>
Google Chrome and other Chromium-based browsers (opens in new tab) have been found with a very serious vulnerability that allowed attackers to steal sensitive files from people, including the contents of their cryptocurrency wallets and credentials.
Cybersecurity experts at Imperva found that the way Chrome and Chromium-based browsers (used by some 2.5 billion people) handled file systems was flawed. More precisely, the way browsers handle symlinks.
Symlinks, or symbiotic links, are files that point to another file or folder, the researchers explain. They allow the operating system to treat the linked file or directory as if it were located at the location of the symbolic link. “This can be useful for creating shortcuts, redirecting file paths or organizing files in a more flexible way,” the researchers explained in a blog post (opens in new tab).
Potential attack scenarios
But if these files aren’t handled properly, they can introduce vulnerabilities, and the researchers found that the browser didn’t properly check whether the symbolic link pointed to a location designed to be inaccessible.
When describing a possible attack scenario, the researchers said a threat actor could create a fake cryptocurrency wallet, and a website that would ask users to download their recovery keys. The downloaded file would actually be a symbolic link to a sensitive file or folder on the user’s computer. That file could be credentials for a cloud provider or something similar. The worst part is that the victim is completely unaware that their sensitive data has been compromised.
Moreover, the strategy wouldn’t be too extreme either, say the researchers, who claim that “many crypto wallets and other online services” require users to download recovery keys to access their accounts.
“In the attack scenario described above, the attacker would take advantage of this common practice by providing the user with a zip file containing a symbolic link instead of actual recovery keys.”
The vulnerability is now tracked as CVE-2022-3656 – an insufficient data validation flaw in the file system. Google has since addressed the issue and released Chrome 108 as a fix, so make sure you’re running this version of the browser before downloading recovery keys.