CVE-2025-4664: Exploiting a Chrome 0day to Leak Session Tokens
A while ago, I stumbled across this intriguing tweet from security researcher Vsevolod Kokorin (@slonser_): slonser_’s tweet The three-line snippet was almost boring - create an <img> element, point the src at a user-controlled URL, drop it into the DOM. The thread that followed caught the attention of Google security engineer @terjanq, who replied: terjanq’s reply I checked the NIST page and found this in the linked Chrome release notes: ...