Your browser could already be part of a botnet thanks to this dangerous Chrome flaw
Source: Android Authority
TL;DR
- A recently disclosed Chromium vulnerability could allow malicious websites to silently hijack browsers like Chrome and Edge without downloads, pop‑ups, or user interaction.
- The exploit abuses Browser Fetch, a feature meant for background downloads, potentially turning browsers into lightweight botnets for proxying traffic or DDoS attacks.
- Security researcher Lyra Rebane reported the flaw to Google in 2022, but the issue remains unpatched nearly 29 months later despite being internally classified as a serious S1 vulnerability.
If you use Google Chrome, Microsoft Edge, or almost any browser built on Chromium, a newly revealed security flaw could put you at risk without you ever realizing it. There’s no malicious app to install, suspicious pop‑up to click, or permissions to approve. In some cases, just opening a website could be enough to trigger it.
Discovery and Reporting
The issue was discovered by independent security researcher Lyra Rebane (infosec.exchange/@rebane2001), who privately reported it to Google in late 2022. Nearly two and a half years later, the vulnerability is still unpatched, and proof‑of‑concept exploit code is now publicly available.
“Google engineers initially acknowledged the report as a ‘serious vulnerability’ and internally classified it as S1, the company’s second‑highest severity rating.” – Rebane
How the Exploit Works
At the core of the problem is Browser Fetch, a web standard that lets browsers continue downloading large files or videos in the background, even after a tab is closed. Rebane’s research shows that attackers can abuse this mechanism to create long‑lasting background connections between the victim’s browser and a remote server. This enables a malicious site to:
- Turn the browser into an anonymous proxy.
- Relay malicious traffic.
- Participate in distributed denial‑of‑service (DDoS) attacks.
- Expose limited details about the user’s browsing activity.
The connection can persist even after the browser or the entire computer restarts, making detection extremely difficult. Unlike traditional malware, the entire operation occurs inside the browser process.
Impact on Users
- Stealthy operation: Users may notice no visible symptoms.
- Potential persistence: On some Chromium browsers, the malicious connection survives restarts.
- Limited user control: No straightforward way for an average user to detect or stop the activity.
Detection
Detecting infection is vague:
- Microsoft Edge: May briefly show a downloads‑related pop‑up without an actual file.
- Google Chrome: Can display a similar transient warning that often disappears after the first occurrence.
Most users would likely dismiss these as normal browser hiccups.
Current Status and Mitigation
- No public fix: Google has not released a patch nor provided a timeline for remediation.
- User guidance: Until a fix is available, the safest approach is to avoid sketchy websites and be cautious with unknown links.
Images
