Researchers at Imperva have described their role in uncovering and fixing a potentially dangerous vulnerability in Google’s Chrome and Chromium-based browsers that, left unpatched, could have enabled threat actors to steal sensitive files from more than 2.5 billion worldwide users of the web browsing technology.
Tracked as CVE-2022-3656, the vulnerability was first uncovered in 2022 by Imperva’s red team, which was looking into how the browser interacts with the file system, specifically how browsers process symbolic links – also known as symlinks.
Symlinks are files that point to another file or directory, which enable the operating system to treat the linked file as if it were present at the symlink’s location. They are used for creating shortcuts, redirecting file paths, or organising files, explained Imperva’s Ron Masas, who is credited with discovering the bug.
“In the case of the vulnerability we disclosed to Google, the issue arose from the way the browser interacted with symlinks when processing files and directories,” explained Masas in his write-up.
“Specifically, the browser did not properly check if the symlink was pointing to a location that was not intended to be accessible, which allowed for the theft of sensitive files. This issue is commonly known as symbolic link following.”
In one potential attack scenario exploiting CVE-2022-3656, an attacker could create a fake website offering a crypto wallet service, tricking the user into creating a new wallet by downloading supposed recovery keys in the form of a zip file, which in fact contained a symlink to a sensitive file or folder on the user’s computer, such as a cloud service credential.
If the file was unzipped and the malicious recovery keys uploaded back to the website, the symlink would be processed and the attacker would gain access to the sensitive file.
In such a scenario, the victim may not even notice they had been tricked, since a great many crypto wallets or other online services require their users to download recovery keys to serve as backups should they lose access to their account, perhaps because they had forgotten their password.
Masas was able to create a proof-of-concept attack using CSS to manipulate the file input element in the browser. When the file input element was made larger, he was able to ensure any file dropped onto the page would be uploaded, which in turn let him exploit the symlink vulnerability to exfiltrate files.
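The missing check Masas describes, as an added example that is not Imperva’s or Chromium’s code: before a folder is uploaded, walk it without following links, inspect each symlink, and refuse the whole upload if any link resolves outside the folder the user chose. The folder layout, file names and the /etc/hostname target are constructed for the demo.

```python
# Added example (not Imperva's or Chromium's code): a pre-upload check for
# "symbolic link following", the defect the article says Chrome lacked.
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(root):
    """Return (relative_path, resolved_target) for every symlink under root
    whose target lies outside root. os.walk(followlinks=False) lists links
    without descending into them, so each link is inspected, not followed."""
    root = Path(root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            target = p.resolve(strict=False)   # dangling links still resolve
            if root != target and root not in target.parents:
                findings.append((str(p.relative_to(root)), str(target)))
    return findings


def safe_upload_list(root):
    """Relative paths that may be uploaded: regular files only, and only if no
    symlink under root escapes it (one escaping link aborts the whole upload)."""
    if find_escaping_symlinks(root):
        return None
    root = Path(root).resolve()
    files = []
    for dirpath, _, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                files.append(str(p.relative_to(root)))
    return sorted(files)


def build_demo_tree():
    """Constructed fixture: a 'recovery keys' folder with one honest key file,
    one harmless internal symlink and one link escaping to /etc/hostname."""
    base = Path(tempfile.mkdtemp(prefix="recovery_keys_"))
    (base / "recovery.key").write_text("not-a-real-key\n")
    os.symlink("recovery.key", base / "recovery_copy.key")  # stays inside
    os.symlink("/etc/hostname", base / "backup.key")        # points outside
    return base
```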
He noted that cyber criminals are increasingly targeting people holding cryptocurrencies by exploiting software vulnerabilities to access their wallets and steal funds, so users of Chrome or a Chromium-based browser – such as Microsoft Edge – should keep it up to date and exercise increased diligence when downloading files. Users may also wish to consider using a hardware wallet to store crypto assets, and improving the security of their credentials with password managers or multifactor authentication (MFA).
Masas reported the symlink vulnerability to Google, which issued a fix in the Chrome 107 update on 25 October 2022. However, when Masas and his team tested this out, they found that the issue was not fully addressed. It has now been fully resolved in the Chrome 108 update, which was released on 29 November (note this additional fix is not disclosed in Google’s official release update).
“We would like to thank Google for their response to this issue and for their cooperation in addressing it,” said Masas.
“It was a privilege to work with the Google team and help make Chrome a safer and more secure browser for all users. We take pride in our ability to identify and disclose vulnerabilities, and we are committed to working with software vendors to ensure that the products we all rely on are as secure as possible.”