Symlink flaw is affecting more than two billion Chromium users, experts warn
(Image credit: Shutterstock / Ink Drop)
Google Chrome and other Chromium-based browsers (opens in new tab) have been found carrying a high-severity vulnerability that allowed threat actors to steal people’s sensitive files, including the contents of their cryptocurrency wallets, and login credentials.
Cybersecurity experts from Imperva found that the way Chrome and Chromium-based browsers (used by some 2.5 billion people) interacted with file systems was flawed. More precisely, the way browsers process symlinks.
Symlinks, or symbiotic links, are files that point to another file, or directory, the researchers explain. They allow the OS to handle the linked file or directory as if it were at the symlink’s location. “This can be useful for creating shortcuts, redirecting file paths, or organizing files in a more flexible way,” the researchers explained in a blog post (opens in new tab).
Potential attack scenarios
But if these files aren’t handled properly, they can introduce vulnerabilities, and the researchers discovered that the browser didn’t properly check if the symlink was pointing to a location designed to be inaccessible.
Describing a potential attack scenario, the researchers said a threat actor could create a fake cryptocurrency wallet, and a website that would request the users to download their recovery keys. The downloaded file would actually be a symlink to a sensitive file or folder on the user’s computer. That file could be login credentials for a cloud provider, or something similar. The worst thing is that the victim would be completely oblivious to the fact that their sensitive data has been compromised.
> Google Chrome bug could let dodgy websites mess with your clipboard
> A mystery bug is causing Google Chrome extensions to suddenly fail
> Keep yourself safe with the best ID theft protection solutions (opens in new tab)
What’s more, the strategy wouldn’t be too extreme, either, the researchers say, claiming “many crypto wallets and other online services” require users to download recovery keys to access their accounts.
“In the attack scenario described above, the attacker would take advantage of this common practice by providing the user with a zip file containing a symlink instead of actual recovery keys.”
The vulnerability is now tracked as CVE-2022-3656 – an Insufficient data validation in File System flaw. Google has since addressed the issue and released Chrome 108 as a fix, so make sure you are running this version of the browser before downloading any recovery keys.
Are you a pro? Subscribe to our newsletter
Sign up to theTechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.