CyberRisk Report and WAAP Security Leader, Imperva has just revealed a Google Chrome and chromium-based vulnerability called CVE-2022-3656. The vulnerability in question has reportedly impacted 2.5 billion users, as it enables theft of sensitive files (such as crypto wallets).
Upon reviewing the browser’s interaction with the file system, the vulnerability was discovered. To do so, common vulnerabilities concerning browsers’ symlinks processing was considered. A symlink was used to make the system vulnerable.
A symlink Is a type of file that points to another file or directory
A symlink allows the operating system to “treat the linked file or directory as if it were at the symlink’s location.” Sharing the vulnerability event details, Certik Alert tweeted:
#CertiKSkynetAlert 🚨
— CertiK Alert (@CertiKAlert) January 13, 2023
In this article, @Imperva reveal a Google Chrome and chromium based vulnerability named CVE-2022-3656.
The vulnerability has affected over 2.5M users and allows for theft of sensitive files including crypto wallets.
Read more 👇https://t.co/LroD6kWWYm
The vulnerability emanates from the manner in which the browser interacts with symlinks when processing files and directories. During this instance, the browser failed to verify if
The symlink was pointing to a location that was not supposed to be accessible.
So, the theft of sensitive files, in an event known as “symbolic link following,” took place.
Imperva checked the APIs commonly used by the developers for uploading files, such as the Drop Event, File Input, or File System Access API. Imperva found in its testing that upon dropping a file or folder in a file input, the system handled it in a different way.
Symbolic links are recursively resolved and processed, with no additional warning or confirmation given for the user. When an attack takes place in such a case, the culprit can direct the users to a fake crypto wallet service website. Users might unknowingly end up creating a fresh wallet by downloading “recovery keys” in a zip file with a symlink to their file or folder.
When the user unzips and uploads the “recovery” keys back to the website, the symlink would be processed and the attacker would gain access to the sensitive file. Imperva advises users to keep their software updated and not click links or download files from fishy sources. It is also wise to use a hardware wallet to store crypto, suggests Imperva. The vulnerability has reportedly since been resolved completely with the Chrome 108 update.