Researchers warn that publicly available proof-of-concept code exposes a 29-month-old Chromium Browser Fetch API flaw that can create persistent service-worker connections, letting attackers monitor activity, proxy traffic, or assemble limited botnets. The vulnerability, reported privately to Google in late 2022 and rated high severity, remained unpatched before an accidental public posting; Google removed the post but archived copies remain accessible. The disclosure heightens risk for Chrome, Edge and other Chromium-based browsers. Meanwhile, emerging stealth Chromium builds and Playwright-compatible forks that aim to evade bot detection highlight growing tensions between automation tools and platform security, raising the stakes for timely patches and mitigations.
Public exploit code for a long-standing Chromium Fetch API flaw raises immediate risks for developers and security teams who rely on Chromium-based browsers and automation tools. Timely mitigations and patching are critical to prevent attackers from leveraging persistent service-worker connections for surveillance, traffic proxying, or limited botnets.
Dossier last updated: 2026-05-21 02:56:16
Google mistakenly published proof-of-concept exploit code for a 29-month-old, still-unfixed vulnerability in the Chromium codebase that affects Chrome, Edge and most Chromium-based browsers. The exploit abuses the Browser Fetch API and a service worker to create persistent background connections that let attackers proxy traffic, monitor browsing, and mount proxied DDoS attacks; connections may persist across reboots in some browsers. Researcher Lyra Rebane privately reported the bug in late 2022 and rated it high severity; Chromium developers labeled it S1. Google briefly posted the details to the public bug tracker before removing them, but the code is archived and poses a risk until a patch is issued. This raises concerns about disclosure processes and remediation delays for browser security.
feder-cr/invisible_playwright: Stealth Firefox that passes every bot detection test. Drop-in Playwright replacement.
Google published public proof-of-concept exploit code for a high-severity Chromium vulnerability tied to the browser engine, which researchers warn could put millions of Chromium-based users at risk. The disclosure followed internal remediation steps and coordination with downstream vendors, but the released code makes it easier for attackers to weaponize the bug against Chromium forks like Microsoft Edge and Brave. This matters because many browsers and apps rely on the Chromium engine, so a working exploit can broaden impact beyond Chrome, accelerating exploit attempts until vendors ship patches. Developers, security teams and users should prioritize updates and mitigations from browser vendors and monitor advisories.
Google accidentally published proof-of-concept exploit code for an unfixed 29-month-old Chromium vulnerability in the Browser Fetch API, exposing users of Chrome, Edge and other Chromium-based browsers to stealthy persistent connections. Discovered and privately reported by researcher Lyra Rebane in late 2022 and rated S1 (second-highest), the flaw lets any visited website spin up a service worker that remains active to proxy traffic, monitor activity, and enable proxied DDoS attacks; connections can persist across launches and sometimes device reboots. Google briefly posted the exploit to the Chromium tracker, then removed it, but archival copies and the code remain available while no patch has been released. The exposure raises concerns about long triage delays and large-scale abuse potential if the bug is weaponized.
Google accidentally published proof-of-concept exploit code for a Chromium vulnerability in the Browser Fetch API that has gone unfixed for 29 months, can be triggered by any website, and creates persistent service-worker connections. The exploit lets attackers monitor browser activity, proxy traffic, and mobilize browsers into limited botnets for anonymous browsing or DDoS proxying; connections may persist across reboots depending on the browser. Independent researcher Lyra Rebane privately reported the issue to Google in late 2022; Chromium developers rated it S1 (second-highest), but it remained unpatched. Google removed the public post, but the exploit code is archived and remains accessible, raising urgent security concerns for Chrome, Edge, and other Chromium-based browsers.
Stealth Chromium that passes every bot detection test. Drop-in Playwright replacement with source-level fingerprint patches. 30/30 tests passed. Language: Python. Stars: 10. Forks: 2. Contributors: Cloak-HQ.