Symlink flaw is affecting more than two billion Chromium users, experts warn

computing

(Image credit: Shutterstock / Ink Drop)

Google Chrome and other Chromium-based browsers (opens in new tab) have been found carrying a high-severity vulnerability that allowed threat actors to steal people’s sensitive files, including the contents of their cryptocurrency wallets, and login credentials.

Cybersecurity experts from Imperva found that the way Chrome and Chromium-based browsers (used by some 2.5 billion people) interacted with file systems was flawed. More precisely, the way browsers process symlinks.

Symlinks, or symbiotic links, are files that point to another file, or directory, the researchers explain. They allow the OS to handle the linked file or directory as if it were at the symlink’s location. “This can be useful for creating shortcuts, redirecting file paths, or organizing files in a more flexible way,” the researchers explained in a blog post (opens in new tab).

Potential attack scenarios

But if these files aren’t handled properly, they can introduce vulnerabilities, and the researchers discovered that the browser didn’t properly check if the symlink was pointing to a location designed to be inaccessible. 

Describing a potential attack scenario, the researchers said a threat actor could create a fake cryptocurrency wallet, and a website that would request the users to download their recovery keys. The downloaded file would actually be a symlink to a sensitive file or folder on the user’s computer. That file could be login credentials for a cloud provider, or something similar. The worst thing is that the victim would be completely oblivious to the fact that their sensitive data has been compromised. 

Read more

> Google Chrome bug could let dodgy websites mess with your clipboard
> A mystery bug is causing Google Chrome extensions to suddenly fail
> Keep yourself safe with the best ID theft protection solutions (opens in new tab)

What’s more, the strategy wouldn’t be too extreme, either, the researchers say, claiming “many crypto wallets and other online services” require users to download recovery keys to access their accounts. 

“In the attack scenario described above, the attacker would take advantage of this common practice by providing the user with a zip file containing a symlink instead of actual recovery keys.” 

The vulnerability is now tracked as CVE-2022-3656 – an Insufficient data validation in File System flaw. Google has since addressed the issue and released Chrome 108 as a fix, so make sure you are running this version of the browser before downloading any recovery keys.

    Are you a pro? Subscribe to our newsletter

    Sign up to theTechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

    By submitting your information you agree to the Terms & Conditions (opens in new tab) and Privacy Policy (opens in new tab) and are aged 16 or over.

    Sead Fadilpašić

    Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

    TECH NEWS RELATED

    Xiaomi phone with Samsung E6 OLED breaks Android display brightness record

    Samsung recently showcased its newest OLED panel—E6 Super AMOLED—for smartphones that can reach up to 2,000 nits of peak brightness. It is the same panel used in the iPhone 14 Pro and the iPhone 14 Pro Max. Now, Android smartphone makers have started using the same panel, and Xiaomi’s ...

    View more: Xiaomi phone with Samsung E6 OLED breaks Android display brightness record

    Pixel 7 bug causes phone to freeze while watching YouTube and YouTube TV

    Despite being one of the best Android smartphones on the market, Google’s Pixel 7 suffers from several annoying bugs and problems that users have to contend with. One such bug has actually been plaguing users since the phone launched, but complaints continue to spring up. 9to5Google reports that the ...

    View more: Pixel 7 bug causes phone to freeze while watching YouTube and YouTube TV

    How to Install Any Add-on in Firefox for Android

    When Mozilla launched a re-designed version of Firefox for Android a few years back, it only came with support for a few add-ons – just for the sake of compatibility. Fast forward to present day and the restoration of full add-on support is not yet complete. The good news, ...

    View more: How to Install Any Add-on in Firefox for Android

    Newest Android version installed on a mere 5% of devices

    Android 13 is out of the reach of most users. In contrast, virtually all iPhone owners can install iOS 16. Photo: Ed Hardy/Cult of Mac It’s considered somewhat controversial that iOS 16 has been installed on only about 70% of iPhones four months after its release. But that’s a ...

    View more: Newest Android version installed on a mere 5% of devices

    Just How Popular Is Mobile Gaming on Android Devices?

    Mobile gaming exceeded any expectations regarding its profitability and popularity. Today is considered one of the fastest-growing entertainment sectors. It continues to attract new mobile gamers and expand the demographic of the gaming sector. In fact, it is one of the main reasons why gaming has become globally popular. ...

    View more: Just How Popular Is Mobile Gaming on Android Devices?

    Malware is Sneaking Into Google Search Ads

    Malware and viruses always, always, find a way. You need to be extra careful while browsing online, but sometimes, malware can still pop up in the places you least expect it — including in Google Search ads. Hackers and malware developers have set up fake websites for popular pieces ...

    View more: Malware is Sneaking Into Google Search Ads

    Five months after launching, Android 13 is running on 5.2% of devices

    In the past five months we’ve seen smartphone brands update their handsets to Android 13 as well as launch new models running this latest version of Android out of the box. While the likes of Samsung are leading the charge when it comes to issuing OS updates, there are ...

    View more: Five months after launching, Android 13 is running on 5.2% of devices

    You can now sign up for Twitter Blue on Android for $11 a month

    Ahh, Twitter. Gone are the days of applying for and failing to get verification for unspecified reasons, with Musk’s vision of Twitter Blue you can now sign up and pay your way to a verified tick. And from today onwards, you can even do so via the official Twitter ...

    View more: You can now sign up for Twitter Blue on Android for $11 a month

    Amazon, Meta and Google are actually spending big on clean energy

    Galaxy Tab S6 Lite (2020) gets Android 13 One UI 5.0 update

    10 Best Android Travel Apps To Plan Your Next Trip

    First post-Android 13 update to Galaxy A72 brings January 2023 security patch

    Galaxy A02 gets a new update but it’s not Android 12

    Google is testing way to measure distance between devices via Bluetooth

    Only 5.2% of devices running Android 13 five months after launch

    Galaxy S10 Lite Android 13 (One UI 5) update reaches the USA

    Everything you need to know on how to unlock Bluetooth support on the Stadia Controller

    How to back up and delete your Gmail so you don’t have to pay for storage

    Google’s rumored AirTag rival could be an Android moment for Bluetooth trackers

    US unlocked Galaxy S20 is finally getting Android 13 One UI 5

    OTHER TECH NEWS

    Top Car News Car News