A high-risk vulnerability has been found in Google Chrome and other Chromium-based browsers that allowed threat actors to steal people’s sensitive files, including the contents of cryptocurrency wallets and login credentials.
Cybersecurity experts from Imperva found that the way Chrome and Chromium-based browsers (used by about 2.5 billion people) interacted with file systems was flawed; more precisely, the flaw lay in the way the browsers handle symbolic links.
Researchers explain that symbolic links, or symlinks, are files that point to another file or directory. They allow the operating system to treat the linked file or directory as if it were at the symbolic link’s location. “This can be useful for creating shortcuts, redirecting file paths, or organizing files in a more flexible way,” the researchers explained in a blog post.
Possible attack scenarios
But if these files are not handled properly, they can introduce vulnerabilities, and the researchers discovered that the browser did not properly check whether a symbolic link pointed to a location that was meant to be inaccessible.
Describing a possible attack scenario, the researchers said a threat actor could create a fake cryptocurrency wallet and a website asking users to download their recovery keys. The downloaded file would actually be a symbolic link to a sensitive file or folder on the user’s computer, such as the login credentials for the user’s cloud provider. Worse, the victim would be completely unaware that their sensitive data had been compromised.
What’s more, the strategy wouldn’t be far-fetched, say the researchers, as they claim that “many cryptocurrency wallets and other online services” require users to download recovery keys to access their accounts.
“In the attack scenario described above, the attacker would take advantage of this common practice by providing the user with a zip file containing a symbolic link instead of the actual recovery keys.”
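As an added illustration (not Imperva’s or Chromium’s code), the following hypothetical Python check shows the kind of validation a file-handling component needs before reading a user-chosen file: it refuses symbolic links and any path that resolves outside the directory the user agreed to expose. The directory layout, file names and function names are constructed for the example.

```python
import os
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when a user-chosen path is a symlink or escapes the allowed root."""


def safe_read(chosen: Path, allowed_root: Path) -> bytes:
    """Return the bytes of `chosen` only if it is a regular file that really
    lives under `allowed_root`. Hypothetical hardening check for illustration,
    not the actual Chromium fix."""
    root = allowed_root.resolve(strict=True)
    # Refuse a symlink at the leaf before resolving: the file the user sees
    # is not the file that would actually be read.
    if chosen.is_symlink():
        raise UnsafePath(f"{chosen} is a symbolic link")
    # Resolve every symlink in the path (parents included) and check that the
    # real location is still inside the root the user agreed to share.
    resolved = chosen.resolve(strict=True)
    if root != resolved and root not in resolved.parents:
        raise UnsafePath(f"{chosen} resolves to {resolved}, outside {root}")
    if not resolved.is_file():
        raise UnsafePath(f"{resolved} is not a regular file")
    # O_NOFOLLOW closes the window between the checks above and the open
    # (absent on Windows, where this falls back to a plain open).
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(resolved, flags)
    with os.fdopen(fd, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed layout: a share root holding a genuine file next to a
    symlink that points at a 'secret' stored outside the root."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "share"
        root.mkdir()
        (root / "recovery-keys.txt").write_bytes(b"genuine recovery keys")
        (base / "secret.txt").write_bytes(b"cloud provider credentials")
        (root / "recovery-keys.lnk").symlink_to(base / "secret.txt")
        results = {"regular": safe_read(root / "recovery-keys.txt", root)}
        try:
            safe_read(root / "recovery-keys.lnk", root)
            results["symlink"] = "read"
        except UnsafePath:
            results["symlink"] = "refused"
        return results


if __name__ == "__main__":
    print(demo())
```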
The vulnerability is now tracked as CVE-2022-3656, described as an inadequate data validation defect in the file system component. Google has since addressed the issue and released Chrome 108 as a fix, so make sure you’re running that version of the browser before downloading any recovery keys.