CISOOnline

Google leaks details for Chromium bug that can turn browsers into bots

The bug tracker entry that contains the technical details was accessible long enough to be archived by users, and a copy can be easily found online even though the original entry is now set to private again.

The flaw abuses the Service Worker feature and the Background Fetch API, which allows websites to initiate background downloads, such as a video. This feature was introduced in 2018 and Google said at the time:

“If the user closes pages to your site after step 1, that’s ok, the download will continue. Because the fetch is highly visible and easily abortable, there isn’t the privacy concern of a way-too-long background sync task. Because the service worker isn’t constantly running, there isn’t the concern that it could abuse the system, such as mining bitcoin in the background.”

Rabane found that neither of those promises is true, at least not on all platforms and not on all Chromium-based browsers. For example, in the stable Google Chrome version at the time, in December 2022, the download was visible in the download bar, but in the canary version that introduced a new UI, the download looked like a glitch, stuck at 0B and not showing the source.


