Brave Software, Microsoft, Google and Opera: Google Publishes Exploit Code for Unfixed Chromium Vulnerability

Google Releases Exploit Code for Unpatched Chromium Vulnerability, Exposing Millions to Botnet Risks

Google has published proof-of-concept (PoC) exploit code for a critical, unpatched vulnerability in the Chromium codebase, leaving users of Chrome, Microsoft Edge, Brave, Opera, and other Chromium-based browsers vulnerable to stealthy botnet-style attacks. The flaw, reported in late 2022 by security researcher Lyra Rebane, remains unresolved after more than 42 months, despite its Priority 1 (P1) and Severity 2 (S2) classification within Chromium’s internal framework.

The vulnerability resides in the Browser Fetch API, which allows large downloads to continue in the background via Service Workers. Rebane discovered that this mechanism can be abused to create persistent, never-terminating background tasks that maintain continuous communication with attacker-controlled infrastructure. In some cases, particularly with Microsoft Edge, the connection persists even after the browser is closed or the device is rebooted, effectively turning a victim’s browser into a limited botnet node with zero user interaction required.

Attack Mechanics & Risks

The exploit is triggered when a user visits a malicious or compromised webpage, which deploys a Service Worker to initiate an unending background fetch task. This enables remote JavaScript execution on the victim’s device without visible indicators. Rebane warned that attackers could easily scale this attack, potentially compromising tens of thousands of devices without users’ knowledge.

While browser sandboxing limits immediate damage, the vulnerability poses significant risks at scale, including:

  • DDoS attacks – Compromised browsers can flood targets with traffic.
  • Proxy networks – Attackers can route malicious or anonymized traffic through victim devices.
  • Traffic redirection – Users can be silently redirected to attacker-controlled sites.
  • Activity monitoring – Passive tracking of browsing behavior and network telemetry.

The long-term concern is that a pre-established botnet of compromised browsers could serve as a launchpad for future exploits once additional vulnerabilities are discovered.

Criticism & Current Status

Google’s decision to release the PoC before issuing a fix has drawn criticism from the security community. While Chromium developers acknowledged the flaw as a “serious vulnerability”, no complete patch has been deployed. With the exploit code now public, Rebane noted that exploitation is “pretty easy”, though scaling attacks would require additional infrastructure.

Affected Platforms & Mitigations

The vulnerability impacts:

  • Google Chrome
  • Microsoft Edge
  • Brave Browser
  • Opera
  • Other Chromium-based browsers

Until an official patch is released, security teams are advised to:

  • Restrict Service Worker usage via enterprise policies.
  • Disable background fetch features where possible.
  • Monitor for anomalous outbound browser connections.
  • Implement browser isolation in high-risk environments.
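
For the Service Worker and background fetch mitigations above, this added example (not from the article, Google, or the Chromium project) lists and evicts Service Worker registrations that hold an unfinished background fetch, using the standard Service Worker and Background Fetch APIs. It assumes the abusive task is visible through those APIs, which the article does not state, and it only covers the origin it is run on.

```javascript
// Added example. Run in the DevTools console of the origin being checked;
// a page can only see Service Workers registered for its own origin.

// Return the background fetches of one registration that have not finished.
async function pendingFetches(reg) {
  // backgroundFetch is missing in browsers without the Background Fetch API.
  if (!reg.backgroundFetch) return [];
  const pending = [];
  for (const id of await reg.backgroundFetch.getIds()) {
    const bg = await reg.backgroundFetch.get(id);
    // result stays "" until the fetch succeeds or fails.
    if (bg && bg.result === "") pending.push(bg);
  }
  return pending;
}

// Report every registration and its unfinished background fetches.
// `container` is a ServiceWorkerContainer, i.e. navigator.serviceWorker.
async function auditBackgroundFetches(container) {
  const findings = [];
  for (const reg of await container.getRegistrations()) {
    const pending = await pendingFetches(reg);
    findings.push({
      scope: reg.scope,
      script: reg.active ? reg.active.scriptURL : null,
      // downloadTotal 0 means the worker declared no expected size.
      pending: pending.map((bg) => ({
        id: bg.id, downloaded: bg.downloaded, downloadTotal: bg.downloadTotal,
      })),
    });
  }
  return findings;
}

// Abort unfinished fetches and unregister the workers that own them.
// Returns the scopes that were cleaned up.
async function evictPending(container) {
  const cleaned = [];
  for (const reg of await container.getRegistrations()) {
    const pending = await pendingFetches(reg);
    if (pending.length === 0) continue;
    for (const bg of pending) await bg.abort();
    if (await reg.unregister()) cleaned.push(reg.scope);
  }
  return cleaned;
}

// Console usage: console.table(await auditBackgroundFetches(navigator.serviceWorker));
```

A registration whose pending fetch reports a downloadTotal of 0 and keeps growing in downloaded is the pattern worth a closer look before calling evictPending.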

With no patch in sight, the flaw presents an active, exploitable window for threat actors seeking large-scale browser-based botnet infrastructure.

Source: https://cyberpress.org/google-exploit-code-unfixed-chromium/

