Google accidentally exposed details of unfixed Chromium flaw

A security researcher says Google’s accidental exposure of details about an unfixed Chromium flaw made it far easier to build a “permanent JS botnet” using Service Workers—code that can keep running after the browser is closed. The issue affected all major Chr
The moment the exploit stopped feeling theoretical, it became urgent.
Security researcher Lyra Rebane had reported a Chromium issue that could keep JavaScript running in the background even after a Chromium-based browser is closed—something she says can be abused for remote code execution on a visitor’s device. The problem, she said, hinges on a Service Worker that can be used to create a malicious webpage that never terminates, such as by staging a download task designed to keep going indefinitely.
Rebane’s warning wasn’t abstract. In the original bug report, she wrote that it’s “realistic to get tens of thousands of pageviews for creating a ‘botnet’, and people won’t be aware that JavaScript can be remotely executed on their device.”
The Chromium Issue Tracker thread shows the issue was reported by Rebane and acknowledged as valid in December 2022. In the time since, the risk profile grew clearer: an attacker could exploit the bug to create botnet-like behavior, including scenarios such as using compromised browsers to launch distributed denial-of-service (DDoS) attacks, proxying malicious traffic, and arbitrarily redirecting traffic to target sites.
That threat doesn’t stay inside one product. The flaw impacts all Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc.
Even with that broad reach, the fix and the timeline didn’t settle cleanly. On October 26, 2024, a Google developer noticed the issue was still open and described it as a “serious vulnerability” that needed a status update “to ensure that there’s progress.”
This year, on February 10, the issue was marked as fixed—then reopened just minutes later after concerns were raised. Because it was considered a security issue, the bug’s labels were updated so it could move through the Chrome Vulnerability Rewards Program (VRP) Panel. The issue was marked as fixed again on February 12, though the patch had not been shipped.
Rebane was notified by an automated email that she had been awarded a bug bounty of $1,000.
By May 20, access restrictions on the Chromium Issue Tracker were removed after the bug had been closed for more than 14 weeks and marked as fixed in the system.
But Rebane didn’t accept “marked fixed” as the end of the story. She tested the fix and found the problem was still present in Chrome Dev 150 and Edge 148.
“Back in 2022, I found a bug that would let me, with no user interaction, turn any Chromium-based browser into a permanent JS botnet member,” Rebane said in a post yesterday. She added that in Edge, “you wouldn’t even notice anything out of place, and would stay connected to the C2 even after closing the browser.”
After noticing the exploit still worked, Rebane concluded that Google had likely published the details by mistake. In her account, the download pop-up that had appeared earlier when triggering the exploit no longer comes up in the latest Edge—making the behavior more difficult to spot.
“OH NO I JUST REALIZED THIS IS NOT ACTUALLY PROPERLY FIXED AND STILL WORKS,” Rebane posted on Mastodon. “Even worse, Edge no longer even makes the download menu pop up, so it’s completely silent JS RCE that keeps running even after you close the browser!!, all from just visiting a single website once!!”
She said the issue was made private again, but the exposure lasted long enough for the information to leak.
Rebane told Ars Technica that Google’s exposure would make exploitation “pretty easy,” though she also said scaling it into a large botnet is more complicated. She clarified that the bug does not bypass browser security boundaries and doesn’t give attackers access to a victim’s emails, files, or the host operating system.
Still, the combination of a Chromium-wide weakness and leaked details changes the urgency. With risk to a large number of users, Google is expected to treat the situation as high priority, and emergency fixes are likely.
BleepingComputer reached out to Google for comment on the exposure, but had not received a response by publication.
So wait Google “accidentally exposed” a botnet thing but they’re just gonna fix it later? Sounds like typical tech company stuff.
I don’t even know what a Service Worker is, but if it can run after you close the browser… that’s creepy as hell. Are we supposed to just trust all the big browsers now?
People keep saying “botnet” like it’s some sci-fi thing but I’ve seen DDoS targets before, so this seems connected. Also, if the fix got reopened then what does that even mean, like they fixed it but then broke it again? Idk. Wouldn’t antivirus catch the JS?
This is why I only use Safari, because Chromium bugs always spread to everything. Like Chrome, Edge, Brave, all of them, same problem. If JavaScript can “remotely execute” then that’s basically hacking without even clicking a link right? I’m tired.