FACEPALM: The open-source Chromium project provides the foundation for Google Chrome and many other popular web browsers like Microsoft Edge, Opera, and Brave. When a serious security flaw is discovered in the shared codebase, it can quickly become a widespread threat affecting millions of devices across multiple computing platforms.

Google recently published – and then quickly hid – a potentially dangerous bug found in the Chromium web browser. The security vulnerability was originally discovered in 2022 and still needs to be fixed in Chromium's codebase. According to researcher Lyra Rebane, who first identified the bug four years ago, Google eventually "opened" the bug report without properly vetting what the issue could mean for the web's overall security.

Rebane explained that the bug involves Chromium's Background Fetch API, which can trigger a persistent Service Worker after a user visits a "malicious" web page. Google describes Service Workers as specialized JavaScript components that act as intermediaries between web browsers and servers, providing improved reliability through offline functionality and faster page performance.

Using the bug, Rebane's proof-of-concept code created a Service Worker that continued running even after a device or browser restart. While not dangerous on its own, the Service Worker could potentially be abused to track user activity online through timestamps, IP address logs, and other telemetry data. In more severe scenarios, it could execute remotely stored payloads, participate in denial-of-service attacks against specific targets, and even be incorporated into a distributed botnet with limited malicious capabilities.