



Jan 13, 2023

A high-severity vulnerability patched by Google Chrome a few months ago allowed hackers to steal sensitive files such as crypto wallets.

A vulnerability in the Chromium web browser project affects billions of people around the world. Because Chromium is the foundation of Google’s leading web browser, Chrome, and powers the Microsoft Edge and Opera browsers. Taken together, Chromium technology accounts for more than 70% of his web browser share worldwide, cybersecurity firm Imperva said in a blog post detailing the bug tracked as CVE-2022-3656. increase.

Imperva researcher Ron Masas says he discovered the flaw while studying how Chromium browsers handle file systems. The company disclosed the flaw to his Google and delayed the rollout until Google patched it. According to Masas, Google took him two tries to fix the bug, and Chrome 108 he finally fixed the flaw in late November.

The flaw was due to the way Chromium parsed symbolic links. Also known as a symbolic link, a file that specifies a path to a specified file or directory. “Browsers didn’t properly check if symbolic links were pointing to locations that weren’t accessible, which could lead to the theft of sensitive files,” Mathas wrote.

Chromium browsers usually have safety features to ensure that the user actually attempts to upload a file when another application accesses the API for file uploads, but this is not the case with symlink handling. It wasn’t.

A malicious person could take advantage of it by tricking a user into downloading a file containing a symbolic link that is a file path to sensitive data.

In the use case outlined by Masas, a crypto wallet service is controlled by a malicious actor who forces users to download recovery keys. Many cryptocurrency wallets require users to download a recovery key. As a result, files are stolen from the user’s system.

Mathas wrote about the possibility that this vulnerability could be used to steal cryptocurrencies. “These digital assets are so valuable that hackers are increasingly targeting individuals and organizations holding cryptocurrencies.” He added that the moral of the story is: Always keep your software up to date.

