Millions of Chrome and Edge Users Exposed To Alarming Exploit by Google Security Blunder
This Chromium exploit utilizes malicious JavaScript code and a gap within Chromium's Fetch UI that allows remote monitoring and control of the user's browser and lays the groundwork for further exploitation, should a compatible vulnerability appear. Infected devices can then be utilized as a botnet, allowing average victims' devices and browsers to be used for purposes such as DDoS attacks or routing illegal web traffic.

Per Ars Technica's interview with Lyra Rebane, the researcher who discovered the exploit, using the exploit code published by Google would be "pretty easy" even though additional work is required to scale it for botnet purposes. Fortunately, this also means that attacks most likely aren't yet in the wild. However, since the vulnerability was discovered 46 months ago, and Google has yet to confirm a timeline for a fix, the outlook is deeply concerning. Rebane attests the unconventional nature of the attack to the long time it's taken to fix, but also doubts that it's being used against browsers beyond Chrome and Edge. It is particularly concerning for Edge users, though, since the telltale phantom Download popup does not appear, whereas it's more consistently shown on Chrome.
While Google has shown a remarkable long-term commitment to juicing up Chrome's security and features, major exploits like these and the regular cycle of malicious Web Store extension reveals do raise some concerns. While it is nice that this particular Chromium Fetch UI exploit was kept under the radar so long, the fact that it's taken over three and a half (soon four) years to fix is deeply concerning. There's also no guarantee that attackers weren't already aware of the exploit before Google inadvertently publicized it. We'd advise any existing Chrome, Edge, or Chromium-based browser users who have ever noticed odd behavior from the Download button perform a full wipe and reinstall of their browsers immediately.