Your browser could already be part of a botnet thanks to this dangerous Chrome flaw

If you use Google Chrome, Microsoft Edge, or almost any browser built on Chromium, a newly revealed security flaw could put you at risk without you ever realizing it. There’s no malicious app to install, suspicious pop-up to click, or permissions to approve. In some cases, just opening a website could be enough to trigger it.

After reading a report (via Ars Technica), we learned that the issue was discovered by independent security researcher Lyra Rebane, who privately reported it to Google back in late 2022. Nearly two and a half years later, the vulnerability is reportedly still unpatched — and now proof-of-concept exploit code is publicly available.

At the center of the problem is Browser Fetch, a web standard designed for convenience at any cost. It allows browsers to continue downloading large files or videos in the background, even if you close a tab. But according to Rebane’s findings, attackers can abuse that same system to create long-lasting background connections between your browser and a remote server. This means a malicious website could quietly turn your browser into a tiny piece of someone else’s cyberattack infrastructure.

Imagine opening what looks like a completely normal website — maybe a recipe page, a Reddit link, or a random search result. Behind the scenes, that site could establish a persistent connection that keeps running long after you leave the page. Your browser could then be used as an anonymous proxy, help relay malicious traffic, participate in distributed denial-of-service (DDoS) attacks, or even expose limited details about your browsing activity.

What makes this particularly uncomfortable is how invisible it can be. On some Chromium browsers, the connection may survive even after the browser or the entire computer restarts. An average person would have almost no way of realizing that anything unusual happened. And yes, that’s the scary part: this doesn’t behave like traditional malware. Everything happens inside the browser itself.

According to Rebane, Google engineers initially acknowledged the report as a “serious vulnerability” and internally classified it as S1, which is the company’s second-highest severity rating. Yet despite that classification, the bug appears to have lingered in Chromium’s bug tracker for roughly 29 months without a fix reaching users.

Rebane, who has previously reported Chrome security issues, says slow responses are unfortunately common. But even by browser-security standards, a delay this long is difficult to ignore. Her theory is that the vulnerability fell into an awkward gray area: dangerous enough to matter, but not catastrophic enough to trigger immediate action because it doesn’t directly expose files, passwords, or emails.

Still, the broader implications are hard to brush aside. A vulnerability that can silently conscript browsers into a lightweight botnet is not exactly minor — especially when Chromium powers not just Chrome and Edge, but a huge chunk of the modern web browser ecosystem.

Detecting whether you’ve been affected is also frustratingly vague. Rebane notes that Microsoft Edge may briefly show a downloads-related pop-up without any actual file appearing. Chrome can behave similarly, though even that warning may disappear after the first time. Most people would probably dismiss it as a browser hiccup and move on.

Right now, there’s no publicly confirmed fix, and Google hasn’t clarified when a patch might arrive. That leaves users in an awkward position: knowing a serious browser exploit exists while having very little they can realistically do about it. For now, the safest approach is to avoid sketchy websites and be careful with unknown links.