
Chromium Browser DoS Attack via document.title Exploitation


Brash


Brash is a critical vulnerability in Blink, the rendering engine that powers Google's Chromium-based browsers. It can make any Chromium browser collapse within 15-60 seconds by exploiting an architectural flaw in how certain DOM operations are managed.

The attack vector originates from the complete absence of rate limiting on document.title API updates. This allows millions of DOM mutations to be injected per second; the flood saturates the main thread, disrupts the event loop, and causes the interface to collapse. The impact is significant: it consumes high CPU resources, degrades overall system performance, and can halt or slow down other processes running at the same time. Because it affects Chromium browsers on desktop, Android, and embedded environments, this vulnerability exposes over 3 billion people on the internet to system-level denial of service.
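To make the missing control concrete, the following added example (not code from Brash or from Chromium) models a rate limit on title writes: a burst is coalesced so that at most one write per interval reaches the real setter, and only the newest value survives. The names createTitleLimiter, applyTitle, simulateBurst and the 100 ms interval are assumptions chosen for illustration, and the clock and timer are injected so the logic runs outside a browser.

```javascript
// Added illustration: coalescing rate limiter for title writes.
// applyTitle stands in for the real title setter (hypothetical wiring).
function createTitleLimiter(applyTitle, opts = {}) {
  const { minIntervalMs = 100, now = Date.now, schedule = setTimeout } = opts;
  let lastApplied = -Infinity; // time of the last write that reached applyTitle
  let pending = null;          // newest value waiting for the next slot
  let timerArmed = false;      // true while exactly one flush is queued
  const stats = { requested: 0, applied: 0 };

  function flush() {
    timerArmed = false;
    if (pending === null) return;
    const value = pending;
    pending = null;
    lastApplied = now();
    stats.applied += 1;
    applyTitle(value);
  }

  function setTitle(value) {
    stats.requested += 1;
    pending = String(value);   // later writes overwrite earlier ones
    if (timerArmed) return;    // a flush is already queued; it will pick this up
    const wait = lastApplied + minIntervalMs - now();
    if (wait <= 0) flush();
    else { timerArmed = true; schedule(flush, wait); }
  }
  return { setTitle, stats };
}

// Constructed workload: back-to-back writes within one tick of a fake clock.
function simulateBurst(writes = 1000000, minIntervalMs = 100) {
  let clock = 0;
  const timers = [];
  const seen = [];
  const limiter = createTitleLimiter((t) => seen.push(t), {
    minIntervalMs,
    now: () => clock,
    schedule: (fn, delay) => timers.push({ fn, at: clock + delay }),
  });
  for (let i = 0; i < writes; i++) limiter.setTitle("t" + i);
  while (timers.length) {      // advance the fake clock and run queued flushes
    const t = timers.shift();
    clock = Math.max(clock, t.at);
    t.fn();
  }
  return { ...limiter.stats, last: seen[seen.length - 1] };
}
```

With the limiter in place the cost of a burst is bounded by elapsed time rather than by the number of writes requested.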

STATUS: Operational

AFFECTED VERSIONS: Chromium ≤ 143.0.7483.0 (tested: 138.0.7204.251, 141.0.7390.108, 143.0.7483.0)

Note: The exploit is currently operational. Once the vulnerability is patched, this code will cease to work. Regardless, discovering this architectural flaw and completing the entire research, documentation, and design process to share something impactful with the world has been an incredibly rewarding journey.

Testing

11 major browsers were tested on macOS, Windows, and Linux to validate the vulnerability's impact.

Vulnerable (Chromium/Blink)
