Executive Summary

A critical vulnerability in the Chromium native messaging implementation allows an attacker to achieve Arbitrary Code Execution and Man-in-the-Middle (MITM) control over secure communication channels between browser extensions and desktop applications.

By exploiting a lack of Unicode normalization in manifest paths, an attacker can redirect browser calls from trusted extensions (e.g., 1Password, Bitwarden, Coinbase Wallet) to a malicious binary using visually identical filesystem paths.

The attack requires only standard user-level access. No privilege escalation. No modification of existing application files. The attacker drops a single poisoned manifest into a user-writable directory.

Technical Proof of Concept

The attack targets the NativeMessagingHosts directory. Chromium reads a JSON manifest and executes the path field without applying NFKC normalization or ASCII validation.

The Path Substitution

On Linux (ext4) and macOS (APFS), these are distinct filesystem locations. A standard user can write a poisoned manifest to their local config directory, redirecting all sensitive extension traffic to an attacker-controlled binary.

Byte-Level Proof

Original: 2f6f70742f3150617373776f72642f3150617373776f72642d42726f77736572537570706f7274
Poisoned: 2f6f70742f3150617373776f72642f31cea1617373776f72642dce92726f77736572537570706f7274
                                          ^^^^                    ^^^^
                                      Greek Rho                Greek Beta

Filesystem Verification

#!/usr/bin/env python3
import os, tempfile, shutil
tmpdir = tempfile.mkdtemp()
orig = os.path.join(tmpdir, "1Password")
fake = os.path.join(tmpdir, "1\u03a1assword")  # Greek Rho U+03A1
os.makedirs(orig); os.makedirs(fake)
open(os.path.join(orig, "t"), "w").write("ORIGINAL")
open(os.path.join(fake, "t"), "w").write("FAKE")
a = open(os.path.join(orig, "t")).read()
b = open(os.path.join(fake, "t")).read()
print("VULNERABLE!" if a != b else "NOT VULNERABLE")
shutil.rmtree(tmpdir)

Result on Linux ext4: VULNERABLE!

Impact Matrix: Exploit Validation

Key Evidence: 1Password Interception

{
  "callbackId": 1725629103,
  "invocation": {
    "type": "NmRequestAccounts",
    "content": {
      "version": 1,
      "userRequested": false,
      "supportsDelegation": true
    }
  }
}

The Chromebook Irony

This research was conducted entirely on a Chromebook — a device Google markets as “Secure by Default.” The browser completely abdicates its role as the trust authority by executing a path containing Greek Rho instead of Latin P without question.

Second Vector: Coinbase Wallet Extension Spoofing

A second, distinct attack vector was discovered in the same research. Chrome does not normalize Unicode in extension names before displaying them on the chrome://extensions page.

By using the Unicode Fraction Slash (U+2044: ⁄) instead of the standard forward slash (U+002F: /), an attacker crafts an extension name that Chrome displays as what appears to be a legitimate system path:

Chrome renders both identically on the extensions management page. The victim believes they are looking at a legitimate Coinbase Wallet installed from a trusted system directory.

The working PoC extension demonstrates:

1. UI InjectionWhen the victim visits coinbase.com, a fake “Security Update Required” overlay prompts for their 12-word recovery phrase.
2. Clipboard MonitoringCaptures all copied text — wallet addresses, seed phrases, private keys.
3. Wallet Traffic InterceptionMonitors all URLs containing “wallet,” “coinbase,” or “metamask.”
4. Visual Trust ExploitationChrome’s own extensions page displays the spoofed path as legitimate, lending false credibility to the malicious extension.

Vendor Response Audit

This disclosure was reported to 12 organizations between February 7–16, 2026. Their responses reveal a systemic industry failure: a chaotic mix of validation, denial, and abdication.

Vendors Who Validated

Vendors Who Denied

Vendors Who Abdicated

The Munich Hypocrisy

In February 2019, Google published a whitepaper at the Munich Security Conference — a stage traditionally reserved for heads of state and defense ministers — titled “How Google Fights Disinformation.”

The paper outlined three pillars of their defense against disinformation:

1. Make Quality Count: Promoting authoritative sources.
2. Counteract Malicious Actors: Removing deceptive content.
3. Give Users Context: Providing tools to identify what is real.

Google claimed that “impersonation and the misrepresentation of ownership” are harms they tackle at scale because they undermine the trust users place in their services.

When presented with a working demonstration that their browser facilitates impersonation at the binary level — allowing a Greek character to masquerade as a Latin character and redirect execution of security-critical software — Google marked it WontFix.

