Chromium Vulnerability (tracked CVE-2022-3656) discovered by Imperva If security researchers update in July 2022, patch in September, and don’t update their browsers, it could affect 2.5 billion users.
This warning comes from Imperva security researcher Ron Masas. blog post About this vulnerability (aka “SymStealer”) on Wednesday
Among other things, this vulnerability allows exploiting the way browsers handle symbolic links (symlinks) to steal sensitive files such as crypto wallets and cloud provider credentials.
“[Symlinks] It helps you create shortcuts, redirect file paths, and organize files in a more flexible way,” Masas wrote.
“but, [they] It can also introduce vulnerabilities if not handled properly. In the case of the vulnerability disclosed to Google, the problem arose from the way browsers interacted with symbolic links when processing files and directories. “
In other words, this flaw allowed the theft of sensitive files by causing browsers to fail to properly check if a symbolic link would lead the user to an inaccessible location.
“This issue is commonly known as symbolic link chasing,” explained Mathas, explaining that, for example, attackers could use the bug to create fake websites offering new cryptocurrency wallet services. added that it could.
After discovering the vulnerability, Imperva Chromium bug trackerwhich shows how the associated attack occurs in practice.
“After disclosing the vulnerability to Google, the Imperva team realized that the initial fix introduced in Chrome 107 did not fully resolve the issue,” Massas revealed.
“The team notified Google of this and the issue has been fully resolved in Chrome 108. Always keep your software up to date to protect against the latest vulnerabilities and to keep your personal and financial information safe. that is important.”
SymStealer is just the latest Chrome vulnerability discovered in recent months. In September 2022, developer Jeff Johnson changed his web page to Replace the contents of the system clipboard without user consent or interaction.
Recently, Google Patch zero-day vulnerabilities (Tracking CVE-2022-4135) This could allow an attacker to corrupt data and remotely execute code on the victim’s machine.
