Google Publishes Exploit Code Threatening Millions of Chromium Users

The Chromium engine powers more than 70 % of global web traffic through browsers such as Chrome, Edge, Brave and Opera. A vulnerability in its Browser Fetch API, first reported to Google in late 2022, has now lingered for 42 months without a patch. Instead of quietly fixing the flaw, Google inadvertently uploaded a proof‑of‑concept exploit to its public bug tracker, where it was quickly archived and remains accessible. This misstep exposes the challenges of maintaining a massive open‑source codebase where security triage can span years.

The exploit abuses the background fetch feature to spawn a service worker that survives browser restarts and even device reboots. Once active, the worker can open silent connections, relay traffic for anonymous proxying, monitor browsing habits, or amplify denial‑of‑service attacks. Because the code runs in any site the user visits, a single compromised page can enlist thousands of browsers into a low‑level botnet. While Chrome’s fetch usage averages only about 17 completed files per user per day, the same API is enabled in Edge, Brave, Vivaldi and Arc, widening the attack surface.

The incident reignites debate over responsible disclosure and the timing of public releases. Publishing PoC code before a fix gives attackers a ready‑made weapon, while delayed patches leave users exposed for years. Companies that rely on Chromium must now audit their use of background fetch and consider disabling it until Google issues an update. For the broader security community, the episode underscores the need for clearer internal escalation paths and faster remediation cycles within large open‑source projects. Until the flaw is patched, vigilance around unexpected download dialogs remains essential.