Information security researchers have found a critical vulnerability in Chrome and other browsers based on the Chromium project, affecting some 2.5 billion users worldwide.
Imperva researchers said that the seriousness of the vulnerability lies in the fact that it allows attackers to steal users' sensitive files, including the contents of cryptocurrency wallets and login credentials.
According to the researchers, the way Chrome and browsers based on the open-source web browser project Chromium interact with so-called symbolic links in file systems suffers from a flaw.
The researchers explain that symlinks are files that point to another file or directory in an operating system, allowing the system to treat the target file or directory as if it were located where the link itself is.
“These (symbolic links) can be useful for creating shortcuts, redirecting file paths, or organizing files more flexibly,” the researchers explain in a blog post on Imperva. However, if not handled properly, these files can turn into a vulnerability for hackers to exploit.
Describing a possible attack scenario, the researchers said a hacker could create a fake cryptocurrency wallet and a website that would ask users to download its recovery keys.
If the victim downloads these files, they may in fact be symbolic links to a sensitive file or folder on the user's computer, and because of the defect in the browser's handling of such links, uploading them back to the site can lead to the theft of cryptocurrency wallets and credentials stored on the device.
The worst part, according to the researchers, is that the victim remains completely unaware that their sensitive data has been compromised, especially since many cryptocurrency wallets and other online services require users to download recovery keys to access their accounts.
"In the attack scenario described above, the attacker would capitalize on this common practice by providing the user with a zip file containing a symbolic link instead of the physical recovery keys," the researchers said.
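The scenario above hinges on an archive that carries a symbolic link in place of the real recovery-key file. The following added example (not from Imperva's post or from Chromium) shows how a defender can inspect a downloaded zip for symlink entries before extracting it, using only the Python standard library; the archive contents and the target path `/path/to/sensitive/file` are constructed placeholders.

```python
import io
import stat
import zipfile


def make_archive(entries):
    """Build an in-memory zip from constructed sample entries.

    entries: list of (name, data, is_symlink). For a symlink entry the
    data is the link target, which is how Unix zip tools store symlinks.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, is_symlink in entries:
            info = zipfile.ZipInfo(name)
            info.create_system = 3  # Unix: mode bits live in external_attr
            mode = (stat.S_IFLNK | 0o777) if is_symlink else (stat.S_IFREG | 0o644)
            info.external_attr = mode << 16
            zf.writestr(info, data)
    return buf.getvalue()


def find_symlink_entries(zip_bytes):
    """Return [(entry_name, link_target)] for every symlink in the archive.

    The Unix file type is stored in the high 16 bits of external_attr;
    stat.S_ISLNK() picks out entries that extraction tools would turn
    into symbolic links pointing outside the archive.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if stat.S_ISLNK(info.external_attr >> 16):
                target = zf.read(info).decode("utf-8", "replace")
                found.append((info.filename, target))
    return found


def is_safe_to_extract(zip_bytes):
    """A downloaded 'recovery keys' archive should contain no symlinks at all."""
    return not find_symlink_entries(zip_bytes)


# Constructed samples: a genuine-looking archive and one carrying a symlink
BENIGN_ZIP = make_archive([("recovery-keys.txt", b"word1 word2 word3", False)])
SUSPICIOUS_ZIP = make_archive(
    [("recovery-keys.txt", b"/path/to/sensitive/file", True)]  # placeholder target
)

if __name__ == "__main__":
    print("benign:", find_symlink_entries(BENIGN_ZIP))
    print("suspicious:", find_symlink_entries(SUSPICIOUS_ZIP))
```

Note that Python's own `zipfile.extractall` writes a symlink entry out as a plain file containing the target path, whereas `unzip` and most desktop archive tools recreate the link, which is why the check belongs before extraction, not after.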
The vulnerability is now tracked as CVE-2022-3656, and Google has addressed it in version 108 of the Chrome browser, so users are advised to install the latest version of Chrome or of any Chromium-based browser before downloading any recovery keys.