A high-severity vulnerability was discovered in Google Chrome and other Chromium-based browsers that allowed cybercriminals to steal users’ confidential files, including the contents of their cryptocurrency wallets and login credentials.
Cybersecurity experts at Imperva found that the way Chrome and Chromium-based browsers (used by approximately 2.5 billion people) interact with file systems is flawed; more specifically, the way the browsers process symbolic links.
Symbolic links, or symlinks, are files that point to another file or directory, the researchers explain. They allow the operating system to serve the linked file or directory as if it were at the symbolic link’s own location. “This can be useful for creating shortcuts, redirecting file paths, or organizing files in a more flexible way,” the researchers explained in a blog post.
Potential attack scenarios
But if these files are not handled properly, they can introduce security vulnerabilities, and the researchers found that the browser was not properly checking whether a symbolic link pointed to a location that was intended to be inaccessible.
Describing a potential attack scenario, the researchers said that a cybercriminal could create a fake cryptocurrency wallet and a website that asks users to download recovery keys. The downloaded file would actually be a symbolic link to a confidential file or folder on the user’s computer, such as the user’s cloud provider login credentials. The worst part is that the victim would be completely unaware that their sensitive data had been compromised.
Moreover, the strategy would not be far-fetched, the researchers say, noting that “many crypto wallets and other online services” require users to download recovery keys in order to access their accounts.
“In the attack scenario described above, an attacker would take advantage of this common practice by providing the user with a ZIP file containing a symbolic link instead of actual recovery keys.”
The vulnerability is now tracked as CVE-2022-3656 – Insufficient File System Data Validation Vulnerability. Google has since addressed this issue and released Chrome 108 as a fix, so make sure you’re using that version of the browser before downloading any recovery keys.
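The missing check the researchers describe, written out as an added Python example (this is not Imperva’s code and not Chromium’s): a file a user selects from the download folder is only accepted if, after every symbolic link is followed, it still lies inside that folder, and a ZIP is inspected for symlink entries before anything in it is trusted. The directory layout, file names and contents below are constructed fixtures built in a temporary directory, not real data.

```python
import os
import stat
import tempfile
import zipfile
from pathlib import Path


def resolves_inside(path, allowed_root):
    """Return True only if `path`, after following every symbolic link,
    still lies under `allowed_root`. A file picker should make this check
    before reading a user-selected file: a link that escapes the download
    directory is refused rather than followed."""
    real = Path(path).resolve()
    root = Path(allowed_root).resolve()
    try:
        real.relative_to(root)
    except ValueError:
        return False
    return True


def symlink_entries(zip_path):
    """List archive members stored as symbolic links. ZIP keeps the Unix
    mode bits in the high 16 bits of external_attr; S_ISLNK marks a link."""
    names = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                names.append(info.filename)
    return names


def build_scenario():
    """Constructed fixture (hypothetical names, not real data): a 'secret'
    file outside the download folder, a download folder holding one genuine
    key file and one symlink pointing at the secret, and a ZIP of both.
    Returns (download_dir, symlink_path, genuine_path, zip_path)."""
    base = Path(tempfile.mkdtemp())
    secret = base / "home" / ".cloud-credentials"
    secret.parent.mkdir(parents=True)
    secret.write_text("CONSTRUCTED-SECRET")

    downloads = base / "Downloads"
    downloads.mkdir()
    genuine = downloads / "recovery-keys.txt"
    genuine.write_text("CONSTRUCTED-RECOVERY-KEY")
    link = downloads / "recovery-keys-link.txt"
    link.symlink_to(secret)

    # Archive both entries, preserving the link's mode bits so the
    # detector above has something realistic to inspect.
    zip_path = base / "keys.zip"
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.write(genuine, "recovery-keys.txt")
        info = zipfile.ZipInfo("recovery-keys-link.txt")
        info.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(info, os.readlink(link))
    return downloads, link, genuine, zip_path


if __name__ == "__main__":
    downloads, link, genuine, zip_path = build_scenario()
    print("genuine file inside Downloads:", resolves_inside(genuine, downloads))
    print("symlink inside Downloads:     ", resolves_inside(link, downloads))
    print("symlink entries in archive:   ", symlink_entries(zip_path))
```

`resolves_inside` is the browser-side fix in miniature: the path is canonicalised first and the containment test is done on the result, so a link whose target sits anywhere outside the download folder fails. `symlink_entries` is the complementary check an archive handler can run before extraction; on the constructed fixture it flags only the link entry.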