Google Confirms Rising 'Account Takeover' Threat—Update This Chrome Setting Immediately


Google has issued an emergency security update for Chrome to address a critical vulnerability that security experts warn could lead to complete account takeovers. The flaw, tracked as CVE-2025-4664, has been actively exploited in the wild, prompting urgent warnings from cybersecurity agencies and researchers. With Chrome commanding over 3 billion users worldwide, this vulnerability represents one of the most significant browser security threats in recent memory, requiring immediate action from all users to protect their accounts and sensitive data.

Understanding the CVE-2025-4664 Vulnerability

The vulnerability stems from insufficient policy enforcement in Chrome's Loader component, which handles how the browser fetches and displays website resources. Unlike other major browsers, Chrome resolves Link headers on subresources in a way that creates a dangerous security gap.

Security researcher Vsevolod Kokorin of Solidlab discovered that a remote attacker could exploit this issue to leak cross-origin data via a crafted HTML page. The technical details reveal a fundamental flaw in how Chrome enforces same-origin policies, the critical security boundary that prevents one website from accessing data belonging to another.

Google rates the bug's severity as high, and for good reason—it can be exploited to perform account takeovers. The company has acknowledged that exploits for this vulnerability exist in the wild, meaning attackers are already using it in real-world attacks targeting Chrome users globally.

How the Attack Works

The vulnerability abuses Chrome's handling of referrer policies and of query parameters in URLs. Query parameters can carry sensitive data, particularly in OAuth authentication flows, so leaking them can lead to account takeover. OAuth is the authorization framework used by countless websites and services to let users sign in without sharing passwords directly.

When using OAuth, the authentication data is passed through URL query parameters, and if an attacker can trick users into revealing their OAuth token in a URL, they can effectively bypass multi-factor authentication controls. This is particularly alarming because it means even users with MFA enabled remain vulnerable to these attacks.

Kokorin noted that developers rarely consider the possibility of stealing query parameters via an image from a third-party resource, which makes this trick surprisingly useful for attackers. By luring victims to malicious websites or compromising legitimate sites to inject malicious code, attackers can silently steal authentication tokens and session data without triggering obvious warning signs.
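The referrer-policy mechanics behind this kind of leak, as an added example that is not part of the original article or of Google's code: the Python below models how the standard Referrer-Policy values decide what a page's URL contributes to the Referer header of a cross-origin image request, so a defender can see which OAuth query parameters would reach a third-party host. The URLs are constructed and the list of sensitive parameter names is an assumption.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Query parameter names that commonly carry OAuth secrets (constructed list).
SENSITIVE_PARAMS = {"code", "state", "access_token", "id_token"}

def _host_port(url):
    p = urlsplit(url)
    return p.hostname + (f":{p.port}" if p.port else "")  # userinfo is dropped

def _origin(url):
    return f"{urlsplit(url).scheme}://{_host_port(url)}/"

def _full(url):
    """Referrer form of a URL: credentials and fragment removed, query kept."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(url), p.path, p.query, ""))

def referer_for(doc_url, dest_url, policy=""):
    """Referer value sent when doc_url fetches dest_url under policy, or None."""
    same_origin = _origin(doc_url) == _origin(dest_url)
    downgrade = urlsplit(doc_url).scheme == "https" and urlsplit(dest_url).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":  # full URL including the query string
        return _full(doc_url)
    if policy == "same-origin":
        return _full(doc_url) if same_origin else None
    if policy == "origin":
        return _origin(doc_url)
    if policy == "origin-when-cross-origin":
        return _full(doc_url) if same_origin else _origin(doc_url)
    if policy == "strict-origin":
        return None if downgrade else _origin(doc_url)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _full(doc_url)
    # "" or "strict-origin-when-cross-origin": the browser default
    if same_origin:
        return _full(doc_url)
    return None if downgrade else _origin(doc_url)

def leaked_params(doc_url, dest_url, policy=""):
    """Sensitive query parameter names exposed to dest_url's server."""
    ref = referer_for(doc_url, dest_url, policy)
    return set() if ref is None else SENSITIVE_PARAMS & set(parse_qs(urlsplit(ref).query))

if __name__ == "__main__":  # constructed OAuth callback embedding a third-party image
    cb, img = "https://app.example/callback?code=AUTHCODE&state=xyz#top", "https://third-party.example/avatar.png"
    for pol in ("unsafe-url", "strict-origin-when-cross-origin", "no-referrer"):
        print(pol, referer_for(cb, img, pol), sorted(leaked_params(cb, img, pol)))
```

Only `unsafe-url` (and, absent a downgrade, `no-referrer-when-downgrade`) hands the query string to a cross-origin host; the browser default sends the origin alone, which is why a policy override on the subresource request is what turns an ordinary image load into a token leak.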

The Scope of the Threat

The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog, a strong indication the vulnerability is being actively used in attacks. When CISA includes a vulnerability in this catalog, it signals that federal agencies and organizations must prioritize patching immediately.

The timing and nature of the exploitation suggest sophisticated threat actors may be behind these campaigns. Recent weeks have seen a spate of elaborate attacks attempting to steal OAuth tokens, as documented by multiple security vendors. While Google hasn't explicitly confirmed these campaigns are related to CVE-2025-4664, the correlation raises serious concerns about coordinated exploitation efforts.

With Chrome's massive user base exceeding 3 billion people worldwide, the potential impact is staggering. Every unpatched Chrome installation represents a potential entry point for attackers seeking to compromise accounts across email, social media, banking, corporate systems, and cloud services.

The Updated Versions You Need

Google has released emergency updates bringing Chrome to version 136.0.7103.113 for Windows and Linux, and version 136.0.7103.114 for macOS. These versions include fixes for CVE-2025-4664 along with three other security vulnerabilities discovered through Google's vulnerability reward program.

Chrome users on iOS and iPadOS are unaffected by this particular vulnerability, so there's no special security update for iPhone and iPad versions of the browser. However, Android users should update immediately, as the Android version of Chrome typically receives the same security fixes as desktop versions.

The updates are rolling out gradually to all users over the coming days and weeks through Chrome's automatic update mechanism. However, waiting for automatic updates could leave you vulnerable during the rollout period, making manual updates the safest approach.

How to Update Chrome Immediately

Updating Chrome manually is straightforward and takes only minutes. Open the three-dot menu, choose Settings, then About Chrome, and let the browser fetch the latest version from Google's servers. When prompted, relaunch Chrome to complete the installation.

The desktop version of Chrome is programmed to check for updates on every relaunch, but many users keep their browsers running for days or weeks without closing them. This extended usage pattern means automatic updates never trigger, leaving installations vulnerable indefinitely.

If there is an update available, Chrome will notify you and start downloading it automatically. Then all you have to do is restart the browser in order for the update to complete. The entire process typically completes in under a minute, representing minimal disruption for maximum security benefit.

For Android users, visit the Google Play Store, search for Chrome, and tap the Update button if available. The mobile update process is equally quick and essential for protecting your accounts on smartphones and tablets.

Additional Security Vulnerabilities Patched

While CVE-2025-4664 represents the most critical threat, the emergency update addresses three additional security vulnerabilities discovered by external researchers. Google follows its standard practice of withholding detailed technical information about these flaws until the majority of users have updated, preventing opportunistic exploitation.

The update also mentions CVE-2025-4609, another critical flaw that, as far as Google knows, is not being actively exploited. The remaining two vulnerabilities are not itemized separately, suggesting they represent less severe security risks but still warrant patching.

This bundling of multiple fixes in emergency updates is standard practice for browser security, ensuring users receive comprehensive protection against all known threats in a single update cycle.

Beyond This Immediate Threat

This vulnerability represents just the latest in a concerning trend of Chrome security issues requiring emergency patches throughout the year. Earlier incidents included vulnerabilities exploited for account takeovers, GPU-related flaws in the macOS version, and zero-days used in targeted espionage campaigns.

OAuth provides a way of giving access to something without the need for a password, and it's useful in multiple scenarios, including single sign-on systems. The widespread adoption of OAuth across the internet means vulnerabilities affecting this authentication method have far-reaching implications beyond any single website or service.

Users should recognize that browser security updates represent critical infrastructure maintenance for digital safety. Browsers serve as the primary interface between users and the internet, making them attractive targets for attackers seeking to compromise accounts, steal data, or deploy malware.

Protecting Yourself Beyond Updates

While installing the Chrome update represents the most critical action, comprehensive security requires additional measures. Enable multi-factor authentication wherever possible, recognizing that while MFA can be bypassed in certain attack scenarios, it still provides valuable protection against most threats.

Avoid clicking links in unsolicited messages and emails from unknown senders, as these often serve as delivery mechanisms for malicious websites that exploit browser vulnerabilities. Verify website authenticity before entering credentials, watching for subtle domain misspellings or unusual URL structures that indicate phishing attempts.

Consider using password managers to generate and store unique, complex passwords for every account. This practice limits damage if attackers compromise one service, preventing credential stuffing attacks that exploit password reuse across multiple sites.

Regular security audits of your accounts help identify suspicious activity early. Review recent login locations and devices, check for unexpected password changes or recovery email modifications, and monitor financial accounts for unauthorized transactions.

Enterprise Considerations

Enterprises should always triage this type of flaw carefully, looking for versions 136.0.7103.113/.114 for Windows and Mac, and 136.0.7103.113 for Linux. IT administrators must prioritize deploying these updates across all managed devices immediately, particularly given the active exploitation status.

Corporate environments face heightened risks from OAuth-related vulnerabilities because business systems extensively use single sign-on and federated authentication. A compromise affecting employee accounts could provide attackers with access to sensitive business data, intellectual property, customer information, and internal systems.

Organizations should verify that automatic Chrome updates are enabled across all endpoints and that users understand the importance of restarting browsers when prompted to complete updates. Security awareness training should emphasize that delaying browser restarts for updates creates unnecessary risk exposure.

The Broader Browser Security Landscape

Chrome's massive market share means vulnerabilities affecting it impact more internet users than flaws in any other single piece of software. This reality makes Chrome an attractive target for sophisticated attackers, including nation-state actors, cybercriminal organizations, and commercial spyware vendors.

Google's investment in security research, bug bounty programs, and rapid patching demonstrates the company's commitment to protecting users. However, the steady stream of critical vulnerabilities requiring emergency patches highlights the inherent challenges of securing complex software that interfaces with untrusted content from across the internet.

Users should maintain realistic expectations about browser security. No software is perfectly secure, and new vulnerabilities will continue emerging as researchers and attackers discover novel exploitation techniques. The key to staying safe lies in promptly installing updates, maintaining security awareness, and following best practices for online safety.

Conclusion

The CVE-2025-4664 vulnerability represents a serious threat to Chrome users worldwide, with confirmed active exploitation targeting account credentials and authentication tokens. The ability for attackers to bypass multi-factor authentication through OAuth token theft makes this vulnerability particularly dangerous, potentially compromising even security-conscious users who have enabled additional protections. Updating to Chrome version 136.0.7103.113 or later immediately is not optional—it's an essential security measure that every user must take to protect their accounts and data. Don't wait for automatic updates to eventually install; manually check for and install the update now, then restart your browser to ensure the protection takes effect. In cybersecurity, the difference between being secure and being compromised often comes down to how quickly you act when threats emerge, and this is one of those critical moments where your immediate action matters.