Bran (Brandon) Myers
Security Research · Personal · April 2026

How I Zero-Dayed Chrome and What It Taught Me About Power

I found a critical vulnerability in Chromium while building an encryption system. CVSS 9.6. Affects every Chromium-based browser on earth — Chrome, Edge, Brave, Opera, Arc, every Electron app. Over 100 vendors exposed.

I reported it to Google through responsible disclosure. They reviewed it. They acknowledged it. They marked it WontFix.

This is what that experience taught me.

The vulnerability is a Unicode homoglyph path injection in Native Messaging — the mechanism that lets your browser extensions talk to applications on your computer. Your password manager. Your security tools. Your enterprise software.

The attack: construct a file path using Unicode characters that look identical to Latin characters but are computationally different. Cyrillic “a” and Latin “a” are visually indistinguishable in most fonts. They are not the same character. An attacker can point a Native Messaging manifest at a malicious binary using a path that looks legitimate to every human who reads it.

The browser executes the malicious binary. The extension thinks it is talking to your password manager. It is not.
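As an added example (not from this post, and not Chromium's own manifest validation), here is a defender-side audit of a Native Messaging host manifest's `path` field: it flags any path segment that mixes Latin letters with letters from another script, and separately reports whether NFKC normalization would change the path at all, which for a Cyrillic "а" it does not. The manifest, host name and extension id are constructed placeholders; the per-segment check is deliberate so that an entirely non-Latin segment (a user's home directory spelled in Cyrillic) passes.

```python
import json
import unicodedata

# Constructed sample host manifest in the Native Messaging format.
# The path segment "password-host" carries U+0430 CYRILLIC SMALL LETTER A
# in place of the Latin "a"; the name and origin are placeholders.
SAMPLE_MANIFEST = json.dumps({
    "name": "com.example.password_host",
    "description": "constructed example",
    "path": "/opt/p\u0430ssword-host/bin/host",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://placeholderextensionid/"],
})

# Scripts that legitimately co-occur inside one word (Japanese mixes
# kana and Han); anything else mixing with Latin in one segment is flagged.
SCRIPT_GROUPS = {"HIRAGANA": "JPAN", "KATAKANA": "JPAN", "CJK": "JPAN"}


def script_of(ch):
    """Coarse script tag: first word of the Unicode character name.
    A heuristic, not the full UTS #39 script table."""
    tag = unicodedata.name(ch, "UNKNOWN").split()[0]
    return SCRIPT_GROUPS.get(tag, tag)


def audit_path(path):
    """Return one finding per path segment whose letters span >1 script."""
    findings = []
    for seg in path.split("/"):
        letters = [c for c in seg if c.isalpha()]
        scripts = {script_of(c) for c in letters}
        if len(scripts) > 1:
            findings.append({
                "segment": seg,
                "scripts": sorted(scripts),
                # Every non-ASCII letter, with its code point and name,
                # so a reviewer can see what the eye could not.
                "non_ascii": [f"U+{ord(c):04X} {unicodedata.name(c, '?')}"
                              for c in letters if not c.isascii()],
            })
    return findings


def audit_manifest(manifest_json):
    """Audit the 'path' of a host manifest given as a JSON string."""
    path = json.loads(manifest_json)["path"]
    return {
        "path": path,
        "mixed_script_segments": audit_path(path),
        # Confusables from other scripts are distinct characters, not
        # compatibility variants, so NFKC leaves them untouched.
        "nfkc_would_change": unicodedata.normalize("NFKC", path) != path,
    }
```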

We demonstrated this against 1Password and Coinbase in controlled environments. CERT/CC coordinated the disclosure. Bitwarden and KeePassXC independently confirmed their own exposure.

Google’s response was one word: Infeasible.

No timeline. No mitigation. No explanation. Just a classification and a closed ticket. The issue sits in their public tracker — anyone can read the full thread at issues.chromium.org/issues/482538021.

I have two theories about why they will not fix it.

Theory one is charitable: fixing the homoglyph attack surface in path validation would break internationalized paths on every non-English operating system. Unicode deliberately distinguishes between visually identical characters from different scripts. That distinction powers multilingual computing. A fix that normalises homoglyphs would break legitimate paths for billions of users. The technical difficulty is real.

Theory two is less charitable: the gap between what users see and what computers process is useful. Not only to attackers. To anyone who operates in the space between visual representation and computational reality. A browser that silently distinguishes between visually identical characters has capabilities that extend beyond rendering text.

I am not asserting that Google is exploiting this. I am asserting that the architecture permits capabilities that benefit certain actors, that Google is aware, and that WontFix preserves those capabilities.

The absence of explanation is itself data.

Here is the part that matters to me personally.

I found this vulnerability because I was studying Unicode’s visual ambiguity as an encryption medium. TreeChain encodes encrypted data as multilingual text across 133,387 Unicode characters from 180 language traditions. The output looks like poetry in Japanese, or runes in Old Norse, or hieroglyphs.

I was asking: how can the gap between what humans see and what machines process be used to protect data?

In that research, I discovered how the same gap can be used to attack.

The vulnerability and the cipher are the same research. The difference is direction.

What I learned from this experience is not about Chrome. It is about power.

When you find a vulnerability that affects 65 percent of the world’s browsers and the vendor says Infeasible, you learn something about the distance between finding a problem and fixing it. The distance is not technical. It is institutional.

Google can fix this. They choose not to. The distinction matters.

I also learned something about what it means to be a solo researcher.

I do not have a security team. I do not have a university behind me. I have a flat in Kielce, a patent filing, and a system that the co-creator of AES validated as strong and secure.

When CERT/CC coordinates your disclosure and two major password managers confirm your findings, you are no longer someone with an interesting idea. You are someone who found something real.

That is a different feeling. It comes with responsibility. The responsible disclosure window exists because publishing too early causes harm. I respected that window completely. The 90 days passed. Now I am talking.

The public issue tracker is at issues.chromium.org/issues/482538021. Anyone can read the full record — our report, Google’s response, the complete thread.

The full technical whitepaper is available to verified researchers at [email protected].

I found a hole in the world’s most popular browser. The vendor said they will not fix it. I waited. Now you know.

What you do with that information is up to you.
