Google publishes Chromium exploit code
- Google published proof-of-concept exploit code on May 22 for a still-unfixed Chromium vulnerability tied to Background Fetch, according to a public bug report.
- The issue was first reported in late 2022 by researcher Lyra Rebane and remained unfixed after more than 42 months.
- Chromium’s public issue tracker and Chrome security update guidance remain the key places to watch for a patch.
Google has published proof-of-concept exploit code for a still-unfixed Chromium vulnerability, according to a public bug report and a May 22 report by Cyber Security News. The issue affects Chromium-based browsers because it sits in Chromium’s codebase, the open-source project used by Google Chrome, Microsoft Edge and others. Researcher Lyra Rebane first reported the flaw in late 2022, and the bug remained open more than 42 months later, according to the report.

Chromium’s own security documentation says proof-of-concept code is a normal part of vulnerability reporting, but Chrome’s update guidance also says unpatched and newly disclosed flaws can raise risk for users who do not update quickly when fixes arrive.

### What exactly was published?

Google’s Chromium project allows researchers to submit bug reports with technical details, reproduction steps and proof-of-concept material, according to Chromium security documentation. In this case, the public issue describes a “Unicode Homoglyph Path Injection in Native Messaging Manifest” and includes a warning from the reporter that technical details are now essentially public while the vulnerability remains unpatched. (cybersecuritynews.com)

Cyber Security News separately reported on May 22 that exploit code had been made public for a critical Chromium bug that could be abused through browser behavior.

### Which Chromium behavior is at the center of the risk?

Cyber Security News said the flaw involves Chromium’s Background Fetch feature, which lets downloads continue through service workers. Rebane said that mechanism could be abused to create never-ending background tasks that maintain communication with attacker-controlled infrastructure. The report said a malicious or compromised website could use that behavior to keep a covert channel open from a victim’s browser, with some implementations potentially persisting even after the browser is closed or the system is rebooted. (issues.chromium.org)

### Why does a proof-of-concept matter if there is no patch yet?

Chromium’s security process encourages reporters to include proofs of concept because they help demonstrate that a bug is real and reproducible. But the same public disclosure can lower the barrier for other researchers — and potentially attackers — to study the flaw once technical details are visible. The reporter on the public issue said the attack complexity was low and named affected software categories including password managers, crypto wallets and enterprise security tools. (cybersecuritynews.com)

That issue tracker note is the clearest available indication of why the disclosure is drawing attention before a fix.

### Which browsers and users could be exposed?

Chromium is the codebase behind Google Chrome and many other browsers, so a Chromium bug can affect multiple products until each vendor ships a fix. Cyber Security News said the exposure could extend across Chrome, Microsoft Edge and other Chromium-based browsers. The report also said the exploit could turn a browser into a limited botnet node through a website visit, though it noted the activity would still be constrained by browser sandboxing. (chromium.googlesource.com)

### What should security teams watch now?

Chrome’s security update guidance says almost all Chrome updates contain security fixes and should be prioritized equally. The company says stable milestones are released every four weeks, with refresh releases in between and unscheduled updates for critical issues or known exploitation. For teams using browser-based automation or agent workflows, the next concrete step is to monitor Chromium’s public issue tracker for status changes and browser vendor release channels for a patch tied to the disclosed bug. (cybersecuritynews.com) (chromium.googlesource.com)
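The public issue title quoted above names a Unicode homoglyph in the path of a native messaging host manifest, but the article does not describe the mechanism. One hygiene check a security team can run today, independent of any patch, is to audit the native messaging host manifests installed on managed endpoints and flag any `path` value that contains non-ASCII characters or that changes under Unicode compatibility normalization. The script below is an added example and is not code from the bug report, from Chromium or from Cyber Security News; the two manifests it inspects are constructed, the manifest directories it lists are the documented default locations for Chrome on Linux and macOS (assumed here, and Windows hosts are registered via the registry instead), and it makes no claim about what the actual bug does.

```python
import json
import sys
import unicodedata
from pathlib import Path

# Constructed sample manifests (not taken from the page). The first is a
# well-formed native messaging host manifest. The second is identical except
# that its "path" contains CYRILLIC SMALL LETTER A (U+0430) in place of the
# Latin "a" in "local"; the two render the same but name different files.
GOOD_MANIFEST = {
    "name": "com.example.host",
    "description": "Constructed example host",
    "path": "/usr/local/bin/example_host",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
}
SUSPECT_MANIFEST = dict(GOOD_MANIFEST, path="/usr/loc\u0430l/bin/example_host")

# Assumed default manifest locations for Chrome on Linux and macOS.
DEFAULT_MANIFEST_DIRS = [
    "~/.config/google-chrome/NativeMessagingHosts",
    "/etc/opt/chrome/native-messaging-hosts",
    "~/Library/Application Support/Google/Chrome/NativeMessagingHosts",
    "/Library/Google/Chrome/NativeMessagingHosts",
]


def non_ascii_chars(text):
    """Return (offset, char, Unicode name) for every non-ASCII character in text."""
    return [
        (i, ch, unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(text)
        if ord(ch) > 0x7F
    ]


def audit_manifest(manifest):
    """Return a list of human-readable findings for one parsed manifest dict."""
    findings = []
    path = manifest.get("path", "")
    if not isinstance(path, str) or not path:
        return ["manifest has no usable 'path' field"]
    # Any non-ASCII code point in a host binary path deserves a look: legitimate
    # hosts are installed under ASCII paths in practice, and look-alike letters
    # from other scripts are exactly what a homoglyph path relies on.
    for offset, ch, name in non_ascii_chars(path):
        findings.append(f"path[{offset}]: U+{ord(ch):04X} {name}")
    # Fullwidth or otherwise decomposable forms change under NFKC; a path that
    # is not its own NFKC form is another signal of confusable characters.
    if unicodedata.normalize("NFKC", path) != path:
        findings.append("path is not NFKC-normalized")
    return findings


def audit_directory(directory):
    """Audit every *.json manifest in a directory; returns {filename: findings}."""
    results = {}
    for manifest_file in sorted(Path(directory).expanduser().glob("*.json")):
        try:
            with open(manifest_file, encoding="utf-8") as f:
                manifest = json.load(f)
        except (OSError, ValueError) as exc:
            results[manifest_file.name] = [f"unreadable manifest: {exc}"]
            continue
        results[manifest_file.name] = audit_manifest(manifest)
    return results


def main(dirs=DEFAULT_MANIFEST_DIRS):
    """Print findings for every manifest found in the given directories."""
    exit_code = 0
    for directory in dirs:
        for name, findings in audit_directory(directory).items():
            for finding in findings:
                print(f"{directory}/{name}: {finding}")
                exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:] or DEFAULT_MANIFEST_DIRS))
```

Run it with no arguments to scan the assumed default directories, or pass one or more directories explicitly. The check is deliberately coarse: a non-ASCII path is not proof of tampering, but it is rare enough for a host binary that every hit is worth confirming by hand against the file the path actually resolves to.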