How to protect your files from being stolen



Imperva's Red Team disclosed a vulnerability, CVE-2022-3656, to which over 5 billion users of Google Chrome and Chromium-based browsers are currently susceptible. It allows the theft of sensitive information such as crypto wallet keys and cloud provider credentials.


It is estimated that Chrome has 652% market share, and that two other browsers in the top six, Opera and Edge, are built on Chromium, which is an open-source version of Chrome and has over 70% market share, making it one of the most popular browsers on the planet.


Using Chromium has many advantages, including compatibility and shared security audits. However, this popularity also means that a single bug is likely to be a cross-browser vulnerability. The vulnerability in this case was discovered by examining how the browser interacts with the file system, and specifically by looking at the common class of vulnerabilities related to how browsers process symlinks.


A symlink is a file that points to another file or directory.


A symlink, also known as a symbolic link, is a special type of file that points to another file or directory by path. The operating system treats the linked file or directory as if it were at the location where the symlink is, which makes symlinks useful for creating shortcuts, redirecting file paths, and reorganizing files in a more flexible manner.


It is important to note, however, that symlinks can also create vulnerabilities when they are not handled correctly. The vulnerability we disclosed to Google stems from the way the browser processes files and directories through symlinks: the browser did not properly check whether a symlink pointed to a location that was not intended to be accessible, which made it possible for sensitive files to be stolen.


This class of issue is commonly known as symbolic link following.


Identifying the bug that is causing the problem


Our aim was to examine how Chrome and other Chromium-based browsers handle the file system. When we examined the APIs that developers commonly use to upload files, such as the Drop Event, File Input, and File System Access APIs, we noticed that they do not usually follow symbolic links. They even implement extra safety measures, such as asking the user for additional confirmation when a large number of files is uploaded at once.


While testing, however, we found that dropping a file or folder onto a file input is handled differently from the cases above: symbolic links are followed and resolved recursively, and the user receives no extra warning or confirmation.
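The check that the drop path lacked is a confinement test: when a dropped folder is walked recursively, any symlink whose target resolves outside the dropped folder must not be followed. The following added example (not code from the original post or from Chromium) implements that walk in Python over a constructed directory layout: a "recovery_keys" folder containing one real file, one symlink that stays inside the folder, and one symlink that escapes to a cloud-credentials file elsewhere on disk. Names and contents are assumptions made up for the example.

```python
import os
import tempfile
from pathlib import Path


def collect_files(dropped_root):
    """Recursively collect the files under a dropped directory, the way a
    browser does when a folder is dropped on a file input, but with the
    missing confinement check applied.

    Returns (accepted, rejected):
      accepted - regular files that may be uploaded
      rejected - (symlink_path, resolved_target) pairs for symlinks whose
                 target lies outside the dropped directory
    Symlinks whose target stays inside the dropped directory are skipped,
    because the target itself is collected by the walk on its own.
    """
    root = Path(dropped_root).resolve()
    accepted, rejected = [], []
    # followlinks=False: symlinked directories are listed but not descended,
    # so every symlink passes through the check below exactly once.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in sorted(dirnames + filenames):
            path = Path(dirpath) / name
            if path.is_symlink():
                target = path.resolve()  # follows the whole link chain
                inside = target == root or root in target.parents
                if not inside:
                    rejected.append((path, target))
                continue
            if path.is_file():
                accepted.append(path)
    return accepted, rejected


def build_demo(base):
    """Constructed sample layout (an assumption for this example):
      base/secrets/cloud_credentials.json   sensitive file outside the drop
      base/recovery_keys/key.txt            legitimate file inside the drop
      base/recovery_keys/backup.txt         symlink -> ../secrets/cloud_credentials.json
      base/recovery_keys/copy.txt           symlink -> key.txt (stays inside)
    Returns the path of the folder the user would drop onto the page."""
    base = Path(base)
    secrets = base / "secrets"
    drop = base / "recovery_keys"
    secrets.mkdir()
    drop.mkdir()
    (secrets / "cloud_credentials.json").write_text('{"access_key": "EXAMPLE"}')
    (drop / "key.txt").write_text("recovery-key-material")
    os.symlink(secrets / "cloud_credentials.json", drop / "backup.txt")
    os.symlink("key.txt", drop / "copy.txt")
    return drop


def demo():
    """Build the layout in a temporary directory and run the checked walk.
    Returns (accepted file names, [(symlink name, target name), ...])."""
    with tempfile.TemporaryDirectory() as tmp:
        drop = build_demo(tmp)
        accepted, rejected = collect_files(drop)
        return ([p.name for p in accepted],
                [(p.name, t.name) for p, t in rejected])


if __name__ == "__main__":
    files, escapes = demo()
    print("would upload:", files)
    print("refused (escape the dropped folder):", escapes)
```

The comparison is done on fully resolved paths on both sides, so a chain of links, a `..` component, or a symlinked temp directory cannot slip past the test; an upload handler that refuses or warns on the `rejected` list closes the gap the post describes.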


An attack scenario can be described as follows:


  1. An attacker creates a fake website offering a new crypto wallet service.
  2. The website asks the user to download their "recovery keys" in order to create a new wallet.
  3. These "keys" are a zip file containing a symlink to a sensitive file or folder on the user's computer, such as a credential for a cloud provider.
  4. When the user unzips the "recovery keys" and uploads them back to the website, the symlink is followed and the attacker gains access to the sensitive file.
  5. If the website looks legitimate and the process of downloading and uploading the recovery keys appears normal, the user may not realize that anything is wrong.
  6. This scenario shows the potential impact that the symbolic link vulnerability can have on Chrome and Chromium-based browsers.


Many online services, especially crypto wallets, require users to download "recovery keys" in order to access their accounts. Users commonly download these keys and later upload them back to the website to prove ownership of the account if they lose access for any reason, such as forgetting their password. The keys serve as a backup in case an account owner loses access to their account.


The attacker in the scenario above exploits this common practice by providing a zip file containing a symlink instead of an actual recovery key. When the user unzips and uploads the file, the symlink is processed, giving the attacker access to sensitive data on the user's computer.
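A zip archive can store an entry as a symbolic link rather than as file data, which is what the scenario above relies on. The added example below (not code from the original post) shows a pre-extraction check in Python that lists the symlink entries of an archive by reading the Unix mode bits stored in each entry's external attributes, so a client or upload pipeline can refuse such an archive before anything is unpacked. The archive it inspects is constructed in memory for the example; the entry names and the link target path are made-up values.

```python
import io
import stat
import zipfile


def symlink_entries(zip_bytes):
    """Return [(entry name, link target), ...] for every entry in the archive
    that is stored as a symbolic link.

    Unix zip tools keep the file mode in the high 16 bits of external_attr;
    S_IFLNK there marks a symlink, and the entry's data is the link target.
    Entries without Unix mode bits are treated as regular files."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                target = zf.read(info).decode("utf-8", "replace")
                found.append((info.filename, target))
    return found


def is_safe_to_extract(zip_bytes):
    """An archive is only extracted if it contains no symlink entries."""
    return not symlink_entries(zip_bytes)


def build_sample_zip(include_symlink=True):
    """Constructed archive for the example: one real key file and, optionally,
    an entry stored as a symlink pointing at a credentials file outside the
    archive (the path is a placeholder)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("recovery_keys/key.txt", "recovery-key-material")
        if include_symlink:
            link = zipfile.ZipInfo("recovery_keys/backup.txt")
            link.create_system = 3  # 3 = Unix, so the mode bits are meaningful
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            # For a symlink entry the stored data is the link target path.
            zf.writestr(link, "/home/user/cloud_credentials.json")
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = build_sample_zip()
    print("symlink entries:", symlink_entries(suspicious))
    print("safe to extract:", is_safe_to_extract(suspicious))
    print("clean archive safe:", is_safe_to_extract(build_sample_zip(False)))
```

The check runs on the archive bytes before extraction, so it does not depend on how the unzip tool on the user's machine treats symlink entries; refusing the archive up front also avoids leaving a symlink on disk that a later drag-and-drop could follow.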


A proof-of-concept attack was created to demonstrate the potential impact of this vulnerability. It uses CSS to enlarge the file input element in the Chrome or Chromium browser so that it covers the page, ensuring that any file dropped anywhere on the page is uploaded.


In this way, we were able to exploit the symbolic link following vulnerability to steal files from the user's file system.


Using this proof-of-concept, we developed a realistic scenario in which an attacker tricks an individual into visiting a malicious website and then exploits the symbolic link following vulnerability in Chrome to steal sensitive information. As the figure shows, this vulnerability could have serious consequences.


Our original bug report for the "SymStealer" vulnerability, filed on the Chromium bug tracker, includes a proof-of-concept that you can view, download, and test. The full source code for the proof-of-concept is also available there.


You should be concerned about hackers stealing your cryptocurrency


It is becoming increasingly common for hackers to target individuals and organizations who hold cryptocurrency, because these digital assets are extremely valuable. Hackers use a number of tactics to gain access to crypto wallets and take the funds they contain, including exploiting software vulnerabilities such as the one disclosed here.


Keeping your software up to date is essential for protecting your crypto assets, and you should avoid downloading files or clicking on links from untrusted sources. It is also wise to store your cryptocurrency in a hardware wallet, as these devices are not connected to the internet and are less likely to be hacked.


To further reduce the risk of your crypto being stolen, use a password manager that creates strong, unique passwords for your crypto accounts, and enable two-factor authentication wherever possible. Taking these precautions lessens the likelihood of your crypto being stolen by hackers.


Final thoughts


After Imperva discovered this vulnerability and reported it to Google, the Imperva team realized that the first fix, in Chrome 107, did not entirely resolve the issue.


Google was notified again, and the issue was resolved in Chrome 10. To protect against the latest vulnerabilities and ensure that your personal and financial information remains secure, it is important to keep your software up to date at all times.


It was a pleasure to work with the Google team and be able to contribute to making Chrome a safer and more secure browser for all users. We would like to take this opportunity to thank Google for their responsiveness and cooperation in addressing this issue.


As a team, we pride ourselves on our ability to identify and disclose vulnerabilities, and we are committed to collaborating with software vendors to ensure that the products on which our daily lives depend are made as secure as possible.
