
Google posts Chromium browsers' proof-of-concept exploit code without a fix


Google accidentally exposed proof-of-concept exploit code for an unpatched Chromium vulnerability affecting Chrome, Edge, Brave, Opera, and other Chromium-based browsers, leaving users at risk of persistent browser hijacking. The flaw, reported by researcher Lyra Rebane in late 2022, remained unresolved for over 42 months and could enable limited botnet activity or DDoS attacks, though Google claims a fix is in development.

Google inadvertently published working exploit code for an unpatched vulnerability in Chromium-based browsers, including Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc. The issue, disclosed in a since-removed post on the Chromium bug tracker, abuses the Background Fetch API to create persistent browser connections that survive restarts. If a user visits a malicious site, an attacker can use the hijacked browser as a proxy for their own browsing or as a node in DDoS attacks.

The vulnerability was first reported by security researcher Lyra Rebane in late 2022 and was internally classified by Google as high priority. Despite this, it remained unfixed for over 42 months, with Rebane noting long delays in Chromium security patching. The exploit does not grant system-level access, but researchers warn that large-scale abuse could still pose a significant risk.

The affected browsers all ship Chromium's Background Fetch feature; Firefox and Safari do not support it and are therefore unaffected. The exploit is triggered by malicious JavaScript, which can set up hidden background connections, although some browsers may briefly show a suspicious download prompt (Background Fetch is designed to surface download progress in the browser UI).

Google later deleted the post but confirmed it is working on a patch. There is no evidence of widespread exploitation yet, but the accidental release of exploit code increases the risk that attackers weaponize the flaw before a fix ships. The company has not given a timeline for a fix.
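The article names the Background Fetch API as the mechanism and notes that browsers without it are unaffected. The following is an added example, not code from the article or from the Chromium project: it feature-detects the API (so a site or a user can confirm whether their browser exposes it at all) and, for the site's own origin, enumerates background fetch registrations and aborts any that are still in progress. Background Fetch registrations are scoped per origin, so this is a self-check for site operators, not a way to inspect another site's fetches. It assumes the browser follows the Background Fetch specification (BackgroundFetchManager.getIds() and .get(id), BackgroundFetchRegistration.result and .abort()); the fake registration at the end is constructed so the functions can be exercised outside a browser.

```javascript
// Added example, not from the article. Checks for Background Fetch support
// and aborts this origin's still-pending background fetches.

// Feature detection: the API is exposed as a BackgroundFetchManager
// constructor on the global object in Chromium-based browsers. Firefox and
// Safari lack it, matching the article's note that they are unaffected.
function backgroundFetchSupported(globalObj = globalThis) {
  return typeof globalObj === 'object' && globalObj !== null &&
    'BackgroundFetchManager' in globalObj;
}

// Walks registration.backgroundFetch (a BackgroundFetchManager) and aborts
// every fetch whose result is still '' (pending per the spec; it becomes
// 'success' or 'failure' once settled). Returns a summary of what was seen
// and what was aborted instead of only logging it.
async function abortPendingBackgroundFetches(registration) {
  const manager = registration && registration.backgroundFetch;
  if (!manager) return { supported: false, seen: [], aborted: [] };
  const seen = [];
  const aborted = [];
  for (const id of await manager.getIds()) {
    const bgFetch = await manager.get(id);
    if (!bgFetch) continue; // raced with completion or removal
    seen.push({ id, result: bgFetch.result, downloaded: bgFetch.downloaded });
    if (bgFetch.result === '' && await bgFetch.abort()) aborted.push(id);
  }
  return { supported: true, seen, aborted };
}

// Browser usage (from a page that has a service worker registered):
//   if (backgroundFetchSupported()) {
//     navigator.serviceWorker.ready
//       .then(abortPendingBackgroundFetches)
//       .then(summary => console.log(summary));
//   }

// Constructed stand-in for a ServiceWorkerRegistration (assumption, not a
// real browser object) so the logic above can run under Node.
function makeFakeRegistration(fetches) {
  const byId = new Map(fetches.map(f => [f.id, {
    ...f,
    aborted: false,
    abort() { this.aborted = true; return Promise.resolve(true); },
  }]));
  return {
    backgroundFetch: {
      getIds: async () => [...byId.keys()],
      get: async id => byId.get(id) || null,
    },
    _byId: byId,
  };
}
```

Run from a page on your own origin, the second function tells you whether any Background Fetch registrations are lingering for that origin; it cannot see or cancel registrations created by a malicious site, so it is a hygiene check rather than a mitigation for the reported flaw.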

This content was automatically generated and/or translated by AI. It may contain inaccuracies. Please refer to the original sources for verification.
