Security researcher Jofpin has disclosed “Brash,” a critical flaw in Google’s Blink rendering engine that enables attackers to crash Chromium-based browsers almost instantly.
Affecting billions of users worldwide, this architectural weakness exploits unchecked updates to the document.title API, overwhelming the browser’s main thread and triggering system-wide denial of service without sophisticated tools or privileges.
The vulnerability stems from Blink’s lack of rate limiting on title changes, allowing malicious JavaScript to flood the DOM with millions of mutations per second.
As detailed in Jofpin’s proof-of-concept on GitHub, the attack unfolds in three phases: pre-generating high-entropy strings to avoid CPU overhead, injecting bursts of up to 24 million updates, and saturating the UI thread until collapse.
Browsers freeze within 15 to 60 seconds, spiking CPU usage to extremes that degrade overall system performance and halt concurrent processes.
Tested versions up to Chromium 143.0.7483.0 remain vulnerable, including Chrome, Edge, Opera, Brave, and Vivaldi on desktop, Android, and embedded devices.
Widespread Impact On Chromium Ecosystem
Brash’s reach is staggering, potentially exposing over 3 billion internet users to disruption since Chromium powers the majority of browsers.
On macOS, Windows, and Linux, Chrome crashes in 15-30 seconds under extreme settings, while slower variants like Brave take up to two minutes.
| Browser | Crash Time |
|---|---|
| Chrome | 15-30 seconds |
| Edge | 15-25 seconds |
| Vivaldi | 15-30 seconds |
| Arc Browser | 15-30 seconds |
| Dia Browser | 15-30 seconds |
| Opera | ~60 seconds |
| Perplexity Comet | 15-35 seconds |
| ChatGPT Atlas | 15-60 seconds |
| Brave | 30-125 seconds |
Non-Chromium browsers escape unscathed: Firefox’s Gecko engine and Safari’s WebKit prove immune, as does iOS’s enforced WebKit policy, which bars native Chromium apps.
The exploit’s simplicity amplifies its threat. A live demo at brash.run simulates the attack invisibly, while local PoCs let users tweak the intensity: moderate for observation, extreme for rapid failure.
Code snippets enable easy integration, with options for delayed or scheduled triggers, turning benign pages into time bombs.
Attackers could weaponize Brash in devastating ways. Time-delayed payloads lurk in phishing links, activating during high-stakes moments like stock trades or meetings, evading quick scans.
In AI-driven enterprises, it poisons headless browsers used for web scraping, paralyzing automated trading or compliance checks.
More alarmingly, scenarios envision life-threatening chaos: a surgeon’s web-assisted procedure derailed mid-operation, or a flash crash on Wall Street as traders’ terminals fail en masse during market open.
Banking fraud teams, too, face paralysis, allowing millions in unchecked transactions during peak volumes like Black Friday.
Jofpin emphasizes this as a design oversight, not a mere bug, urging Chromium developers to implement throttling. As the exploit remains operational until patched, users should exercise caution with untrusted sites.
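To make the throttling the researcher calls for concrete, here is an added example (not code from the article or the researcher’s PoC) of a userland rate limiter for document.title writes; the function names are this example’s own, and the installer takes the page’s Document constructor as a parameter so it can be exercised outside a browser.

```javascript
// Added example (not code from the article or the researcher's PoC): a userland
// rate limiter for document.title writes, showing the throttling the article says
// Blink lacks. Function names here are this example's own.

// At most `maxPerWindow` writes per `windowMs` reach `apply`; excess writes are
// coalesced so only the newest pending value is applied when the window rolls
// over. The final title is still correct, but DOM mutations are bounded.
function createTitleThrottle({ maxPerWindow = 10, windowMs = 1000, now = Date.now, apply }) {
  let windowStart = now();
  let applied = 0;        // writes applied in the current window
  let pending = null;     // newest value waiting for the next window
  let totalDropped = 0;   // writes coalesced away since creation

  function rollWindow(t) {
    if (t - windowStart < windowMs) return;
    windowStart = t;
    applied = 0;
    if (pending !== null) { apply(pending); pending = null; applied = 1; }
  }

  return {
    // True if the write reached `apply`, false if it was coalesced.
    set(value) {
      rollWindow(now());
      if (applied < maxPerWindow) { apply(value); applied += 1; return true; }
      pending = value; totalDropped += 1;
      return false;
    },
    stats() { return { applied, totalDropped, pending }; },
  };
}

// Shadows the native `title` accessor on a document instance with the throttled
// one. `DocumentCtor` is the global `Document` in a browser; it is a parameter
// so the function can be exercised outside a browser too.
function installTitleThrottle(doc, DocumentCtor, opts = {}) {
  const native = Object.getOwnPropertyDescriptor(DocumentCtor.prototype, 'title');
  const throttle = createTitleThrottle({ ...opts, apply: v => native.set.call(doc, v) });
  Object.defineProperty(doc, 'title', {
    configurable: true,
    get: () => native.get.call(doc),
    set: v => { throttle.set(String(v)); },
  });
  return throttle;
}
```

A script-level throttle like this only protects a site from its own or embedded third-party code; a hostile page controls its own JavaScript and can bypass it, which is why the article frames the fix as belonging in the engine.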
Google has yet to respond publicly, but the disclosure highlights the need for robust safeguards in core web tech.
In an era of browser-dependent operations from finance to healthcare, such flaws underscore the web’s precarious balance between openness and security.