The post details the process of exploiting a vulnerability in Chrome's secure-payment-confirmation feature, which was introduced in Chrome 86; the bug was reported in September 2020. The vulnerability, a use-after-free in the InternalAuthenticatorAndroid component, allows an attacker to escape Chrome's sandbox, particularly on Android. The author explains how the ClipboardHost can be manipulated to spray the heap and leak memory addresses, which ultimately enables the execution of arbitrary shell commands. Because Android's Zygote process forks every app process from a single pre-initialised image, library base addresses are shared across processes, so an attacker can rely on known gadgets in preloaded libraries to bypass address space layout randomization (ASLR). Although the traditional heap-spraying method via BlobRegistry is less effective in this context, alternative methods involving the clipboard and libwebp's Execute function are used to complete the exploit. The post highlights the persistent security issue posed by Zygote's once-per-boot ASLR, which undermines the robustness of Android's sandboxing mechanisms.