Patched Chromium Vulnerability Allowed File TheftBug Exploited Symbolic Links to Find a File Path to Sensitive Data
A high-severity vulnerability patched by Google Chrome a few months ago allowed hackers to steal sensitive files such as crypto wallets.
Vulnerabilities in the Chromium web browser project affect billions of individuals across the globe because Chromium is the basis for Google's dominant web browser Chrome and underpins the Microsoft Edge and Opera browsers. Taken together, Chromium technology amounts to more than 70% of global web browser share, says cybersecurity firm Imperva in a blog post detailing the bug, which is tracked as CVE-2022-3656.
Imperva researcher Ron Masas says he found the flaw while studying how Chromium browsers handle file systems. The company disclosed the flaw to Google and held off on public disclosure until after Google had patched it. Masas says Google needed two tries to fix the bug, and Chrome 108 finally fixed the flaw in late November.
The flaw stemmed from how Chromium parsed symbolic links. Also known as symlinks, they are files that specify a path to a specified file or directory. "The browser did not properly check if the symlink was pointing to a location that was not intended to be accessible, which allowed for the theft of sensitive files," Masas wrote.
Chromium browsers typically have safety features ensuring that users actually intend to upload files when other applications access the API for file upload, but that wasn't the case for symlink processing.
Bad actors could take advantage of that by having users download a file containing a symlink that is a file path to sensitive data.
In a use case outlined by Masas, a crypto wallet service is controlled by malicious actors who have users download their recovery keys. That scenario isn't far-fetched: Many crypto wallets require users to download recovery keys. The result would be stolen files from the users' systems.
Masas writes about the potential for the flaw to be used to steal cryptocurrency because "hackers are increasingly targeting individuals and organizations holding cryptocurrencies, as these digital assets can be highly valuable." The moral of the story, he added, is: Always keep software up to date.