Facepalm: The open-source Chromium project provides the foundation for Google Chrome and many other popular web browsers like Microsoft Edge, Opera, and Brave. When a serious security flaw is discovered in the shared codebase, it can quickly become a widespread threat affecting millions of devices across multiple computing platforms.
Google recently published – and then quickly hid – a potentially dangerous bug found in the Chromium web browser. The security vulnerability was originally discovered in 2022 and still needs to be fixed in Chromium's codebase. According to researcher Lyra Rebane, who first identified the bug four years ago, Google eventually "opened" the bug report without properly vetting what the issue could mean for the web's overall security.
Rebane explained that the bug involves Chromium's Background Fetch API, which can trigger a persistent Service Worker after a user visits a "malicious" web page. Google describes Service Workers as specialized JavaScript components that act as intermediaries between web browsers and servers, providing improved reliability through offline functionality and faster page performance.
Rebane's proof-of-concept code for the bug created a Service Worker that continued running even after a device or browser restart. While not inherently dangerous on its own, the Service Worker could potentially be abused to track user activity online through timestamps, IP address logs, and other telemetry data. In more severe scenarios, it could execute remotely stored payloads, participate in denial-of-service attacks against specific targets, and even be incorporated into a distributed botnet with limited malicious capabilities.
Rebane said that the code Google inadvertently disclosed could make exploiting the vulnerability relatively straightforward. However, turning the flaw into a botnet-like infection would still require additional effort and sufficient technical expertise.
After being privately informed in 2022, Mountain View classified the bug as "P1" – the second-highest priority level – with an "S2" severity rating.
Google reportedly took no action on Rebane's report for 46 months before unexpectedly making the bug details public. Chrome developers later moved quickly to close the report again, but the page had already been archived and remains accessible online, along with Rebane's PoC code.

The researcher initially believed the bug had been made public because Google had finally fixed it. However, she later realized that the proof-of-concept was still functional and that no actual fix had been implemented.
Creating a Service Worker would trigger a download dialog in Google Chrome, while Microsoft Edge would effectively execute the same behavior without notifying the user. Mozilla Firefox and Apple Safari do not support the Background Fetch API, which means they are likely not affected by this specific issue.
