TL;DR
- A recently disclosed Chromium vulnerability could allow malicious websites to silently hijack browsers like Chrome and Edge without downloads, pop-ups, or user interaction.
- The exploit abuses Browser Fetch, a feature meant for background downloads, to keep persistent connections alive, potentially turning browsers into lightweight botnets for proxying traffic or DDoS attacks.
- Security researcher Lyra Rebane reported the flaw to Google in 2022, but the issue reportedly remains unpatched nearly 29 months later despite being internally classified as a serious S1 vulnerability.
If you use Google Chrome, Microsoft Edge, or almost any browser built on Chromium, a newly revealed security flaw could put you at risk without you ever realizing it. There’s no malicious app to install, suspicious pop-up to click, or permissions to approve. In some cases, just opening a website could be enough to trigger it.
According to a report (via Ars Technica), the issue was discovered by independent security researcher Lyra Rebane, who privately reported it to Google back in late 2022. Nearly two and a half years later, the vulnerability is reportedly still unpatched — and now proof-of-concept exploit code is publicly available.