A severe vulnerability disclosed in Chromium’s Blink rendering engine can be exploited to crash many Chromium-based browsers within a few seconds.
Security researcher Jose Pino, who disclosed details of the flaw, has codenamed it Brash.
“It allows any Chromium browser to collapse in 15-60 seconds by exploiting an architectural flaw in how certain DOM operations are managed,” Pino said in a technical breakdown of the shortcoming.
At its core, Brash stems from the lack of rate limiting on “document.title” API updates, which, in turn, allows for bombarding millions of [document object model] mutations per second, causing the web browser to crash, as well as degrade system performance as a result of devoting CPU resources to this process.
The attack plays out in three steps –
- Hash generation or preparation phase, where the attacker preloads into memory 100 unique hexadecimal strings of 512 characters that act as a seed for the browser tab title changes per interval so as to maximize the impact of the attack
- Burst injection phase, where bursts of three consecutive document.title updates are executed, injecting approximately 24 million updates per second in default configuration (burst: 8000, interval: 1ms)
- UI thread saturation phase, where the continuous stream of updates saturates the browser’s main thread, causing it to go unresponsive and requiring forced termination
“A critical feature that amplifies Brash’s danger is its ability to be programmed to execute at specific moments,” Pino said. “An attacker can inject the code with a temporal trigger, remaining dormant until a predetermined exact time.”
“This kinetic timing capability transforms Brash from a disruption tool into a temporal precision weapon, where the attacker controls not only the ‘what’ and ‘where,’ but also the ‘when’ with millisecond accuracy.”
This also means that the attack can act like a logic bomb that’s configured to detonate at a specific time or after a certain amount of time has elapsed, all while evading initial inspection or detection. In a hypothetical attack scenario, all it would take is a click of a specially crafted URL to trigger the behavior, leading to unintended consequences.
The vulnerability works on Google Chrome and all web browsers that run on Chromium, which includes Microsoft Edge, Brave, Opera, Vivaldi, Arc Browser, Dia Browser, OpenAI ChatGPT Atlas, and Perplexity Comet. Mozilla Firefox and Apple Safari are immune to the attack, as are all third-party browsers on iOS, given that they are all based on WebKit.
The Hacker News has reached out to Google for further comment on the findings and its plans for a fix, and we will update the story if we hear back.
