Google Leaks Details for Chromium Bug that Can Turn Browsers Into Bots
Why It Matters
The flaw gives threat actors a stealthy foothold in millions of browsers, turning ordinary users into unwitting bots and amplifying the scale of web‑based attacks. Its persistence challenges existing browser security models and pressures vendors to revise API specifications.
Key Takeaways
- Chromium's Service Worker can stay alive indefinitely via rapid fetch toggling
- Persistent workers expose user IP, timestamps, and User-Agent data
- Exploit enables invisible background downloads that survive browser closure
- Google, Microsoft have not fully patched the bug after three years
Pulse Analysis
The vulnerability stems from the way Chromium implements the Service Worker and Background Fetch APIs, features introduced to improve offline capabilities and large file handling. By repeatedly creating and aborting background fetches every 20 seconds, an attacker can prevent the service worker from timing out, effectively granting the script perpetual execution even after the browser is closed. This technique sidesteps the UI safeguards that were added in early 2023, making the malicious activity invisible to end users across Chrome, Edge and other Chromium derivatives.
From a threat‑actor perspective, the persistent service worker becomes a powerful conduit for a range of illicit activities. It can silently download and run crypto‑mining scripts, exfiltrate browsing data such as IP addresses and User‑Agent strings, or launch coordinated distributed denial‑of‑service attacks by flooding target sites with requests from compromised browsers. Because the code runs in the browser’s trusted context, it can also serve as a launchpad for exploiting future zero‑day flaws or delivering WebAssembly payloads, dramatically expanding the attack surface of the web ecosystem.
The disclosure highlights a systemic issue: browser vendors rely on API specifications that lack hard limits on worker lifetimes. Fixing the problem will likely require changes to the underlying spec, imposing strict timeouts or abort conditions for background fetches. In the meantime, enterprises should tighten content security policies, monitor anomalous network traffic from browsers, and consider supplemental endpoint protection that can detect unusual background activity. The episode underscores the need for continuous security audits of open‑source components that power the majority of the internet’s user‑facing software.
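One way to act on the traffic-monitoring advice above, as an added example (not code from the article or from any vendor): it flags client/host pairs whose requests repeat at the roughly 20-second cadence described earlier. The log layout, addresses, host names and thresholds are assumptions, as is the premise that each fetch cycle produces a request visible at the proxy.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def parse(line):
    """Parse 'ISO-timestamp client host' (hypothetical proxy-log layout)."""
    ts, client, host = line.split()
    return datetime.fromisoformat(ts), client, host

def find_fixed_cadence(lines, period=20.0, tolerance=3.0, min_hits=10, max_jitter=2.0):
    """Return (client, host, hits, median_gap) for flows repeating at ~period seconds."""
    flows = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, client, host = parse(line)
            flows[(client, host)].append(ts)
    findings = []
    for (client, host), stamps in sorted(flows.items()):
        if len(stamps) < min_hits:
            continue  # too few requests to judge a cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        # Jitter is the median absolute deviation of the gaps: interactive
        # browsing is bursty, a timer-driven worker is not.
        jitter = median(abs(g - mid) for g in gaps)
        if abs(mid - period) <= tolerance and jitter <= max_jitter:
            findings.append((client, host, len(stamps), mid))
    return findings

def constructed_sample():
    """Constructed log lines: one timer-like flow and one bursty browsing flow."""
    t0 = datetime(2025, 1, 1, 2, 0, 0)
    timer = [0, 20, 41, 60, 80, 101, 120, 140, 160, 181, 200, 220]
    bursty = [0, 1, 2, 45, 46, 300, 301, 302, 900, 905, 1800, 1801]
    lines = [f"{(t0 + timedelta(seconds=s)).isoformat()} 10.0.0.5 cdn.example.test"
             for s in timer]
    lines += [f"{(t0 + timedelta(seconds=s)).isoformat()} 10.0.0.7 news.example.test"
              for s in bursty]
    return lines

if __name__ == "__main__":
    for finding in find_fixed_cadence(constructed_sample()):
        print(finding)
```

A fixed cadence also matches legitimate polling, so hits are leads to check against the destination and whether the browser was supposed to be open at the time.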