Friday, May 24, 2024

SymStealer Vulnerability Let Attacker Steal Login Credentials from Google Chrome

The SymStealer vulnerability CVE-2022-3656, newly disclosed by the Imperva Red Team, affects over 2.5 billion users of Google Chrome and Chromium-based browsers. Reports say sensitive files, including cloud provider user credentials and crypto wallets, might have been stolen due to this flaw.

Chrome has a market share of 65.52%, making it the most popular browser. Chromium, the open-source variant of Chrome, is the foundation of two additional top-6 browsers, Edge and Opera, increasing Chromium’s market share to over 70%.

Details of SymStealer Vulnerability

The bug was given the name SymStealer by Imperva researchers. The problem arises when an attacker uses the File System to access unauthorized files and get around programme limitations.

Imperva’s analysis revealed that when a user drags and drops a folder directly onto a file input element, the browser recursively resolves all symlinks without displaying a warning.

“During our testing, we found that when you drop a file or folder onto a file input, it’s handled differently. Symbolic links are processed, recursively resolved, and there’s no extra warning or confirmation for the user”, Imperva Red Team.

A file type that points to another file or directory is called a “symlink” often known as a symbolic link. By doing this, the operating system is able to handle the linked file or directory as if it were actually there where the symlink is. 

Shortcuts, rerouting file paths, and more flexible file organization can all be accomplished using this.

Requesting that the user download their “recovery” keys could lead to the website tricking the user into creating a new wallet.

In reality, these keys would be a zip file with a symlink to a sensitive file or folder on the user’s computer, like cloud provider credentials. 

The symlink would be activated and the attacker would have access to the sensitive file after the victim unzips and uploads the “recovery” keys back to the website. 

The website may be made to look authentic, and the process of obtaining and uploading the “recovery” keys could seem regular, so the user could not even be aware that anything is wrong.

To access their accounts, customers of many online services, including crypto wallets, must download “recovery” keys.

“The attacker would take advantage of this common practice by providing the user with a zip file containing a symlink instead of actual recovery keys. When the user unzips and uploads the file, the symlink would be processed, allowing the attacker to gain access to sensitive files on the user’s computer”, explains the researchers.

The size of the file input element was modified by Imperva researchers using CSS so that the file uploads regardless of where the folder is dropped on the page.

Final Word

Hackers frequently utilize software flaws, like the one recently publicly disclosed, to get access to cryptocurrency wallets and steal the money they contain.

It’s crucial to keep your software updated and to stop downloading files or clicking on links from unauthorized sources if you want to secure your cryptocurrency assets. 

A hardware wallet is another smart choice for storing your cryptocurrency because it is not connected to the internet, making it less susceptible to hacking attacks.

To create secure, unique passwords for your crypto accounts, researchers recommend using a password manager and also turning on two-factor authentication is essential.

Network Security Checklist – Download Free E-Book


Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles