October 30, 2025

Tabocalypse Now

Article URL →HN comments →

Chromium Browser DoS Attack via Document.title Exploitation

Chromium bug makes tabs freeze fast — commenters say “lol, just a loop”

TLDR: A simple trick can freeze Chromium-based browsers by hammering the page title, while Firefox and Safari shrug. The community mostly mocks it as a basic infinite-loop crash and suspects AI hype, though some still want a fix because any web page that can stall your computer is a real-world headache.

A flashy new flaw claims it can make any Chromium-based browser (think Chrome, Edge, Brave, Opera) choke in under a minute by spamming the page title so fast the browser can’t breathe. The write‑up calls it “Brash,” touts billions at risk, and brags that Chrome and friends face‑plant while Firefox and Safari stroll by unfazed. But the crowd? They’re not buying the drama. The top vibe is: this isn’t elite hacking, it’s a glorified “make it spin until it dies.”

Nostalgia hit hard as one user joked about the old Internet Explorer days: “just throw alert in a forever loop.” Others went for the jugular, calling the repo “AI generated spam” and clowning on the use of hex numbers in tiny loops—“is that a hacker flex?” The spiciest take: this is as much a denial‑of‑service as forgetting to stop a loop—annoying, yes, but not exactly Hollywood hacking. Still, a few cautious voices note the uncomfortable truth: if any web page can lock your machine for a minute, that’s user‑pain, whether or not it’s “novel.”

So while the post claims Chrome, Edge, and pals topple in seconds and Firefox/Safari are immune, the comments are the real show—equal parts meme roast, eye‑roll, and “please patch this already” energy.

Key Points

  • “Brash” is a Blink rendering engine vulnerability exploiting unthrottled document.title updates to cause DoS.
  • The exploit is operational and affects Chromium versions up to 143.0.7483.0 (tested on 138.x, 141.x, 143.x).
  • Impact includes high CPU usage, event loop disruption, UI collapse, and system performance degradation.
  • Multiple Chromium-based browsers crash within 15–60 seconds; Firefox (Gecko) and Safari (WebKit) are immune.
  • The attack uses preloaded strings and burst injections (~24M updates/sec) to saturate the main thread.

Hottest takes

“you could just use the alert function in a while(true) loop” — zb3
“Repo looks to be entirely AI generated spam” — julia_j
“as much of a DoS as an unterminated while loop” — Etheryte

Save News

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.