The Imperva Red Team recently disclosed a vulnerability, dubbed CVE-2022-3656, affecting over 2.5 billion users of Google Chrome and Chromium-based browsers. This vulnerability allowed for the theft of sensitive files, such as crypto wallets and cloud provider credentials.
Chrome is the most widely used browser, with a 65.52% market share. Two other top 6 browsers, Opera and Edge, are based on Chromium, the open-source version of Chrome, bringing Chromium’s market share to over 70%.
The popularity of Chromium has many benefits, such as compatibility and security audits. However, it also increases the likelihood of cross-browser vulnerabilities. In this case, the vulnerability was discovered through a review of the ways the browser interacts with the file system, specifically looking for common vulnerabilities related to the way browsers process symlinks.
What’s a symlink?
A symlink, also known as a symbolic link, is a type of file that points to another file or directory. It allows the operating system to treat the linked file or directory as if it were at the symlink’s location. This can be useful for creating shortcuts, redirecting file paths, or organizing files in a more flexible way.
However, symlinks can also introduce vulnerabilities if they are not handled properly. In the case of the vulnerability we disclosed to Google, the issue arose from the way the browser interacted with symlinks when processing files and directories. Specifically, the browser did not properly check if the symlink was pointing to a location that was not intended to be accessible, which allowed for the theft of sensitive files. This issue is commonly known as symbolic link following.
Finding the bug
We looked into how Chrome and other Chromium-based browsers handle file systems. When we checked out the APIs that developers often use for file uploads, like the Drop Event, File Input, or File System Access API, we noticed that they usually don’t deal with symbolic links. They even have extra safety measures, like asking for extra confirmation from the user if they try to upload lots of files at once. However, during our testing, we found that when you drop a file or folder onto a file input, it’s handled differently. Symbolic links are processed, recursively resolved, and there’s no extra warning or confirmation for the user.
An attacker could create a fake website that offers a new crypto wallet service.
The website could trick the user into creating a new wallet by requesting that they download their “recovery” keys.
These keys would actually be a zip file containing a symlink to a sensitive file or folder on the user’s computer, such as a cloud provider credential. When the user unzips and uploads the “recovery” keys back to the website, the symlink would be processed and the attacker would gain access to the sensitive file. The user may not even realize that anything is amiss, as the website could be designed to look legitimate and the process of downloading and uploading the “recovery” keys could appear normal. This scenario demonstrates the potential impact of the symbolic link following vulnerability on Chrome and Chromium-based browsers.
Many crypto wallets and other online services require users to download “recovery” keys in order to access their accounts. These keys serve as a backup in case the user loses access to their account for any reason, such as forgetting their password. It is common for users to download these keys and then upload them back to the website in order to verify their ownership of the account.
In the attack scenario described above, the attacker would take advantage of this common practice by providing the user with a zip file containing a symlink instead of actual recovery keys. When the user unzips and uploads the file, the symlink would be processed, allowing the attacker to gain access to sensitive files on the user’s computer.
To demonstrate the potential impact of this vulnerability, we created a proof-of-concept attack that uses CSS to manipulate the file input element in the Chrome or Chromium-based browser. By making the file input element larger, we were able to ensure that any file dropped onto the page would be uploaded, regardless of where it was dropped. This allowed us to exploit the symbolic link following vulnerability, and steal files from the user’s file system.
We used this proof-of-concept attack to create a realistic scenario where an attacker could trick a user into visiting a malicious website, and then steal sensitive files by exploiting the symbolic link following vulnerability in Chrome. This shows the potential consequences of this vulnerability.
You can check out our proof-of-concept for the “SymStealer” vulnerability and try it out by visiting our original bug report on the Chromium bug tracker. The full source code is also available there.
Hackers are after your crypto
Hackers are increasingly targeting individuals and organizations holding cryptocurrencies, as these digital assets can be highly valuable. One common tactic used by hackers is to exploit vulnerabilities in software, such as this recently disclosed vulnerability, in order to gain access to crypto wallets and steal the funds they contain.
To protect your crypto assets, it is important to keep your software up to date and avoid downloading files or clicking on links from untrusted sources. It is also a good idea to use a hardware wallet to store your cryptocurrencies, as these devices are not connected to the internet and are therefore less vulnerable to hacking attempts. Additionally, consider using a password manager to generate strong, unique passwords for your crypto accounts, and enable two-factor authentication whenever possible. By taking these precautions, you can reduce the risk of your crypto being stolen by hackers.
After disclosing the vulnerability to Google, the Imperva team found that the first fix, introduced in Chrome 107, did not fully address the issue. The team notified Google of this, and the issue was fully resolved in Chrome 108. It is important to always keep your software up to date in order to protect against the latest vulnerabilities and ensure that your personal and financial information remains secure.
We would like to thank Google for their response to this issue and for their cooperation in addressing it. It was a privilege to work with the Google team and help make Chrome a safer and more secure browser for all users. We take pride in our ability to identify and disclose vulnerabilities, and we are committed to working with software vendors to ensure that the products we all rely on are as secure as possible.
Try Imperva for Free
Protect your business for 30 days on Imperva.