This Google Chrome security flaw could affect billions of users

Silhouette of a hand holding a padlock infront of the google chrome logo
(Image credit: Shutterstock / Ink Drop)

Google Chrome and other Chromium-based browsers have been found carrying a high-severity vulnerability that allowed threat actors to steal people’s sensitive files, including the contents of their cryptocurrency wallets, and login credentials.

Cybersecurity experts from Imperva found that the way Chrome and Chromium-based browsers (used by some 2.5 billion people) interacted with file systems was flawed. More precisely, the way browsers process symlinks.

Symlinks, or symbiotic links, are files that point to another file, or directory, the researchers explain. They allow the OS to handle the linked file or directory as if it were at the symlink’s location. “This can be useful for creating shortcuts, redirecting file paths, or organizing files in a more flexible way,” the researchers explained in a blog post.

Potential attack scenarios

But if these files aren’t handled properly, they can introduce vulnerabilities, and the researchers discovered that the browser didn’t properly check if the symlink was pointing to a location designed to be inaccessible. 

Describing a potential attack scenario, the researchers said a threat actor could create a fake cryptocurrency wallet, and a website that would request the users to download their recovery keys. The downloaded file would actually be a symlink to a sensitive file or folder on the user’s computer. That file could be login credentials for a cloud provider, or something similar. The worst thing is that the victim would be completely oblivious to the fact that their sensitive data has been compromised. 

What’s more, the strategy wouldn’t be too extreme, either, the researchers say, claiming “many crypto wallets and other online services” require users to download recovery keys to access their accounts. 

“In the attack scenario described above, the attacker would take advantage of this common practice by providing the user with a zip file containing a symlink instead of actual recovery keys.” 

The vulnerability is now tracked as CVE-2022-3656 - an Insufficient data validation in File System flaw. Google has since addressed the issue and released Chrome 108 as a fix, so make sure you are running this version of the browser before downloading any recovery keys.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A finger touching the google chrome icon in the Windows 10 start menu
A new Chrome browser highjacking attack could affect billions of users - here's how to fight it
Google Chrome
Google Chrome security flaw could have let hackers spy on all your online habits
chrome firefox extensions
Google Chrome extensions hit in major attack - dozens of developers affected, so be on your guard
HTTPS in a browser address bar
Malicious "polymorphic" Chrome extensions can mimic other tools to trick victims
Chrome icon on Android
Google Chrome extensions hack may have started much earlier than expected
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Google Chrome extensions targeted by hackers to steal user passwords
Latest in Security
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Latest in News
Nintendo Switch 2 Joy-Con up-close from app store
Nintendo's new app gave us another look at the Switch 2, and there's something different with the Joy-Con
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Amazon Echo Smart Speaker
Amazon is experimenting with renaming Echo speakers to Alexa speakers, and it's about time
Shigeru Miyamoto presents Nintendo Today app
Nintendo Today smartphone app is out now on iOS and Android devices – and here's what it does