back in 2022 i found a bug that would let me, with no user interaction, turn any chromium-based browser into a permanent js botnet member

in edge, you wouldn't even notice anything out-of-place, and would stay connected to the c2 even after closing the browser

today, almost 4 years later, the bug is finally public:
https://issues.chromium.org/issues/40062121

OH NO I JUST REALIZED THIS IS NOT ACTUALLY PROPERLY FIXED AND STILL WORKS 💀💀

even worse, edge no longer even makes the download menu pop up, so it's completely silent js rce that keeps running even after you close the browser !!

all from just visiting a single website once !!

issue set to private again, hopefully it'll get fixed properly this time :p
@rebane2001 Nice find! I should have woken up earlier to see the details. 😅
@rebane2001 fucking embarrassing
@rebane2001 Well, too late, it has already been archived :x

@SamantazFox out of curiosity, where? the archive.org captures don't load for me

edit: ty :)

@rebane2001 @SamantazFox It's on archive.today/.is/.ph. Only go there with a content blocker; you're DDoSing a small blog otherwise: https://gyrovague.com/2026/02/01/archive-today-is-directing-a-ddos-attack-against-my-blog/

@Lenni @rebane2001 @SamantazFox

Archive.today is rolling out Google's QR reCaptcha as well, paired with altering snapshots; seems like a potential vector for a bad time.

https://mstdn.social/@milagemayvary/116601485354673260

@milagemayvary @Lenni @rebane2001 @SamantazFox

archive.org has already scrubbed archives of incriminating words by sex offenders like Andrew Tate, Vitalik Buterin, and a DOGE staffer, so really, who can I wing for?

@PuppyFromLosAndes @Lenni @rebane2001 @SamantazFox

I assume we're speaking of Kiwi Farms?

Is it scrubbed from archive.org, or is it present for research purposes?

I would assume they have kept the data, I think they would respond to a subpoena with the snapshot.

After about 10 minutes of searching, I'm not entirely sure if archive.today has been used as admissible evidence in a court room, let alone successfully.

IANAL, I feel like this is a legal quagmire & legally safer to exclude?

@Lenni @rebane2001 @SamantazFox
I do genuinely wonder why the blog's author is so interested in doxing archive.is's operator?
The response of getting DDoSed by the operator does also make it look like they hit close.
@rebane2001 really cool work. Didn't realize this sort of bug class even existed. Hope they up the bounty; this seems worth more than $1000
@rebane2001 could you test vivaldi? :D

@Viss @rebane2001 it's mentioned in an Ars Technica article that Vivaldi is also vulnerable.

>Other browsers Rebane confirmed as vulnerable include Brave, Opera, Vivaldi, and Arc.

@rebane2001 I guess it's a good thing I asked 😂
@rebane2001 So much for Edge having “the added trust of Microsoft”.
@rebane2001 Is this what they call a 1259 day?
@henry_null @rebane2001 Cue Microsoft issuing a press release accusing Rebane of "violating coordinated vulnerability best practices." They've barely had time to react, after all...
@EdCates @rebane2001 I mean it's them who made it public first, I guess 🤷 https://issues.chromium.org/issues/40062121#comment56

@rebane2001 I've got a dumb question: Is this something that can be mitigated with a uBlock filter? It reads like it could be but I don't know this stuff well.
@rebane2001 @cR0w And with NoScript?
@Strabisme @cR0w yes, provided you disable js or service workers on the page

@rebane2001 @cR0w Didn't try, but in theory, full (Manifest v2) uBO should be able to inject a CSP policy that sets worker-src 'none';

https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#csp

Probably something like
||$csp=worker-src 'none'
to disable service workers everywhere?

@rebane2001 @cR0w (I assume using it like that might break extensions that use service workers? Can an extension inject CSP headers into a different extension? No idea.)

Anyways, turns out someone wrote up exactly that at some point: https://bonina.eu/web/disable-service-workers-chromium-browsers/


@rebane2001 well that's not good...
@rebane2001 BeEF module ftw! 🎉
@rebane2001 Service Workers working as intended… :|
@rebane2001 So they have fixed the bug. The one with the download menu popping up during eval.
@rebane2001 fucking spectacular.
@rebane2001 if you disable running in background in edge does it still run if closed?