Details have recently emerged on a now-corrected vulnerability in Google Chrome, or rather in Chromium, the browser on which several other browsers are based (Brave, Opera, etc.), which, if successfully exploited, could have enabled large-scale theft of sensitive data.

It is worth pointing out that “Chromium” is the name of the Google open-source project from which many other browsers are derived; consequently (though not with certainty, as we note immediately so as not to be alarmist), the issue could also affect browsers other than Google Chrome.

“The problem arose from how the browser interacted with symbolic links when processing files and directories,” stated Imperva researcher Ron Masas. “In particular, the browser did not correctly check whether the symbolic link pointed to a location that should not be accessible, which allowed for the theft of sensitive files [and data in general].”

What’s wrong with this Chromium bug?

Google rated the issue medium severity (CVE-2022-3656), describing it as a case of insufficient data validation in the file system, and shipped fixes in versions 107 and 108, released in October and November 2022.

Dubbed SymStealer, the vulnerability is at its core an instance of a class of bug involving symbolic links (symlinks), in which an attacker abuses the link-following feature to circumvent a program's file-system restrictions and then operate on files it should not be authorized to access.

Imperva's analysis of this file-handling mechanism in Chrome (and by extension Chromium and the other browsers built on its source code) found that when a user dragged and dropped a folder directly onto a file input element, the browser resolved all symlinks recursively without presenting any warning.

In a hypothetical attack, an attacker could trick a victim into visiting a fake website and downloading a ZIP archive that contains a symbolic link to a valuable file or folder on the victim's computer, such as wallet keys and login credentials (for example, those of a cryptocurrency wallet).

When the same symlink file is uploaded back to the website as part of the infection chain, for example by a fake crypto wallet service that asks users to upload their recovery keys, the vulnerability could be exploited to access the actual file that stores the key by traversing the symlink.
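The delivery step described above relies on a ZIP archive that carries a symlink entry whose target lies outside the archive (an absolute path or one escaping via `..`). The following Python example, added here and not part of the original article or Imperva's research, shows how a download scanner or mail gateway could flag such archives: it builds a small constructed sample archive in memory (the entry names and link target are made-up placeholders) and then lists every symlink entry and every one whose target escapes the archive. ZIP stores the Unix file mode in the high 16 bits of `external_attr`, and a symlink entry's body is its target path, which is what the checks below rely on.

```python
import io
import posixpath
import stat
import zipfile


def build_sample_archive() -> bytes:
    """Construct an in-memory ZIP with one normal file and one symlink entry.

    This is sample data built for the demonstration, not a real archive from
    the SymStealer research. The link target is a placeholder path.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless file\n")
        info = zipfile.ZipInfo("recovery-keys/keys.txt")
        info.create_system = 3  # 3 = Unix, so external_attr carries a POSIX mode
        info.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark entry as a symlink
        # For a symlink entry the stored "content" is the link target.
        zf.writestr(info, "/home/user/.config/wallet/keys.txt")  # placeholder target
    return buf.getvalue()


def find_symlink_entries(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, link target) for every symlink entry in the archive."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16  # POSIX mode bits live in the upper half
            if stat.S_ISLNK(mode):
                target = zf.read(info).decode("utf-8", errors="replace")
                found.append((info.filename, target))
    return found


def escaping_symlinks(data: bytes) -> list[tuple[str, str]]:
    """Return symlink entries whose target resolves outside the archive root.

    A target is considered escaping if it is absolute or if, once joined with
    the directory of the entry and normalised, it still climbs above the root.
    """
    escaping = []
    for name, target in find_symlink_entries(data):
        if posixpath.isabs(target):
            escaping.append((name, target))
            continue
        resolved = posixpath.normpath(posixpath.join(posixpath.dirname(name), target))
        if resolved == ".." or resolved.startswith("../"):
            escaping.append((name, target))
    return escaping


def archive_is_suspicious(data: bytes) -> bool:
    """True when the archive carries at least one symlink pointing outside itself."""
    return bool(escaping_symlinks(data))


if __name__ == "__main__":
    sample = build_sample_archive()
    for name, target in find_symlink_entries(sample):
        print(f"symlink entry: {name} -> {target}")
    print("suspicious:", archive_is_suspicious(sample))
```

A scanner that refuses or quarantines archives for which `archive_is_suspicious` returns true blocks the delivery vector without needing to know which file the link points at; the same mode check can be applied before extraction on the server side of any upload endpoint that accepts archives.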

To make the attack more reliable, a proof of concept (PoC) devised by Imperva uses CSS trickery to alter the dimensions of the file input element so that the file upload is triggered no matter where the folder is dropped on the page, effectively enabling the theft of information.

“Hackers are increasingly targeting individuals and organizations that hold cryptocurrencies, as these digital assets can be very valuable,” said Masas. “A common tactic used by hackers is to exploit vulnerabilities in software […] to gain access to crypto wallets and steal the funds they contain.”

A little-known thing about some Chromium-based browsers

It should be noted that many Chromium-based browsers include built-in cryptocurrency wallets, most notably Brave and Opera; since Chromium is the technical basis of Google Chrome and other browsers, it is recommended (for those who can) to temporarily use alternative wallets, preferably in browsers not based on it.