Institutional Erasure

When the technical evidence on Chromium Issue 482538021 became too heavy to carry, the conversation shifted from the vulnerability to the researcher. Vivaldi’s Security Group, operating on Google’s own infrastructure, posted:

This statement was made after the researcher had provided byte-level filesystem verification, working proof-of-concept code, intercepted 1Password traffic logs, and a detailed technical rebuttal of Vivaldi’s “physical access” framing.

The “AI” label was not a technical assessment. It was a kill switch. By labeling verified human research as bot-generated content, Vivaldi signaled to every other downstream vendor that the data was “noise.” They attacked the medium to avoid the message.

This is the ultimate proof of the Munich Hypocrisy: Google claims to fight the fragmentation of truth, yet they provide the platform for downstream partners to suppress legitimate security research using disinformation tactics.

Timeline of Suppression

Full Disclosure Timeline

Remediation & Mitigation

Since Google will not enforce normalization at the engine level, the responsibility falls on extension developers and system administrators.

For Extension Developers

1. Mandatory NFKC NormalizationBefore passing any path or identifier to an IPC channel, normalize the string. Greek Rho collapses to Latin P. The poisoned path becomes identical to the legitimate one. This is a single function call.
2. Mixed-Script DetectionIf a manifest path contains characters from both Latin and Greek/Cyrillic scripts, flag it as a spoofing attempt and reject execution.
3. Binary Integrity ChecksummingVerify a SHA-256 hash of the native host binary against a known-good value stored within the extension package before establishing communication.
4. Path Character AllowlistingReject any manifest path containing characters outside the ASCII range (U+0020–U+007E).

import unicodedata
def is_safe_path(path):
    normalized = unicodedata.normalize('NFKC', path)
    return all(ord(c) < 128 for c in path) and path == normalized

For System Administrators

1. Restrict Write AccessAudit ~/.config/google-chrome/NativeMessagingHosts/. Ensure only authorized processes have write permissions.
2. AppArmor/SELinux ProfilingRestrict Chrome to executing binaries only from a strict allowlist of known-good paths.
3. Filesystem Integrity MonitoringDeploy AIDE, Tripwire, or osquery to detect unauthorized additions to native messaging directories.

The TreeChain Solution

This discovery is the direct result of building the TreeChain Polyglottal Cipher™ — an encryption architecture that operates across 133,387 Unicode characters and 202 languages. By mapping the behavior of the full Unicode space, we identified that the modern web’s trust model is built on a Visual Fallacy — the assumption that if two things look the same, they are the same.

1. Mandatory NFKC NormalizationEvery string is normalized before any operation. Greek Rho collapses to Latin P. No redirect possible.
2. Bijective Glyph MappingCharacters map to curated Unicode blocks with one-to-one mappings per epoch window. No ambiguity.
3. HMAC-Bound Path VerificationIdentifiers are bound to cryptographic authentication. Homoglyph survives normalization? HMAC fails.
4. Bidirectional Control StrippingDirectional overrides (U+202A–U+202E, U+2066–U+2069) stripped before processing.
5. Mixed-Script DetectionLatin + Greek in the same token? Flagged as confusable before it touches any filesystem.
6. Epoch-Bound Rotor RotationGlyph mappings rotate every 300 seconds. No static mapping to poison.
7. Canonical Hash BindingEvery identifier hashed against its NFKC-normalized form via SHA-256.

Vulnerability Classification

Conclusion: Picking Up the Pieces

Google’s 2019 Munich whitepaper was titled “The Great Puzzle: Who Will Pick Up the Pieces?”

We now have the answer.

When a security researcher demonstrated that Chrome’s native messaging facilitates binary-level impersonation — the exact “misrepresentation of ownership” Google pledged to fight — the response was WontFix. When the evidence became undeniable, the conversation shifted to attacking the researcher. When downstream vendors asked who was responsible, Google said it was “by design.” When asked for further comment, Google’s security team replied: “I have no further comment on this issue to make.”

By marking this vulnerability WontFix, publicly disclosing the issue themselves (Comment #6), and refusing further engagement, Google forfeited the standard 90-day responsible disclosure window. The severity of the vulnerability — affecting approximately 3.5 billion browser installations and every password manager on every Chromium-based browser — necessitated immediate public disclosure.

The fix is not complex. NFKC normalization is a single function call. Mixed-script detection is a solved problem. Binary integrity verification is standard practice. The tools exist. The knowledge exists. The only thing missing is the will to implement them.

TreeChain Labs built the Polyglottal Cipher to encrypt data across 133,387 Unicode characters and 202 languages. In doing so, we solved this class of vulnerability architecturally — not as a patch, but as a foundational design principle.

Where Google sees an “infeasible” bug, TreeChain sees a call to build a system where identity is structural, not visual. We don’t just fight disinformation — we make it mathematically impossible.

We are picking up the pieces.