Tuesday, May 20, 2025
HomeCyber security CourseSymStealer Vulnerability Let Attacker Steal Login Credentials from Google Chrome

SymStealer Vulnerability Let Attacker Steal Login Credentials from Google Chrome

Published on

SIEM as a Service

Follow Us on Google News

The SymStealer vulnerability CVE-2022-3656, newly disclosed by the Imperva Red Team, affects over 2.5 billion users of Google Chrome and Chromium-based browsers. Reports say sensitive files, including cloud provider user credentials and crypto wallets, might have been stolen due to this flaw.

Chrome has a market share of 65.52%, making it the most popular browser. Chromium, the open-source variant of Chrome, is the foundation of two additional top-6 browsers, Edge and Opera, increasing Chromium’s market share to over 70%.

Details of SymStealer Vulnerability

The bug was given the name SymStealer by Imperva researchers. The problem arises when an attacker uses the File System to access unauthorized files and get around programme limitations.

- Advertisement - Google News

Imperva’s analysis revealed that when a user drags and drops a folder directly onto a file input element, the browser recursively resolves all symlinks without displaying a warning.

“During our testing, we found that when you drop a file or folder onto a file input, it’s handled differently. Symbolic links are processed, recursively resolved, and there’s no extra warning or confirmation for the user”, Imperva Red Team.

A file type that points to another file or directory is called a “symlink” often known as a symbolic link. By doing this, the operating system is able to handle the linked file or directory as if it were actually there where the symlink is. 

Shortcuts, rerouting file paths, and more flexible file organization can all be accomplished using this.

Requesting that the user download their “recovery” keys could lead to the website tricking the user into creating a new wallet.

In reality, these keys would be a zip file with a symlink to a sensitive file or folder on the user’s computer, like cloud provider credentials. 

The symlink would be activated and the attacker would have access to the sensitive file after the victim unzips and uploads the “recovery” keys back to the website. 

The website may be made to look authentic, and the process of obtaining and uploading the “recovery” keys could seem regular, so the user could not even be aware that anything is wrong.

To access their accounts, customers of many online services, including crypto wallets, must download “recovery” keys.

“The attacker would take advantage of this common practice by providing the user with a zip file containing a symlink instead of actual recovery keys. When the user unzips and uploads the file, the symlink would be processed, allowing the attacker to gain access to sensitive files on the user’s computer”, explains the researchers.

The size of the file input element was modified by Imperva researchers using CSS so that the file uploads regardless of where the folder is dropped on the page.

Final Word

Hackers frequently utilize software flaws, like the one recently publicly disclosed, to get access to cryptocurrency wallets and steal the money they contain.

It’s crucial to keep your software updated and to stop downloading files or clicking on links from unauthorized sources if you want to secure your cryptocurrency assets. 

A hardware wallet is another smart choice for storing your cryptocurrency because it is not connected to the internet, making it less susceptible to hacking attacks.

To create secure, unique passwords for your crypto accounts, researchers recommend using a password manager and also turning on two-factor authentication is essential.

Network Security Checklist – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

New Phishing Attack Poses as Zoom Meeting Invites to Steal Login Credentials

A newly identified phishing campaign is targeting unsuspecting users by masquerading as urgent Zoom...

New Hannibal Stealer Uses Stealth and Obfuscation to Evade Detection

A newly identified piece of malware, dubbed the "Hannibal Stealer," has emerged as a...

Chinese APT Hackers Target Organizations Using Korplug Loaders and Malicious USB Drives

Advanced persistent threat (APT) groups with ties to China have become persistent players in...

Cache Timing Techniques Used to Bypass Windows 11 KASLR and Reveal Kernel Base

Cache timing side-channel attacks have been used to circumvent Kernel Address Space Layout Randomization...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Auth0-PHP Vulnerability Enables Unauthorized Access for Attackers

Critical security vulnerability has been discovered in the Auth0-PHP SDK that could potentially allow...

Active Exploitation of Ivanti EPMM Zero-Day Vulnerability in the Wild

Security researchers at The Shadowserver Foundation have identified active exploitation attempts targeting a critical...

Confluence Servers Under Attack: Hackers Leverage Vulnerability for RDP Access and Remote Code Execution

Threat actors exploited a known vulnerability, CVE-2023-22527, a template injection flaw in Atlassian Confluence...