{"id":9246,"date":"2025-11-29T18:36:46","date_gmt":"2025-11-29T18:36:46","guid":{"rendered":"https:\/\/www.linkcentre.com\/news\/?p=9246"},"modified":"2025-11-29T19:13:11","modified_gmt":"2025-11-29T19:13:11","slug":"a-newly-found-browser-flaw-can-crash-sessions-in-seconds","status":"publish","type":"post","link":"https:\/\/www.linkcentre.com\/news\/a-newly-found-browser-flaw-can-crash-sessions-in-seconds\/","title":{"rendered":"A Newly Found Browser Flaw Can Crash Sessions in Seconds"},"content":{"rendered":"

A critical flaw has been uncovered in browsers built on the open-source Chromium platform - impacting popular options such as Google Chrome and Microsoft Edge. Security researcher Jose Pino<\/strong>, who revealed the issue this week, explained that the vulnerability \u201ccan cause any Chromium-based browser to crash within 15 to 60 seconds by exploiting a design weakness.\u201d<\/p>\n

The \u201cBrash\u201d Attack Explained<\/h3>\n

The flaw, which Pino has dubbed \u201cBrash,\u201d<\/strong> targets Blink<\/strong>, the rendering engine responsible for displaying web pages in Chromium browsers. By repeatedly sending requests to Blink through the \u201cdocument.title\u201d<\/strong> property of a web page, an attacker can overload the system.<\/p>\n

According to Pino\u2019s findings shared on GitHub, Blink processes every change to document.title<\/code> synchronously and without rate limiting<\/strong>, meaning it handles each update one by one on the main thread. This lack of restriction creates a performance bottleneck that can be abused. \u201cThe result is heavy CPU usage, sluggish performance, and the potential for the entire browser session to freeze or crash,\u201d Pino wrote.<\/p>\n

Demonstration and Impact<\/h3>\n

To illustrate the vulnerability, Pino developed a proof-of-concept website that triggers the attack. During tests, the page successfully crashed Chrome<\/strong> on both desktop and Android devices. Other Chromium-based browsers - including Brave, Opera, and ChatGPT\u2019s Atlas<\/strong> - were also affected. In contrast, browsers that don\u2019t use Chromium, such as Mozilla Firefox<\/strong> and Apple Safari<\/strong>, are not vulnerable.<\/p>\n

How It Works<\/h3>\n

Pino\u2019s proof of concept floods Blink\u2019s API with roughly 24 million updates per second<\/strong>, causing the browser to collapse under the load. While the exploit does not compromise user data or passwords, it can still disrupt browsing sessions and slow down the entire system.<\/p>\n

Response and Fix<\/h3>\n

When asked why a patch has not yet been issued, Pino told The Register<\/em> that he decided to publicly disclose the flaw<\/strong> after his initial private report two months earlier went unanswered. He hopes the exposure will prompt action to protect users. Google has since acknowledged the report and is reportedly investigating a fix - likely involving rate-limiting measures<\/strong> to prevent such overloads in the future.<\/p>\n

This incident serves as a reminder that even widely trusted open-source platforms can harbor vulnerabilities - and that timely collaboration between researchers and developers is crucial to keeping the web safe.<\/p>\n","protected":false},"excerpt":{"rendered":"

A critical flaw has been uncovered in browsers built on the open-source Chromium platform - impacting popular options such as Google Chrome and Microsoft Edge. Security researcher Jose Pino, who revealed the issue this week, explained that the vulnerability \u201ccan cause any Chromium-based browser to crash within 15 to 60 seconds by exploiting a design…<\/span><\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":9247,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":[]},"categories":[5],"tags":[620],"class_list":["post-9246","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-business","tag-browser"],"jetpack_publicize_connections":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.linkcentre.com\/news\/wp-json\/wp\/v2\/posts\/9246","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.linkcentre.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.linkcentre.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.linkcentre.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.linkcentre.com\/news\/wp-json\/wp\/v2\/comments?post=9246"}],"version-history":[{"count":1,"href":"https:\/\/www.linkcentre.com\/news\/wp-json\/wp\/v2\/posts\/9246\/revisions"}],"predecessor-version":[{"id":9248,"href":"https:\/\/www.linkcentre.com\/news\/wp-json\/wp\/v2\/posts\/9246\/revisions\/9248"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.linkcentre.com\/news\/wp-json\/wp\/v2\/media\/9247"}],"wp:attachment":[{"href":"https:\/\/www.linkcentre.com\/news\/wp-json\/wp\/v2\/media?parent=9246"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.linkcentre.com\/news\/wp-json\/wp\/v2\/categories?post=9246"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.linkcentre.com\/news\/wp-json\/wp\/v2\/tags?post=9246"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}