 |
| A critical vulnerability in Chrome could affect billions of users |
Information security researchers based on the Chromium project have discovered a critical vulnerability in Chrome and other browsers, affecting approximately 2.5 billion users worldwide.
The severity of the bug, Imperva researchers said, is that hackers can steal sensitive files from users, including: the contents of cryptocurrency wallets and login credentials.
According to the researchers, there is a flaw in the way Chrome and browsers based on the Chromium open source web browser project interact with so-called symbolic links in the file system.
The researchers explained that symlinks (symlinks) are files that point to another file or directory in the operating system, and allow the system to treat the file or directory associated with the original file as if they were in the same location.
"These (symbolic links) can be used to create shortcuts, redirect file paths, or organize files more flexibly," the researchers explained in a blog post on Imperva. But if these files are mishandled, they can become vulnerabilities that hackers can exploit.
Describing a possible attack scenario, the researchers said hackers could create a fake cryptocurrency wallet and website asking users to upload their recovery keys.
When victims download these files, they can be symbolic links to sensitive files or folders on the user's computer, and due to a malfunction in the browser's handling of these files, this can lead to theft of cryptocurrency wallets and device credentials.
What's worse, researchers say, is that victims completely forget about the fact that their sensitive data was compromised, especially since many cryptocurrency wallets and other online services require users to download recovery keys to access their accounts.
"In the attack scenario described above, attackers would exploit this common practice by providing users with zip files containing symbolic links instead of physical recovery keys," the researchers said.
The vulnerability is currently being tracked with ID (CVE-2022-3656) and Google has fixed the vulnerability via Chrome browser version 108, so users are advised to install the latest version of the browser and a browser based on the Chromium project before pre-downloading the recovery key.