A serious vulnerability disclosed in Chromium’s Blink rendering engine could cause many Chromium-based browsers to crash within seconds.
Security researcher Jose Pino, who detailed the flaw, code-named it “Brash.”
“By exploiting an architectural flaw in how certain DOM operations are managed, any Chromium browser can collapse in 15 to 60 seconds,” Pino said of the technical details of the flaw.
The core of Brash lies in the lack of rate limiting on updates to the “document.title” API, resulting in millions of possible attacks. [document object model] Mutations per second not only crashes the web browser but also reduces system performance as CPU resources are allocated to this process.
The attack unfolds in three steps –
Hash generation or preparation phase. To maximize the impact of the attack, the attacker preloads into memory 100 unique hex strings of 512 characters that act as seeds for browser tab title changes at each interval. Burst injection phase. A burst of 3 consecutive document.title updates is performed, injecting approximately 24 million updates per second with default settings (burst: 8000, interval: 1 ms). UI thread saturation phase. Many updates saturate the browser’s main thread, causing the browser to become unresponsive and requiring a force close.
“A key feature that makes Brush more dangerous is that it can be programmed to run at specific moments,” Pino said. “An attacker can inject code with a temporary trigger and remain dormant until a precise, predetermined time.”
“This dynamic timing capability transforms Brash from a destructive tool to a time-precise weapon. Attackers control not only the ‘what’ and ‘where’ but also the ‘when’ with millisecond precision.”
This also means that this attack could act like a logic bomb configured to detonate at a specific time or after a certain amount of time, while avoiding initial inspection or detection. In a hypothetical attack scenario, simply clicking on a specially crafted URL would trigger an action and cause unintended consequences.
This vulnerability affects Google Chrome and all web browsers running on Chromium, including Microsoft Edge, Brave, Opera, Vivaldi, Arc Browser, Dia Browser, OpenAI ChatGPT Atlas, and Perplexity Comet. Mozilla Firefox and Apple Safari are based on WebKit and are therefore immune to the attack, as are all third-party browsers on iOS.
Hacker News has reached out to Google for further comment on its findings and plans for a fix. I will update the article if I receive a response.
Source link
