Google publishes exploit code threatening millions of Chromium users
Posted by CircumspectCapybara@reddit | programming | View on Reddit | 9 comments
nightcracker@reddit
I think the real story is that this exploit was known but wasn't fixed for more than two years.
Randomboy89@reddit
I just found a bug; we're not going to report it for two years, but in the meantime we're going to use it to extract information.🤣
Gwaptiva@reddit
Someone else must have found out about it and is threatening to go public
twigboy@reddit
Nobody got time for bug fixes when there's AI money to funnel
ToffeeTangoONE@reddit
Two years is the part that really sticks out here. That is a massive window for something this serious.
Altruistic-Spend-896@reddit
Ha, I don't use that shit
sunychoudhary@reddit
This is the downside of shared browser infrastructure. A PoC against Chromium does not only affect Chrome users. It potentially affects every downstream consumer that pulls Chromium code on a different cadence. The security reality is not “is there a patch upstream?” It is “how long until every downstream browser, Electron app, embedded runtime, and managed fleet actually ships it?” That lag is where exploit code becomes dangerous.
chumbaz@reddit
This seems innocuous, but why bother releasing it early if the submitter wasn’t going to release it? It sounds like a lot of other things they submitted also took time to resolve?
cafk@reddit
Chromium made the discussion, proof of concept exploit & commits to fix it public, as they assumed it was fixed and then redacted the issue again.