Chrome vulnerability allows extensions to harvest sensitive URL data

Danny Weber

18:44 06-02-2026


A serious Chrome vulnerability enables malicious extensions to steal confidential data from address bar URLs, including tokens and API keys, using timing attacks.

A serious vulnerability has been discovered in the Google Chrome browser, allowing extensions to directly harvest confidential user data from the address bar. This puts authorization tokens, password reset links, API keys, and other secrets at risk—data that services often transmit in the URL following the '?' symbol.

Cybersecurity expert Luan Herrera brought attention to the issue. He noted that the attack doesn't require elevated privileges or suspicious permissions; access to the standard declarativeNetRequest API is sufficient. This is the same mechanism used by most ad and tracker blockers.

The vulnerability's core lies in request processing timing. Chrome handles requests blocked via this API significantly faster than regular ones, with differences potentially reaching tens of milliseconds. By exploiting this timing gap, a malicious extension can analyze browser behavior and, step by step, reconstruct the full page URL, including hidden parameters containing sensitive data.

In practice, an attacker can essentially 'guess' the address character by character by reloading the page and measuring the response time. As a result, users risk losing access to email, social networks, financial services, and other critical accounts without ever suspecting a thing.

A proof-of-concept exploit has proven successful across all current Chrome versions, from the stable release to Dev and Canary builds. Google has acknowledged the problem but stated that fixing it within the browser's current architecture is virtually impossible.
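The data at risk is whatever a service places after the '?', so a service owner can audit their own URLs for secret-bearing query parameters. The following is an added example, not part of the original article or of Herrera's research; the parameter-name pattern, the length and entropy thresholds, and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: audit URLs (e.g. from your own routes or access logs) for
// secrets carried in the query string. Name pattern and thresholds are assumptions.
const SENSITIVE_NAME = /token|secret|passw|api[_-]?key|session|signature|reset|otp/i;
const MIN_LEN = 20;        // assumed: shorter values are unlikely to be bearer secrets
const MIN_ENTROPY = 3.5;   // assumed threshold, bits per character

// Shannon entropy of a string in bits per character.
function entropy(s) {
  const chars = [...s];
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / chars.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Returns the URL without its query string plus the names (never the values)
// of parameters that look like secrets.
function auditUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { location: null, findings: [], error: 'unparseable' };
  }
  const findings = [];
  for (const [name, value] of url.searchParams) {
    const reasons = [];
    if (SENSITIVE_NAME.test(name)) reasons.push('sensitive-name');
    if (value.length >= MIN_LEN && entropy(value) >= MIN_ENTROPY) reasons.push('high-entropy-value');
    if (reasons.length > 0) findings.push({ name, reasons });
  }
  return { location: url.origin + url.pathname, findings, error: null };
}

// Constructed sample URLs (not real services or tokens).
const SAMPLES = [
  'https://app.example.test/reset?user=42&reset_token=Zq8fK2mX9vB4nT7pL1cR6wY3',
  'https://shop.example.test/search?q=blue+shoes&page=2',
  'https://api.example.test/v1/items?apiKey=abc',
  'https://cdn.example.test/dl?x=9fQ2kLm8Zr4TnVb7Wc1YpH5s',
];
for (const s of SAMPLES) console.log(JSON.stringify(auditUrl(s)));
```

Parameters flagged here are candidates for moving out of the URL, for example into request headers, POST bodies or cookies.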