SymStealer Vulnerability Let Attacker Steal Login Credentials from Google Chrome

The SymStealer vulnerability, CVE-2022-3656, disclosed by the Imperva Red Team, affects Google Chrome and Chromium-based browsers, which together serve over 2.5 billion users. Imperva reports that sensitive files, including cloud provider credentials and crypto wallet data, could be stolen through the flaw.

Chrome has a market share of 65.52%, making it the most popular browser. Chromium, the open-source project on which Chrome is built, also underpins two other top-6 browsers, Edge and Opera, bringing Chromium's combined share to over 70%.

Details of SymStealer Vulnerability

Imperva researchers named the bug SymStealer. It stems from the way the browser handled symbolic links when processing files and directories handed to it through the file system: an attacker can use a symlink to reach files outside what the user intended to share and bypass the browser's file-access restrictions. The CVE entry classifies it as insufficient data validation in File System.

Imperva’s analysis revealed that when a user drags and drops a folder directly onto a file input element, the browser recursively resolves all symlinks without displaying a warning.

“During our testing, we found that when you drop a file or folder onto a file input, it’s handled differently. Symbolic links are processed, recursively resolved, and there’s no extra warning or confirmation for the user”, Imperva Red Team.

A symlink, or symbolic link, is a file that points to another file or directory. The operating system treats the linked file or directory as if it were located where the symlink is, which is useful for shortcuts, redirecting file paths, and more flexible file organization.
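To make the behaviour concrete, the following Python script (an added example, not Imperva's or Chromium's code) builds a constructed folder containing a symlink that points outside it, then compares a recursive collector that resolves symlinks, as the browser did when a folder was dropped on a file input, with a hardened collector that refuses them. The file names and contents are constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path


def build_victim_layout(root: Path) -> Path:
    """Create a constructed victim layout under `root`.

    root/.aws/credentials            -- the sensitive file (fake contents)
    root/recovery_keys/              -- the folder the victim is tricked into uploading
    root/recovery_keys/keys.txt      -> ../.aws/credentials (the planted symlink)
    """
    secret = root / ".aws" / "credentials"
    secret.parent.mkdir(parents=True)
    secret.write_text("[default]\naws_access_key_id = AKIAEXAMPLE\n")  # constructed

    upload_dir = root / "recovery_keys"
    upload_dir.mkdir()
    (upload_dir / "README.txt").write_text("Upload this folder to restore your wallet.\n")
    os.symlink(os.path.join("..", ".aws", "credentials"), upload_dir / "keys.txt")
    return upload_dir


def collect_following_symlinks(folder: Path) -> dict:
    """Browser-like behaviour before the fix: walk the folder recursively and
    read every entry through any symlink it meets. Returns {relative_path: bytes}."""
    files = {}
    for dirpath, _dirnames, filenames in os.walk(folder, followlinks=True):
        for name in filenames:
            p = Path(dirpath) / name
            files[str(p.relative_to(folder))] = p.read_bytes()  # follows the link
    return files


def collect_refusing_symlinks(folder: Path) -> tuple:
    """Hardened traversal: lstat each entry, skip anything that is a symlink
    (file or directory) and report it instead of resolving it."""
    files, skipped = {}, []
    for dirpath, dirnames, filenames in os.walk(folder, followlinks=False):
        # prune symlinked directories so os.walk never descends into them
        dirnames[:] = [d for d in dirnames if not os.path.islink(Path(dirpath) / d)]
        for name in filenames:
            p = Path(dirpath) / name
            rel = str(p.relative_to(folder))
            if stat.S_ISLNK(os.lstat(p).st_mode):
                skipped.append(rel)
                continue
            files[rel] = p.read_bytes()
    return files, skipped


def demo() -> dict:
    """Run both collectors over the constructed layout and summarise the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = build_victim_layout(Path(tmp))
        leaked = collect_following_symlinks(upload_dir)
        safe, skipped = collect_refusing_symlinks(upload_dir)
        return {
            # the symlink-following collector hands over the credentials file
            "leaked_credentials": b"aws_access_key_id" in leaked.get("keys.txt", b""),
            # the hardened collector never reads through the link
            "safe_has_keys_txt": "keys.txt" in safe,
            "skipped": skipped,
        }


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is that nothing in the uploaded folder itself looks suspicious: `keys.txt` is a valid entry, and only an `lstat` on each entry (rather than `stat`, which follows the link) reveals that its content lives elsewhere.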

In Imperva's scenario, an attacker sets up a fake website offering a new crypto wallet service, tricks the user into creating a wallet, and then asks them to download their "recovery" keys.

In reality, these keys would be a zip file with a symlink to a sensitive file or folder on the user’s computer, like cloud provider credentials. 

Once the victim unzips the "recovery" keys and uploads them back to the website, the symlink is processed and the attacker receives the contents of the sensitive file. 

The website could be made to look authentic, and downloading and re-uploading "recovery" keys is a routine step for such services, so the user might not even be aware that anything is wrong.

To access their accounts, customers of many online services, including crypto wallets, must download “recovery” keys.

“The attacker would take advantage of this common practice by providing the user with a zip file containing a symlink instead of actual recovery keys. When the user unzips and uploads the file, the symlink would be processed, allowing the attacker to gain access to sensitive files on the user’s computer”, explains the researchers.
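The delivery vehicle in this scenario is an ordinary zip archive whose entry is marked as a symlink. The Python below (an added example, not code from Imperva or the page) builds such an archive in memory so the structure is visible, and then shows the check a download gateway or an upload endpoint that accepts "recovery key" archives can run before anything is extracted: flag any entry whose Unix mode bits say it is a symbolic link. The entry names and the `../.aws/credentials` target are constructed for the demonstration.

```python
import io
import stat
import zipfile


def build_recovery_zip(target: str = "../.aws/credentials", include_symlink: bool = True) -> bytes:
    """Construct the attacker's 'recovery keys' archive in memory.

    The archive holds one ordinary file and, optionally, one entry whose Unix
    mode bits (stored in the high 16 bits of external_attr) mark it as a
    symbolic link. For a symlink entry the entry *contents* are the link
    target path; Unix unzip tools recreate that as a real symlink on disk.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("recovery_keys/README.txt", "Upload this folder to restore your wallet.\n")
        if include_symlink:
            link = zipfile.ZipInfo("recovery_keys/keys.txt")
            link.create_system = 3                          # 3 = Unix, so mode bits are honoured
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, target)                       # body of a symlink entry = its target
    return buf.getvalue()


def symlink_entries(zip_bytes: bytes) -> list:
    """Return (name, target) for every symlink entry in the archive.

    Run this on the raw archive before extraction; once a symlink has been
    written to disk, any later recursive read of the folder may follow it.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if info.create_system == 3 and stat.S_ISLNK(mode):
                found.append((info.filename, zf.read(info).decode(errors="replace")))
    return found


def is_safe_archive(zip_bytes: bytes) -> bool:
    """Policy: reject any archive that contains symlink entries."""
    return not symlink_entries(zip_bytes)


if __name__ == "__main__":
    payload = build_recovery_zip()
    print(symlink_entries(payload))   # [('recovery_keys/keys.txt', '../.aws/credentials')]
    print(is_safe_archive(payload))   # False
    print(is_safe_archive(build_recovery_zip(include_symlink=False)))  # True
```

Note that Python's own `zipfile.extractall` does not recreate symlinks (it writes the target path as file content), so the archive looks harmless if you only test it with Python; the risk is on the victim's machine, where the OS unzip tool does create the link.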

Imperva's researchers also used CSS to resize the file input element so that a folder dropped anywhere on the page lands on the input and is uploaded.

Final Word

Attackers frequently use software flaws like this one to gain access to cryptocurrency wallets and steal the funds they hold.

Keeping your software updated is essential: the fix for CVE-2022-3656 shipped in Chrome 107, and Imperva reported that the issue was fully resolved in Chrome 108, so any current build is patched. Avoid downloading files or clicking links from untrusted sources if you want to secure your cryptocurrency assets. 

A hardware wallet is another smart choice for storing your cryptocurrency because it is not connected to the internet, making it less susceptible to hacking attacks.

Researchers also recommend using a password manager to create strong, unique passwords for your crypto accounts, and enabling two-factor authentication is essential.


Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
