On Wednesday, Google unveiled exploit code for a persistent vulnerability in its open-source Chromium browser, putting millions of users at risk. The flaw exploits the Browser Fetch protocol to secretly monitor and potentially hijack web browsing sessions across Chrome, Edge, and other Chromium-based browsers.

The proof-of-concept code allows attackers to maintain connections that persist even after a browser or device restarts. This can turn any affected machine into part of a botnet capable of launching DDoS attacks or monitoring user activity. The vulnerability has been unfixed for 29 months, remaining unknown except to Chromium developers until Google’s premature disclosure.

Lyra Rebane, the independent researcher who discovered the flaw in late 2022 and reported it privately to Google, described the situation as concerning. While she noted that scaling the exploit to affect large numbers of devices would be more complex, two Chromium developers confirmed its severity with a rating of S1.

Despite Google’s removal of the post, the exploit code remains accessible on archival sites, raising serious concerns about digital security and the potential for widespread exploitation by cybercriminals or state actors. The incident highlights the ongoing challenges in managing vulnerabilities in open-source projects while maintaining user trust and safety.