Google accidentally disclosed details of an unfixed Chromium bug

Google accidentally leaked information about an unfixed issue in Chromium that keeps JavaScript running in the background even when the browser is closed, allowing remote code execution on the device.
The bug was reported by security researcher Lyra Rebane and confirmed as working in December 2022, according to a thread on the Chromium Issue Tracker.
An attacker could exploit the vulnerability by creating a malicious web page that uses a Service Worker to start an operation, such as a download, that never completes. Rebane says this could allow an attacker to execute JavaScript code on visitors’ devices.
“It makes sense to get tens of thousands of page views to create a ‘botnet’, and people won’t know that JavaScript can be executed remotely on their device,” Rebane said in the original bug report.
Possible exploit scenarios include using vulnerable browsers to launch distributed denial-of-service (DDoS) attacks, acting as a proxy for malicious traffic, and improperly redirecting traffic to target sites.
The issue affects all Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc.
A persistent bug
On October 26, 2024, a Google developer noted that the issue was still open and described it as a “critical vulnerability” that required a status update “to ensure continuity.”
This year, on February 10, the issue was marked as fixed, only to be reopened a few minutes later because of several concerns.
Since it was a security issue, the bug’s labels were updated to route it to the Chrome Vulnerability Rewards Program (VRP) panel, and the issue was marked as fixed again on February 12, although a patch had not yet been submitted.
An automated email notified Rebane that he had been awarded a $1,000 bug bounty.
Access restrictions on the issue in the Chromium Issue Tracker were lifted on May 20, because the bug had been closed for over 14 weeks and was marked as fixed in the system.
The same day, Rebane tested the fix and noticed that the problem was still there on Chrome Dev 150 and Edge 148.
“Back in 2022, I discovered a bug that would allow me, without user interaction, to turn any Chromium-based browser into a permanent member of the JS botnet,” the researcher said in a post yesterday.
“In Edge, you wouldn’t even see anything out of place, and you’d stay connected to C2 even after closing the browser.”
After finding that the exploit still worked, the researcher realized that Google might have accidentally published the details.
To make matters worse, the pop-up that previously appeared when the exploit was triggered no longer appears in the latest Edge, making the exploit even more dangerous.
“NO NO I JUST REALIZED THAT THIS IS REALLY WRONG AND IT’S STILL WORKING,” Rebane wrote on Mastodon.
“What’s worse, Edge doesn’t even show the download menu anymore, so it has completely disabled JS RCE which continues to run even after closing the browser!! all from one single website visit!!”
Although the issue was made private again, it remained public long enough for the details to leak.
Rebane told Ars Technica that Google’s exposure would make the exploit “very easy” to reproduce, though scaling it into a larger botnet would be more complex.
He also clarified that the flaw does not bypass the browser’s security protections and does not give attackers access to emails, files, or the host’s OS.
Given that the details of the problem have leaked, the risk to a large number of users is significant, and Google will likely treat this as a priority and issue fixes soon.
BleepingComputer reached out to Google for comment on the disclosure, but did not receive a response by publication.