A new threat to Chrome users has surfaced, and with it guidance on how to avoid this Chrome security flaw. The high-severity vulnerability in Google Chrome and other Chromium-based browsers was discovered recently. It allows threat actors to steal users’ personal data, including the contents of their cryptocurrency wallets and login passwords.
Imperva’s cybersecurity specialists discovered the problem. It lies in how Chrome and Chromium-based browsers, used by roughly 2.5 billion people, interact with the file system; more specifically, in how the browsers handle symlinks.
As the researchers explain, symlinks (symbolic links) are files that point to another file or directory. They let the OS treat the linked file or directory as if it were present at the symlink’s own location. The researchers wrote in a blog post, “This can be beneficial for generating shortcuts, redirecting file routes, or organizing files in a more flexible fashion.”
How to avoid this Chrome security flaw: possible attack scenarios
The researchers found that the browser failed to check properly whether a symlink pointed to a location that was meant to be inaccessible. Files containing such links therefore become a potential vulnerability when they are not handled correctly.
According to the researchers, a threat actor could launch an attack by setting up a phony cryptocurrency wallet and a website that asks users to download their recovery keys. The downloaded file would contain a genuine symlink to a private file or folder on the user’s computer, for example one holding cloud provider login credentials or similar data. In the worst case, the victim would never know that their private information had been stolen.
Additionally, the researchers suggest that the technique wouldn’t be overly severe because “many crypto wallets and other online businesses” require users to obtain recovery keys in order to access their accounts.
In the attack scenario described above, the attacker exploits this widespread practice by giving the victim a zip file that contains a symlink rather than the actual recovery keys.
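The missing check described above is easy to state and easy to test for: a symlink must be resolved before it is trusted, and the resolved target must still lie inside the directory the user actually chose to share. The following is an added example, not code from Imperva, Google or the Chromium project, showing two defensive checks a file-handling component can apply: listing symlink entries inside a zip archive before anything is extracted or uploaded, and refusing to read a path whose real, symlink-resolved location escapes an allowed root. The archive contents, file names and the link target `/home/victim/.config/cloud/credentials` are constructed sample values.

```python
import io
import os
import stat
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple


def build_sample_zip() -> bytes:
    """Constructed sample archive (assumption, for demonstration only): the entry
    named 'recovery_keys.txt' is not a file but a symlink to a sensitive path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "Your wallet recovery keys are in recovery_keys.txt\n")
        info = zipfile.ZipInfo("recovery_keys.txt")
        # In a zip written on Unix the file mode lives in the upper 16 bits of
        # external_attr; S_IFLNK marks the entry as a symbolic link.
        info.external_attr = (stat.S_IFLNK | 0o777) << 16
        # For a symlink entry the "file body" is the link target path.
        zf.writestr(info, "/home/victim/.config/cloud/credentials")
    return buf.getvalue()


def symlink_entries(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (entry_name, link_target) for every symlink entry in the archive.
    A clean 'recovery keys' archive should yield an empty list."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                found.append((info.filename, zf.read(info).decode("utf-8", "replace")))
    return found


def resolve_within(root: Path, requested: Path) -> Optional[Path]:
    """Resolve all symlinks in 'requested' and return the real path only if it
    stays inside 'root'; return None when the link escapes the shared directory.
    This is the containment check the browser was missing."""
    real_root = root.resolve()
    real_path = (real_root / requested).resolve()
    try:
        real_path.relative_to(real_root)
    except ValueError:
        return None
    return real_path


def demo() -> dict:
    """Run both checks against constructed data: the sample archive, and an on-disk
    'uploads' folder containing one honest file and one symlink to a secret
    outside that folder."""
    found = symlink_entries(build_sample_zip())
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        secret = base / "secret.txt"                 # outside the shared folder
        secret.write_text("cloud-credentials")
        uploads = base / "uploads"                   # the folder the user shares
        uploads.mkdir()
        (uploads / "keys.txt").write_text("real keys")
        os.symlink(secret, uploads / "recovery_keys.txt")
        honest = resolve_within(uploads, Path("keys.txt"))
        escaped = resolve_within(uploads, Path("recovery_keys.txt"))
    return {
        "zip_symlinks": found,
        "honest_ok": honest is not None,
        "symlink_blocked": escaped is None,
    }


if __name__ == "__main__":
    print(demo())
```

`symlink_entries` relies on the Unix mode bits that `zip` and most archivers store in `external_attr`; archives produced by tools that do not record them will show no symlinks here, so the `resolve_within` check on the actual files remains the decisive one.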
The bug is tracked as “Insufficient data validation in File System” (CVE-2022-3656). Make sure you are running Chrome 108 before downloading any recovery keys: Google has since fixed the problem and shipped the repair in that release.