A serious vulnerability disclosed in Chromium’s Blink rendering engine could cause many Chromium-based browsers to crash within seconds.
Security researcher Jose Pino, who detailed the flaw, gave it the code name cheeky.
“By exploiting an architectural flaw in how certain DOM operations are managed, any Chromium browser can collapse in 15 to 60 seconds,” Pino said of the technical details of the flaw.
The core of Brash is that there is no rate limit on “document.title” API updates. This results in millions of (Document Object Model) mutations per second, which not only crashes the web browser, but also reduces system performance by allocating CPU resources to this process.
The attack unfolds in three steps –
- Hash generation or preparation phase. To maximize the impact of the attack, the attacker preloads into memory 100 unique hex strings of 512 characters that serve as seeds for changing the title of the browser tab at each interval.
- Burst injection phase. A burst of three consecutive document.title updates is performed, injecting approximately 24 million updates per second with default settings (burst: 8000, interval: 1 ms).
- UI thread saturation phase. The continuous update stream saturates the browser’s main thread, causing the browser to become unresponsive and requiring a force close.
“A key feature that makes Brush more dangerous is that it can be programmed to run at specific moments,” Pino said. “An attacker can inject code with a temporary trigger and remain dormant until a precise, predetermined time.”
“This dynamic timing capability transforms Brash from a destructive tool to a time-precise weapon. Attackers control not only the ‘what’ and ‘where’ but also the ‘when’ with millisecond precision.”
This also means that this attack could act like a logic bomb configured to detonate at a specific time or after a certain amount of time, while avoiding initial inspection or detection. In a hypothetical attack scenario, simply clicking on a specially crafted URL would trigger an action and cause unintended consequences.
This vulnerability affects Google Chrome and all web browsers running on Chromium, including Microsoft Edge, Brave, Opera, Vivaldi, Arc Browser, Dia Browser, OpenAI ChatGPT Atlas, and Perplexity Comet. Mozilla Firefox and Apple Safari are based on WebKit and are therefore immune to the attack, as are all third-party browsers on iOS.
Hacker News has reached out to Google for further comment on its findings and plans for a fix. I will update the article if I receive a response.
