Google Accidentally Exposed Unfixed Chromium Flaw Details
Recently, Google inadvertently disclosed information about a persistent issue in Chromium that allows JavaScript to continue running in the background even after the browser is closed, potentially enabling remote code execution on the affected device.
The security vulnerability was initially identified by researcher Lyra Rebane and was officially recognized as valid in December 2022, as documented in the Chromium Issue Tracker.
Exploiting the flaw could involve a malicious webpage that registers a Service Worker kept alive indefinitely by a long-running task, such as a download, which an attacker could then use to execute JavaScript on unsuspecting visitors’ devices.
In the original bug report, Rebane expressed concerns about the potential of creating a ‘botnet’ by exploiting the flaw, highlighting the alarming prospect of remote JavaScript execution without user knowledge.
Various malicious activities could be carried out through exploiting this vulnerability, such as launching distributed denial-of-service (DDoS) attacks, redirecting traffic to malicious sites, and proxying harmful traffic.
It’s important to note that this issue affects all browsers based on Chromium, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc.
Continued Vulnerability
On October 26, 2024, a Google developer flagged the issue as still open, noting that it was a security vulnerability requiring prompt attention so that work towards a fix could progress.
In February 2024, the problem was marked as fixed, only to be reopened shortly after due to unresolved concerns.
Given the security implications, the bug’s labels were updated so that it could be reviewed by the Chrome Vulnerability Rewards Program (VRP) Panel, and it was formally marked as fixed on February 12, even though no patch had been deployed.
Following the resolution, Rebane was notified via an automated email that she had been granted a bug bounty of $1,000.
Access restrictions on the Chromium Issue Tracker were lifted on May 20, as the bug had remained closed for over 14 weeks and was marked as resolved within the system.
However, on the same day, Rebane verified that the issue persisted in Chrome Dev 150 and Edge 148, indicating that the fix had not completely addressed the underlying problem.
Reflecting on the situation, Rebane recalled the discovery of the bug back in 2022 and highlighted the potential for turning any Chromium-based browser into a permanent JavaScript botnet member without user interaction.
Despite efforts to address the flaw, the exploit still functioned, prompting Rebane to suspect that Google inadvertently disclosed crucial details about the issue.
Furthermore, the latest Edge version no longer shows the download pop-up, making the exploit even more discreet and harder for users to notice.
Expressing concern over the situation, Rebane shared her realization on Mastodon, emphasizing the persistent threat posed by the exploit that could silently execute JavaScript code even after the browser is closed.
Although the bug was eventually made private again, the exposure period was sufficient for critical information to be leaked to potential threat actors.
Regarding the potential exploitation, Rebane acknowledged that Google’s inadvertent disclosure could significantly facilitate attacks, making it easier for malicious actors to exploit the vulnerability.
However, she clarified that the bug did not circumvent browser security boundaries or grant attackers access to sensitive data like emails, files, or the host operating system.
Given the severity of the situation, the widespread risk to users, and the inadvertent exposure, Google is likely to prioritize addressing the issue promptly by releasing emergency fixes.
BleepingComputer reached out to Google for a statement on the incident but had not received a response at the time of publication.