In recent years, there has been an increase in attacks involving the use of symbolic links, also known as “symlinks,” to steal sensitive information like cryptocurrency wallets. These attacks can be difficult to detect, as victims never experience any warning or confirmation messages or even realize that anything is amiss. Everything happens under the radar without the knowledge of the victim. We are going to discuss one such recently patched vulnerability in Chromium-based browsers. The flaw, which is tracked under the identifier CVE-2022-3656, is a SymStealer Vulnerability in the Google Chrome browser that allows attackers to covertly steal confidential information from the victim’s computer without leaving any traces behind. Let’s see some of the technical details and how to patch CVE-2022-3656 in this post.
A Short Note About Chromium
Chromium is an open-source web browser project developed by Google. It forms the basis for several popular web browsers, including Google Chrome, Microsoft Edge, Brave, and Opera. These browsers offer users a fast and secure browsing experience with features like built-in ad blockers, password managers, built-in search engine support, and access to the expansive and ever-growing library of Chrome extensions.
According to Statista, Google Chrome dominates the market with a share of around 60-70%, followed by Safari, the default browser on Apple devices, with around 15-20%. Firefox and Microsoft Edge are next in line with around 5-10% market share each. Other browsers like Opera and Brave make up a small fraction of the market.
These numbers suggest that more than half of global internet users are exposed to the CVE-2022-3656 vulnerability. We urge all Chrome users to patch the SymStealer Vulnerability in Google Chrome.
Why are Symlink Vulnerabilities Considered More Dangerous than Any Other?
- Such attacks are considered dangerous because even sophisticated security systems never catch them, since little to no malware is involved.
- Difficult to detect, as victims never experience any sort of warning or confirmation messages or even realize that anything is amiss.
- These attacks can allow attackers to gain unauthorized access to sensitive information or perform unauthorized actions on a system. This can be done by creating a symlink that points to a legitimate file or directory but directs any access or changes to a location controlled by the attacker.
- In the context of Cryptocurrency wallets, an attacker can create a symlink that points to the legitimate wallet but directs any transactions or access to a wallet controlled by the attacker. This can allow the attacker to steal the funds from a legitimate wallet.
Therefore, it is important for organizations and individuals to be aware of the risks associated with symlink vulnerabilities and to take steps to protect themselves from these types of attacks.
What is A Symlink or Symbolic Link?
A symlink or symbolic link is a special type of file that points to another file or directory on the same computer or network. It serves as an alias for the target, allowing it to be accessed using different paths. In other words, a symbolic link behaves similarly to a shortcut in Windows, allowing users to get easy access to files and directories. Unlike a regular file or directory, however, the actual content of a symbolic link is not stored on the system—it just contains a reference to the target file or folder.
Symbolic links are often used to create shortcuts to frequently used files or directories, to redirect access to a file that has been moved, or to make a file or directory accessible in multiple locations.
In a Unix-like operating system, the ln command can be used to create a symbolic link. For example, the command “ln -s /path/to/original/file /path/to/link” will create a symbolic link at the location “/path/to/link” that points to the file “/path/to/original/file”.
Symbolic links can be useful, but they can create security issues if they’re not managed properly, as they can be used to redirect access to a malicious file or to gain unauthorized access to sensitive information. The vulnerability covered in this post is one such example of improper handling of symbolic links.
Summary of CVE-2022-3656
According to a recent study conducted by Ron Masas, a security researcher from Imperva, Chrome and other Chromium-based browsers may be vulnerable to symbolic link attacks when handling file systems. In the study, Masas and his team examined the APIs commonly used for file uploads, such as the Drop Event, File Input, or File System Access API, and found that these browsers typically do not adequately address the handling of symbolic links. Despite the presence of safety measures, such as prompting for additional confirmation from the user when uploading large numbers of files, Ron Masas and his team discovered that when a file or folder is dropped onto a file input, it is handled differently. Specifically, symbolic links are processed and recursively resolved without any additional warning or confirmation for the user.
the issue arose from the way the browser interacted with symlinks when processing files and directories. Specifically, the browser did not properly check if the symlink was pointing to a location that was not intended to be accessible, which allowed for the theft of sensitive files.
– Ron Masas
Attackers could exploit this vulnerability when the victim uploads a file that contains a symlink to a sensitive file or folder on the victim’s computer to the attacker’s website. The attacker sets this up by tricking the victim into visiting a malicious website and downloading a file that contains a symlink to a sensitive file or folder on the victim’s computer.
Security researchers demonstrated in a video how an attacker could exploit this flaw. In that video, the researcher plays both the attacker and the victim. The attacker creates a malicious website, ‘localhost,’ that offers a new crypto wallet service. The victim browses the website to create a new wallet and downloads their “recovery” keys, which are actually a zip file containing a symlink to a sensitive file or folder on the victim’s computer, such as a cloud provider credential. When the victim unzips and uploads the “recovery” keys back to the website, the symlink is processed, and the attacker gains access to the sensitive file, while the victim may not even realize that anything is amiss.
How to Patch CVE-2022-3656 - A SymStealer Vulnerability in Google Chrome?
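The check described above as missing, whether a symlink points outside the location the user meant to share, can be run by hand on an unzipped folder before it is uploaded anywhere. The following Python sketch is an added example, not code from Chrome or from Imperva; the function names, the `recovery` folder and the file names are constructed for illustration.

```python
import os
import tempfile


def escaping_symlinks(root):
    """Return (link, resolved_target) for symlinks under root that resolve outside it."""
    root_real = os.path.realpath(root)
    found = []
    # followlinks=False: report linked directories, never descend into them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # follows chains of links
            if os.path.commonpath([root_real, target]) != root_real:
                found.append((os.path.relpath(path, root), target))
    return found


def build_sample(workdir):
    """Constructed sample: an unzipped 'recovery' folder holding two symlinks."""
    secret = os.path.join(workdir, "outside-secret.txt")  # stands in for a sensitive file
    with open(secret, "w") as f:
        f.write("constructed sample data\n")
    folder = os.path.join(workdir, "recovery")
    os.mkdir(folder)
    readme = os.path.join(folder, "readme.txt")
    with open(readme, "w") as f:
        f.write("ordinary file\n")
    os.symlink(readme, os.path.join(folder, "alias.txt"))     # stays inside: not flagged
    os.symlink(secret, os.path.join(folder, "recovery.key"))  # leaves the folder: flagged
    return folder, secret


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        folder, _ = build_sample(tmp)
        for link, target in escaping_symlinks(folder):
            print(f"{link} is a symlink resolving outside the folder: {target}")
```

Only the link that leaves the folder is reported; a link whose target stays inside the folder is left alone.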
This vulnerability is present in all the versions of Chrome and Chromium-based browsers less than v108. Google recommends Chrome users update their Chrome to the fixed version to avoid any consequences.
The updated version released by Google is Chrome 108.0.5359.94/.95. Chrome users are advised to install the security update immediately on whatever OS they use, including Windows, Mac, and Linux. Mac and Linux users are required to update to version 108.0.5359.94, and Windows users are required to update to 108.0.5359.94/.95.
How to Upgrade Chrome Browser?
Chrome normally applies updates in the background when you close and then reopen your browser. However, if you haven’t done this for a while, a pending update might be indicated by a colored icon.
There are several ways to upgrade Chrome Browser:
- Open Chrome Browser on your computer and click on the three dots in the top-right corner. Select “Help” and then “About Google Chrome.” This will check for updates and automatically download and install the latest version of Chrome.
- If you are running an older version of Chrome, you can download the latest version from the official Google Chrome website. Once downloaded, open the installer and follow the instructions to upgrade your browser.
- If you are using Chrome on a mobile device, you can update it from the App Store (iOS) or Google Play Store (Android). Open the App Store or Play Store, search for Google Chrome and select the update button.
- You can also use Chrome’s enterprise updating features if you are managing Chrome browsers in an enterprise environment.
It’s important to keep your browser up to date to take advantage of the latest features and security updates.
As general tips to lower the attack surface, keep your software up-to-date, patch all the vulnerabilities as much as you can, use password manager services to store passwords, use security solutions for malware protection, and use a hardware wallet to store your cryptocurrencies.