A serious loophole in the Chrome browser has exposed billions of users’ files to hacking
Information security researchers found a serious security gap in Chrome and other browsers based on Chromium, affecting about 2.5 billion users worldwide.
Imperva researchers said that the gravity of the gap was that it allowed hackers to steal users’ sensitive files, including the content of cryptocurrency portfolios and login credentials.
According to the researchers, there is a glitch in the way Chrome browser and Chromium-based browsers (the open-source web browser project) interact with so-called code links in file systems.
The researchers explain that the symbolic links “Symlinks” are files that refer to a file or other manual in operating systems, and allow the system to treat the file or directory associated with the original files as if they were in the same location.
In a blog post, the researchers explained that “these (code links) can be useful for creating shortcuts, redirecting file paths or organizing files more flexibly.” However, if these files are not properly handled, they can become a weakness exploited by pirates.
Describing a possible attack scenario, the researchers said any pirate could create a fake cryptocurrency wallet and website asking users to download its recovery keys.
If the victim downloads those files, they may be symbolic links to a sensitive file or folder on the user’s computer, and because of the inadequacy of the browser’s handling of those files, it may result in the theft of cryptocurrency wallets and device dependency data.
The worst thing about it – according to researchers – is that the victim will be completely oblivious to the fact that his sensitive data has been hacked, especially since many cryptocurrency wallets and other online services require users to download recovery keys to access their accounts.
“In the attack scenario described above, the attacker will benefit from this common practice by providing the user with a compressed file containing a symbolic link, rather than actual recovery switches,” the researchers explained.
The vulnerability is now being tracked under the symbol “CVE-2022-3656” (CVE-2022-3656) and processed by Google with Chrome version “108”, so users are advised to install the latest version of the browser and Chromium-based browsers before downloading any recovery keys.
