Experts Detail Chromium Browser Security Flaw Putting Confidential Data at Risk

Jan 12, 2023Ravie LakshmananBrowser Security / Data Safety

Details have emerged about a now-patched vulnerability in Google
Chrome and Chromium-based browsers that, if successfully exploited,
could have made it possible to siphon files containing confidential
data.

“The issue arose from the way the browser interacted with
symlinks ^[1]
when processing files and directories,” Imperva researcher Ron
Masas said ^[2]. “Specifically, the
browser did not properly check if the symlink was pointing to a
location that was not intended to be accessible, which allowed for
the theft of sensitive files.”

Google characterized the medium-severity issue (CVE-2022-3656)
as a case of insufficient data validation in File System, releasing ^[3]
fixes ^[4]
for it in versions 107 and 108 released in October and November
2022.

Dubbed SymStealer, the vulnerability, at its core, relates to a
type of weakness known as symbolic link (aka symlink) following,
which occurs ^[5]
when an attacker abuses the feature to bypass the file system
restrictions of a program to operate on unauthorized files.

Imperva’s analysis ^[6]
of Chrome’s file handling mechanism (and by extension Chromium)
found that when a user directly dragged and dropped a folder onto a
file input element ^[7], the browser resolved
all the symlinks recursively without presenting any warning.

In a hypothetical attack, a threat actor could trick a victim
into visiting a bogus website and downloading a ZIP archive file
containing a symlink to a valuable file or folder on the computer,
such as wallet keys and credentials.

When the same symlink file is uploaded back to the website as
part of the infection chain – e.g., a crypto wallet service that
prompts users to upload their recovery keys – the vulnerability
could be exploited to access the actual file storing the key phrase
by traversing the symbolic link.

To make it even more reliable, a proof-of-concept (PoC) devised
by Imperva employs CSS trickery to alter the size of the file input
element such that the file upload is triggered regardless of where
the folder is dropped on the page, effectively allowing for
information theft.

“Hackers are increasingly targeting individuals and
organizations holding cryptocurrencies, as these digital assets can
be highly valuable,” Masas said. “One common tactic used by hackers
is to exploit vulnerabilities in software […] in order to gain
access to crypto wallets and steal the funds they contain.”

Found this article interesting? Follow us on Twitter ^[8]
and LinkedIn ^[9]
to read more exclusive content we post.

References

^{^}
symlinks
(en.wikipedia.org)
^{^}
said
(www.imperva.com)
^{^}
releasing
(chromereleases.googleblog.com)
^{^}
fixes
(chromereleases.googleblog.com)
^{^}
occurs
(cwe.mitre.org)
^{^}
analysis
(bugs.chromium.org)
^{^}
file
input element (developer.mozilla.org)
^{^}
Twitter
 (twitter.com)
^{^}
LinkedIn
(www.linkedin.com)