<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Browser-Security on HackingPassion.com : root@HackingPassion.com-[~]</title><link>https://hackingpassion.com/tags/browser-security/</link><description>Recent content in Browser-Security on HackingPassion.com : root@HackingPassion.com-[~]</description><generator>Hugo</generator><language>en</language><lastBuildDate>Sun, 07 Jun 2026 13:36:33 +0200</lastBuildDate><atom:link href="https://hackingpassion.com/tags/browser-security/index.xml" rel="self" type="application/rss+xml"/><item><title>Google Leaked the Chrome Bug That Turns Your Browser Into a Botnet</title><link>https://hackingpassion.com/chromium-background-fetch-botnet/</link><pubDate>Sun, 07 Jun 2026 13:36:33 +0200</pubDate><guid>https://hackingpassion.com/chromium-background-fetch-botnet/</guid><description>&lt;p>A single visit to one website can quietly turn your browser into part of a botnet, and the working code to do it is still sitting out in the open.&lt;/p>
&lt;p>It affects Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and almost every browser built on Chromium. Someone flagged it to Google back in 2022. Google sat on it for almost four years, and then leaked the exploit code itself, by accident, on its own bug tracker.&lt;/p></description></item><item><title>FROST Lets a Website See Which Sites and Apps You Have Open by Timing Your SSD</title><link>https://hackingpassion.com/frost-ssd-browser-spying/</link><pubDate>Sat, 30 May 2026 11:34:44 +0200</pubDate><guid>https://hackingpassion.com/frost-ssd-browser-spying/</guid><description>&lt;p>&lt;strong>FROST&lt;/strong> lets a website time your SSD and see which sites and apps you have open, even ones running in a different browser. It needs no malware and nothing to install. Opening the page is all it takes. While you sit there reading whatever the attacker put on screen, the page is quietly measuring how busy your drive is, and from that alone it works out what else you are running.&lt;/p></description></item><item><title>Google Chrome Silently Installs a 4 GB AI Model on Your Machine Without Asking</title><link>https://hackingpassion.com/chrome-gemini-nano-silent-install/</link><pubDate>Wed, 06 May 2026 13:41:41 +0200</pubDate><guid>https://hackingpassion.com/chrome-gemini-nano-silent-install/</guid><description>&lt;p>Google Chrome installed a &lt;strong>4 GB AI model&lt;/strong> on your machine without asking. The pitch is that it runs locally, keeping your data off Google&amp;rsquo;s servers. The AI button you actually see in your browser sends everything to Google anyway.&lt;/p>
&lt;p>Privacy researcher &lt;strong>Alexander Hanff&lt;/strong> found this during a routine web audit in late April and published his full analysis on 4 May 2026, two days ago. He had built a Chrome profile to run automated tests, the kind where software loads web pages in the background and measures what happens. The profile received no human input whatsoever: nobody moved the mouse, hit a key, or touched the address bar. Chrome just ran quietly in the background doing its thing.&lt;/p></description></item><item><title>Microsoft Edge Stores Every Saved Password in Cleartext Memory at Startup</title><link>https://hackingpassion.com/microsoft-edge-cleartext-passwords/</link><pubDate>Tue, 05 May 2026 10:56:56 +0200</pubDate><guid>https://hackingpassion.com/microsoft-edge-cleartext-passwords/</guid><description>&lt;p>&lt;strong>Microsoft Edge loads every saved password into memory the moment the browser opens.&lt;/strong> They sit there in plain readable text for the entire session, even for sites that are never visited during that session. &lt;strong>Microsoft&amp;rsquo;s official response: this is by design.&lt;/strong>&lt;/p>
&lt;p>A security researcher who goes by &lt;strong>@L1v1ng0ffTh3L4N&lt;/strong> decided to test every major Chromium-based browser to see how each one actually handles stored credentials while running. He went through them one by one. &lt;strong>Edge was the only browser he found behaving this way.&lt;/strong> He took his findings to the BigBiteOfTech conference on April 29, presented them there with Palo Alto Networks Norway, and then posted a proof-of-concept video on May 4 that pulled in 5,900 responses within hours. He also put a small tool on GitHub called &lt;strong>EdgeSavedPasswordsDumper&lt;/strong> so anyone could check this on their own machine.&lt;/p></description></item><item><title>Linux Inside a PDF</title><link>https://hackingpassion.com/linux-inside-pdf/</link><pubDate>Mon, 26 Jan 2026 10:30:00 +0100</pubDate><guid>https://hackingpassion.com/linux-inside-pdf/</guid><description>&lt;p>Linux running inside a PDF. An actual working operating system with a terminal where you can type commands. Open a PDF in Chrome. Wait 30 seconds. You now have a working Linux terminal. No installation, no software, just a 6MB file that boots an entire operating system.&lt;/p>
&lt;p>A high school student named Allen built this, the same kid who previously crammed Doom into a PDF. Before that he made tools to bypass school software restrictions and exploits to boot Linux on locked-down Chromebooks.&lt;/p></description></item><item><title>Your iPhone Just Got Owned: iOS WebKit Zero-Days Require No Click (CVE-2025-43529)</title><link>https://hackingpassion.com/ios-webkit-zero-day-iphone-compromise-cve-2025-43529/</link><pubDate>Mon, 12 Jan 2026 12:12:00 +0100</pubDate><guid>https://hackingpassion.com/ios-webkit-zero-day-iphone-compromise-cve-2025-43529/</guid><description>&lt;p>Your iPhone can be compromised by loading a webpage. No click. No download. Just visit the wrong site. Apple patched this a month ago. Only 16% of users have updated. 🤔&lt;/p>
&lt;p>StatCounter data from January 2026:&lt;/p>
&lt;p>→ iOS 26 (all versions): 16% of iPhones&lt;/p>
&lt;p>→ iOS 18 (unpatched): over 60% of iPhones&lt;/p>
&lt;p>For comparison, iOS 18 reached 63% adoption by January 2025. iOS 26 is at less than one quarter of that rate. The lowest adoption Apple has seen in years.&lt;/p></description></item></channel></rss>