When a security vulnerability is discovered in any popular application or service, it has the potential to put many internet users at risk.
Recently, the Imperva Red Team discovered a vulnerability in Google Chrome and Chromium-based browsers that threatened 2.5 billion users and could lead to the theft of sensitive files like crypto wallet credentials.
Understanding how this vulnerability works can help the 20% of Americans who hold cryptocurrency safeguard their investment and identify potentially malicious behavior.
Vulnerable Symlinks Capable of Providing Crypto Keys
This vulnerability, dubbed CVE-2022-3656, was discovered during a review of how Chrome and other Chromium-based browsers interact with file systems, specifically how the browser processes symlinks.
A symlink, also referred to as a symbolic link, is a type of file that points to another file or directory, allowing the operating system to treat the target as if it lived at the symlink’s location. Symlinks are frequently used when redirecting file paths, creating shortcuts, or organizing files, making them critical to browser operability. The problem arises when they are not properly managed.
In the case of CVE-2022-3656, the browser did not adequately confirm whether the symlink pointed to a location that was actually intended to be accessible. This would allow threat actors to access prohibited files and steal sensitive data. This behavior is referred to as symbolic link following. When inspecting the APIs commonly used for file uploads, it was discovered that under certain circumstances the browser incorrectly processed symbolic links, recursively resolving them without any additional warning or confirmation.
In practice, this presented another attack vector for threat actors. For instance, crypto wallets and other online services often require users who lose access to their account to download “recovery” keys which can then be uploaded to the website as a form of authentication. A threat actor could take advantage of this by creating a false crypto wallet website and tricking an unsuspecting victim into creating a new wallet by asking them to download what appears to be basic recovery keys. In reality, these keys would be a zip file containing a symlink to sensitive data on the user’s computer. When the file is unzipped and uploaded to the fake website, that symlink would be instantly processed, providing the threat actor with clear access to the sensitive file. In short, because Chromium-based browsers immediately process symlinks without any secondary authentication, users can be easily tricked into giving cybercriminals direct access to their most sensitive information, without even realizing it.
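The difference between a reader that follows a symlink and one that refuses it, shown as an added example in Python that is not code from the original post or from Imperva. It builds a constructed directory that stands in for an unpacked archive (the file names and contents are assumptions) and shows how a pre-upload scan with lstat flags the link that open() would silently follow:

```python
import os
import stat
import tempfile

def find_symlinks(root: str) -> list:
    """Return every path under root that is itself a symlink (links are not followed)."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            # lstat inspects the link itself; stat() would resolve it to the target
            if stat.S_ISLNK(os.lstat(full).st_mode):
                found.append(full)
    return found

def read_following_links(path: str) -> bytes:
    """Naive reader: open() resolves a symlink, which is the behavior described above."""
    with open(path, "rb") as f:
        return f.read()

def read_without_following(path: str) -> bytes:
    """Hardened reader: refuse symlinks and anything that is not a regular file."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"refusing to follow symlink: {path}")
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"not a regular file: {path}")
    with open(path, "rb") as f:
        return f.read()

def demo() -> dict:
    """Constructed scenario: a 'recovery key' in an unpacked directory is really a symlink."""
    base = tempfile.mkdtemp()
    secret = os.path.join(base, "wallet.secret")          # assumed sensitive file
    with open(secret, "wb") as f:
        f.write(b"CONSTRUCTED-SEED-PHRASE")
    unpacked = os.path.join(base, "unpacked")             # stands in for the unzipped archive
    os.mkdir(unpacked)
    link = os.path.join(unpacked, "recovery.key")
    os.symlink(secret, link)
    result = {
        "flagged": [os.path.relpath(p, unpacked) for p in find_symlinks(unpacked)],
        "naive_leaks": read_following_links(link) == b"CONSTRUCTED-SEED-PHRASE",
    }
    try:
        read_without_following(link)
        result["hardened_refused"] = False
    except PermissionError:
        result["hardened_refused"] = True
    return result

if __name__ == "__main__":
    print(demo())
```

Running the scan over a directory before selecting files for upload is the check a user-side tool can perform; the hardened reader is the behavior the fixed browser applies at the file API.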
When in Doubt, Skip the Download and Bolster Defenses
After the vulnerability was disclosed to Google, the issue was fully resolved in Chrome 108. However, individuals and organizations holding cryptocurrencies should be on alert to protect their credentials and their funds.
Most critically, it’s important to keep software up-to-date and avoid downloading files or clicking links from untrusted sources. Hardware wallets not connected to the internet should be used when storing cryptocurrency as they are less vulnerable. Additional protections like two-factor authentication should be used whenever possible.
This vulnerability is another reminder that users must be proactive against suspicious cyber activity, especially when sensitive cryptocurrency or data is involved.
Ron Masas, Lead Vulnerability Researcher, Imperva
Ron Masas is a Lead Vulnerability Researcher at Imperva. His research areas include privacy on the web, web application security, and side-channel attacks. His research has been acknowledged by well-known vendors, including Apple, Google, and Facebook, for discovering vulnerabilities and improving the security of their products.
The post Google Chrome Symlink Vulnerability: Protect Your Files appeared first on Industry Today.