A serious and currently unpatched vulnerability in the Chromium Blink rendering engine poses a significant threat to users, potentially crashing numerous Chromium-based browsers within seconds. This flaw can lead to a denial-of-service condition, and in some scenarios, it can freeze the host operating system. The security researcher Jose Pino discovered this issue and developed a proof-of-concept exploit named Brash to illustrate the vulnerability that affects billions of users globally.
According to StatCounter, Chrome holds over 70% of the browser market, and that figure does not include the other Chromium-based browsers such as Microsoft Edge, OpenAI's ChatGPT Atlas, Brave, and Vivaldi. With the International Telecommunication Union estimating 5.5 billion internet users, Chrome alone is likely used by more than 3 billion people.
The exploit takes advantage of a fundamental architectural vulnerability in Blink. Pino tested the proof-of-concept on 11 major browsers across platforms including Android, macOS, Windows, and Linux, finding that it successfully caused crashes in nine of them within a period ranging from 15 to 60 seconds. The vulnerability affects Chromium versions 143.0.7483.0 and later.
Pino explained, “The attack vector originates from the complete absence of rate limiting on document.title API updates. This allows injecting millions of DOM mutations per second, and during this injection attempt, it saturates the main thread, disrupting the event loop and causing the interface to collapse.”
Testing conducted by The Register on Edge demonstrated that not only did the browser crash, but it also caused the Windows machine to lock up after approximately 30 seconds, consuming 18 GB of RAM within a single tab. Pino reported that he first disclosed the issue to the Chromium security team on August 28 and followed up two days later but did not receive a response.
The implications of this flaw extend beyond mere browser crashes. Pino noted that each company shipping a Chromium-based browser has customized its functionality, suggesting that fixes may need to be tailored for each browser. He stated, "The problem is more serious than it seems…" Because document.title updates are not throttled, a single page can push Blink past any reasonable resource-consumption limit.
The attack consists of three phases. First, the attacker loads 100 unique hexadecimal strings of 512 characters into memory; Pino emphasized that the strings must be unique for the attack to be effective. Second, the page executes bursts of three consecutive document.title updates; with Pino's default configuration, that amounts to roughly 24 million update attempts per second, which is enough to crash the browser. Third, the updates continue without pause, saturating the browser's main thread, consuming substantial CPU and memory and preventing it from processing other events.
During an attack, tabs typically freeze within five to ten seconds, followed by an "unresponsive page" message between ten and fifteen seconds, culminating in a required force termination of the browser within 15 to 60 seconds. While this exploit does not lead to ransomware, it can disrupt users' systems and result in the loss of unsaved work. Any web page could harbor the malicious JavaScript, raising concerns that cybercriminals could plant it on targeted sites.
The Register reached out to the developers of the nine affected browsers, including Chrome, Edge, Vivaldi, Arc, Dia, Opera, Perplexity Comet, ChatGPT Atlas, and Brave, to inquire about their plans to address the vulnerability. Seven companies did not respond; however, Google indicated it is looking into the issue, and Brave stated that it does not have any custom behavior regarding document.title. A representative from Brave commented, “We will implement the fix when provided by Chromium.”
Pino also tested two browsers utilizing different rendering engines, Firefox (Gecko engine) and Safari (WebKit engine), both of which remained unaffected by the attack, as did all browsers operating on iOS, which also use WebKit. He ultimately decided to publish the proof-of-concept to raise awareness about this severe issue impacting a broad range of internet users, especially after his initial report received no timely response.
