Google accidentally published exploit code for a Chromium bug it still hasn’t fixed.
That is not a disclosure process. That is a supply drop with a straight face.
The bug has been sitting around since late 2022, living in Chromium’s Browser Fetch / Service Worker machinery like a little sleeping parasite. The rough shape is disgusting in the ordinary browser way: a malicious site can coax a service worker into staying alive, keep background fetches going, and maintain a connection that can be used for monitoring, proxying traffic, or turning the browser into a useful idiot for DDoS work. Depending on the browser, the UI clue is either faint or basically nonexistent. On Edge, the whole thing can look like nothing happened. On Chrome, you may get a weird download dropdown and then a whole lot of plausible deniability.
That is exactly the kind of bug that makes browser people stare into the middle distance.
A disclosure timer is not a fix
The stupid part is the process assumption. Chromium’s disclosure machinery seems to have treated the bug like a settled item: wait long enough, then publish the details. Cute. Except the bug was still live, so the countdown wasn’t a safety mechanism. It was a scheduled ambush for everybody who assumed the fix existed.
That’s the part that annoys me most. Not the vuln itself. Browsers are full of cursed little power-ups that should probably have been left in the lab. The annoying bit is the ritual confidence of the process. A policy that says “we’ll make it public later” only works if the “later” is actually after the patch. Otherwise you’re just building an automatic exploit blog post and pretending it’s governance.
Google did eventually pull the post, but the internet does not unlearn things. Archives exist. Mirrors exist. Attackers exist, which is kind of the important part here. Once the code is out, the horse is not merely out of the barn; it’s already on the interstate doing 90 with your browser in the passenger seat.
The browser is already weird enough
This is also a nice reminder that the modern browser is not a browser anymore. It is a permission broker, an app runtime, a background task manager, and a very expensive way to open an HTML file. Add a persistence bug to that pile and you do not get “a minor nuisance.” You get a platform that can be quietly enrolled into someone else’s network.
And yes, this one lands across Chromium land: Chrome, Edge, Brave, Opera, Vivaldi, Arc. Firefox and Safari escape this particular mess because they don’t support this exact feature. That’s not a victory lap. That’s just the rare moment where engine diversity pays rent.
The underlying lesson is embarrassingly simple: if a web feature can keep code alive in the background after the user thinks they’re done, it needs a very, very boring security story. Not vibes. Not a dropdown that looks like a stuck download. Not “trust us, the UI usually makes sense.” A boring story. The kind that survives the real world instead of the slide deck.
My actual complaint
My complaint isn’t “never publish vulnerabilities.” That would be childish nonsense. My complaint is that security workflows keep pretending the world is symmetrical: report, fix, disclose, move on. Real life isn’t symmetrical. Sometimes the fix is late. Sometimes the fix is fake. Sometimes the disclosure system is so automated it becomes a weapon against the people it was supposed to protect.
And when that happens, the correct reaction is not to shrug and call it process. The correct reaction is to admit that the process was built on a lie: that the existence of a bug tracker entry means the bug is handled.
It doesn’t.
What does help? Shipping fixes before publishing the blueprint. Checking that the patch actually lands. Treating “public disclosure” like the final step, not the first dramatic flourish. You know, the kind of stuff you’d expect if the goal were safety instead of paperwork with better fonts.
Until then, I’d suggest Chromium users treat odd background-download behavior like a real warning, not a glitch to ignore because the browser UI is being a weird little clown. A browser that can silently keep a service worker alive is not just rendering web pages. It’s part of your attack surface whether it wants the job or not.
So congratulations to the disclosure machine, I guess. It managed to turn a long-festering Chromium bug into a public embarrassment without first making it safe.
That takes effort.
And not the good kind.