An exposed Chromium browser flaw could negatively impact Microsoft Edge, Google Chrome, and other Chromium-based browsers, according to Android Authority. The issue is triggered by opening a malicious website.
Chromium is an open-source project that is the foundation for Google Chrome, Microsoft Edge, Brave, Opera, and other popular web browsers.
The Exposed Chromium Browser Flaw
The malware is difficult to detect because the attack occurs within the browser itself. Reportedly, the vulnerability involves Browser Fetch. This is a web standard that allows browsers to collect files in the background.
According to security researchers, attackers can establish long-lasting connections in the background between a Chromium browser and a remote server. In some cases, the connection remains after the user leaves the malicious website. Some Chromium-based browsers may even preserve the connection after the computer restarts.
The DIscovery
The issue was discovered by an independent security researcher, Lyra Rebane, who disclosed the issue privately to Google in 2022. Google engineers rated the concern an S2 severity; it remained unresolved for several months.
Rebane reports that eventually, Google opened the bug report without properly vetting how the issue would affect the web’s overall security.
Now, a proof-of-concept exploit is publicly available, and there are concerns that the remote players will more widely experiment with the technique.
Researchers warn the flaw may allow malicious websites to use browsers as proxy nodes for nefarious infrastructure. Reportedly, the exploit does not steal passwords, emails, or files directly, but exposes limited browsing-related data while assisting attackers in routing traffic through unsuspecting users.
Due to the fact that the virus operates within the browser itself, traditional antivirus tools could struggle to detect the activity, and it may go unnoticed by users.
Some Chromium browsers may show a downloads-related warning or pop-up without an actual file appearing; however, most users will likely dismiss the behavior as a browser glitch.
Currently, there is no reliable way for users to verify if their browser has been impacted, according to researchers. Additionally, there is no Chromium patch available at this time. The recent discovery raises concerns about modern browsers’ ability to handle long-running background activity.
The Response
Recently, Google disclosed a potentially dangerous bug in the Chromium web browser, and then quickly hid the discovery.
Rebane asserts that Google did not take any action for 46 months before publishing the details of the bug publicly. Later, Chrome developers quickly moved to close the report again, but the page was archived and accessible online.
Initially, Rebane believed Google had fixed the bug and then made the announcement public, but later realized the proof-of-concept remained functional and was not actually fixed.
In Google Chrome, creating a Service Worker triggers a download dialog, while Microsoft Edge responds with the same behavior but without notifying the user. Mozilla Firefox and Apple Safari do not support the Fetch API and are likely not affected by this issue.
Sources:
Windows Report: Chrome Botnet Flaw Could Let Malicious Websites Hijack Browsers in the Background
TechSpot: Google accidentally published a four-year-old Chromium security bug, then tried to hide it again
BleepingComputer: Google accidentally exposed details of unfixed Chromium flaw
Featured Image Courtesy of BMN Network’s Flickr Page – Creative Commons License
Discover more from Guardian Liberty Voice
Subscribe to get the latest posts sent to your email.