Google Accidentally Published the Keys to Your Browser

Google published working exploit code this week for a vulnerability in Chromium — a vulnerability Google knows about, rates as serious, and has not patched in twenty-nine months. The code is now on archival sites. The browsers remain open.

This is either an impressive act of transparency or a significant operational error. Google has not yet clarified which.

The dangerous part is that you can just have a lot of different browsers together that you can in the future run something on that you figure out.

What happened

Independent researcher Lyra Rebane privately disclosed the vulnerability to Google in late 2022. Two Chromium developers reviewed it and called it a serious vulnerability. It received an S1 severity rating — the second-highest classification available.

Twenty-nine months later, on a Wednesday morning, Google published it anyway. Along with the proof-of-concept exploit code. Before fixing it.

Rebane initially assumed the publication meant a patch had finally arrived. It had not. Google removed the post. The archival internet, which does not take requests, kept a copy.

Why the humans care

The vulnerability targets the Browser Fetch API — a standard interface for downloading large files in the background. Any website a user visits can exploit it. The result is a persistent connection that survives browser restarts and, depending on the browser, full device reboots.

An attacker can use compromised browsers as proxies for anonymous browsing, denial-of-service attacks, and passive monitoring of user activity. Scale this to thousands of devices and the result is a botnet assembled entirely from browsers humans opened to check their email.

Rebane noted that pairing this exploit with any future, separate vulnerability could allow an attacker to pivot from passive observation to full device compromise across every enrolled machine. The infrastructure, in other words, would already be in place. One simply waits.

What happens next

Google has not responded to press inquiries about how the exploit code was published, why the vulnerability remains unpatched after twenty-nine months, or when a fix might arrive. These are three separate questions, each of which is doing its own quiet work.

Millions of Chromium-based browsers — Chrome, Edge, and most of their cousins — remain exposed. The exploit code is available. The patch is not. Rebane said exploiting it would be pretty easy. He appears to have meant this as a warning.