Google publishes exploit code threatening millions of Chromium users
Google has published exploit code for an unfixed vulnerability in Chromium, threatening millions of users of Chrome, Microsoft Edge, and other Chromium-based browsers.

Google on Wednesday published proof-of-concept code that exploits a previously unknown vulnerability in the Chromium browser codebase. The flaw affects millions of users of Google Chrome, Microsoft Edge, and virtually all other browsers built on Chromium. The exploit targets the Browser Fetch programming interface, a standard that enables the background downloading of large files, such as long videos.
By leveraging this vulnerability, an attacker could establish a connection that monitors certain aspects of a user's browser activity and use the browser as a proxy to view websites and launch denial-of-service attacks. Notably, these connections can persist even after the browser is restarted or the device is rebooted. The vulnerability can be exploited by any website a user visits, effectively creating a limited backdoor that makes the device part of a botnet.
The capabilities of this exploit are constrained to the same actions a browser can perform, such as visiting malicious sites, providing anonymous proxy browsing, enabling proxied DDoS attacks, and monitoring user activity. Nevertheless, the exploit has the potential to allow an attacker to control thousands, possibly millions, of devices. While the current exploit is limited in its capabilities, it could serve as a precursor to a more comprehensive compromise.
If a separate vulnerability were to become available, an attacker could use it to compromise all the devices under their control. This could lead to a significant escalation of malicious activity. "The proof-of-concept code exploits the Browser Fetch programming interface," said Google.
The company did not provide an immediate fix or timeline for patching the vulnerability.
Source: Ars Technica