# **”Ghost in the Browser: Google’s Accidental Leak Reveals Critical Chromium Flaw That Runs Code Even After You Close It”**
3 min read
Furthermore, Google has accidentally exposed details of an unfixed Chromium security flaw. Moreover, this vulnerability allows JavaScript to run in the background even after a user closes their browser. Consequently, an attacker could exploit this bug to run malicious code on a victim’s device without their knowledge.
Additionally, the flaw affects all Chromium-based browsers, including Chrome, Edge, and Brave. Importantly, a security researcher first reported this issue back in 2022, but it was never properly fixed. Therefore, the accidental leak now makes it significantly easier for attackers to exploit this bug against a large number of users.
Crucially, potential attacks could include launching DDoS attacks and silently redirecting traffic. Similarly, users would have no idea their browser is compromised. Hence, Google is expected to release emergency patches very soon to address this urgent risk.
| Date | Event / Action | Status / Outcome |
|---|---|---|
| December 2022 | Security researcher Lyra Rebane reports the vulnerability in Chromium’s Service Worker | Acknowledged as valid; bug remains unfixed for years |
| October 26, 2024 | Google developer flags the issue as a “serious vulnerability” requesting a status update | Still open; no patch developed yet |
| February 10–12, 2026 | Bug marked as fixed, then reopened; later closed again and a $1,000 bounty is awarded | Marked fixed in the system, but no actual patch was shipped |
| May 20, 2026 | All access restrictions removed after 14+ weeks; details become public; Rebane tests the fix | Details exposed; researcher finds exploit still works in Chrome Dev 150 and Edge 148 |
| Late May 2026 (present) | Issue made private again; Google urged to release emergency fix due to leaked details | Significant risk to users; exploit stealthier in latest Edge (no download pop-up) |
Chromium Flaw Details Leaked
In addition, a security researcher found a bug letting a malicious webpage run code on devices. Consequently, it affects all Chromium-based browsers for everyone. Similarly, the flaw can create a hidden botnet on a person’s device. Therefore, the recent data leak makes the exploit easier for attackers. Specifically, Google’s mistake now puts many people at risk until a fix is sent.
Unfixed Flaw Puts Millions at Risk
This indicates a serious and persistent risk in all Chromium-based browsers. Therefore, attackers can create silent botnets from users simply visiting a webpage. Moreover, the exploit is now stealthier, making it more dangerous than originally understood. Consequently, urgent fixes are needed to protect everyone using these browsers.
“It’s realistic to get tens of thousands of pageviews for creating a ‘botnet’, and people won’t be aware that JavaScript can be remotely executed on their device.”
Ultimately, Google accidentally exposed an unfixed security risk in Chromium. In conclusion, this flaw lets JavaScript run after the browser closes. Looking ahead, attackers could use this for harmful activities. Therefore, all users of Chromium-based browsers are affected. Thus, urgent patches are needed. Hence, we must wait for a permanent fix. In summary, the leaked details increase the danger. To conclude, browser developers should act quickly. Finally, everyone should stay alert for updates.
Ultimately, the accidental exposure of details for an unfixed vulnerability poses a direct risk to everyone using Chromium browsers. Consequently, malicious actors may now find it easier to exploit this flaw, which allows harmful code to run silently in the background even after a browser is closed. Thus, this situation highlights a critical failure in handling sensitive security information.
Therefore, urgent and transparent action from developers is required to issue a proper fix. In summary, users deserve prompt protection, and this incident shows the need for better processes to safeguard everyone’s digital security. Accordingly, trust in these widely used browsers depends on swift and responsible resolution.
