Edge no longer even makes the download menu pop up, so it’s completely silent JS RCE that keeps running even after you close the browser !! all from just visiting a single website once !!”

Although the issue was made private again, the exposure lasted long enough for the information to leak.

Rebane told Ars Technica that Google’s exposure would make exploitation “pretty easy,” although scaling it into a large botnet is more complicated.

She also clarified that the bug does not bypass browser security boundaries and doesn’t give attackers access to the victim’s emails, files, or the host OS.

Given that the issue details have been leaked, the risk to a large number of users is significant, and Google will most likely treat this as urgent, releasing emergency fixes soon.

BleepingComputer has reached out to Google for a comment on this exposure, but we have not received a response by publication.

