• Menu
  • Skip to main content
  • Skip to primary sidebar

The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
experts detail chromium browser security flaw putting confidential data at

Experts Detail Chromium Browser Security Flaw Putting Confidential Data at Risk

You are here: Home / General Cyber Security News / Experts Detail Chromium Browser Security Flaw Putting Confidential Data at Risk
January 12, 2023

Specifics have emerged about a now-patched vulnerability in Google Chrome and Chromium-dependent browsers that, if productively exploited, could have made it attainable to siphon files made up of private knowledge.

“The issue arose from the way the browser interacted with symlinks when processing information and directories,” Imperva researcher Ron Masas claimed. “Especially, the browser did not correctly look at if the symlink was pointing to a spot that was not meant to be obtainable, which authorized for the theft of delicate files.”

Google characterised the medium-severity issue (CVE-2022-3656) as a case of insufficient knowledge validation in File Process, releasing fixes for it in variations 107 and 108 unveiled in Oct and November 2022.

✔ Approved From Our Partners
AOMEI Backupper Lifetime

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code


Dubbed SymStealer, the vulnerability, at its core, relates to a type of weakness acknowledged as symbolic hyperlink (aka symlink) subsequent, which occurs when an attacker abuses the feature to bypass the file process constraints of a program to run on unauthorized files.

Imperva’s assessment of Chrome’s file managing mechanism (and by extension Chromium) identified that when a person immediately dragged and dropped a folder onto a file enter ingredient, the browser solved all the symlinks recursively devoid of presenting any warning.

In a hypothetical attack, a threat actor could trick a target into traveling to a bogus web page and downloading a ZIP archive file containing a symlink to a precious file or folder on the pc, these as wallet keys and credentials.

When the exact same symlink file is uploaded back to the web-site as aspect of the infection chain – e.g., a crypto wallet service that prompts consumers to upload their restoration keys – the vulnerability could be exploited to obtain the actual file storing the vital phrase by traversing the symbolic connection.

To make it even much more reputable, a evidence-of-notion (PoC) devised by Imperva employs CSS trickery to change the measurement of the file enter factor these kinds of that the file add is activated irrespective of the place the folder is dropped on the web page, efficiently letting for information and facts theft.

“Hackers are more and more focusing on folks and organizations holding cryptocurrencies, as these electronic property can be remarkably beneficial,” Masas said. “1 common tactic employed by hackers is to exploit vulnerabilities in computer software […] in buy to gain entry to crypto wallets and steal the money they comprise.”

Observed this posting attention-grabbing? Abide by us on Twitter  and LinkedIn to read through more unique information we article.


Some parts of this report are sourced from:
thehackernews.com

Previous Post: «patch where it hurts: effective vulnerability management in 2023 Patch where it Hurts: Effective Vulnerability Management in 2023
Next Post: Royal Mail Halts International Deliveries After Cyber-Incident Cyber Security News»

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Report This Article

Recent Posts

  • Cybercriminals Using New ASMCrypt Malware Loader Flying Under the Radar
  • Lazarus Group Impersonates Recruiter from Meta to Target Spanish Aerospace Firm
  • Post-Quantum Cryptography: Finally Real in Consumer Apps?
  • Microsoft’s AI-Powered Bing Chat Ads May Lead Users to Malware-Distributing Sites
  • Progress Software Releases Urgent Hotfixes for Multiple Security Flaws in WS_FTP Server
  • Cisco Warns of Vulnerability in IOS and IOS XE Software After Exploitation Attempts
  • GitHub Repositories Hit by Password-Stealing Commits Disguised as Dependabot Contributions
  • China’s BlackTech Hacking Group Exploited Routers to Target U.S. and Japanese Companies
  • The Dark Side of Browser Isolation – and the Next Generation Browser Security Technologies
  • China-Linked Budworm Targeting Middle Eastern Telco and Asian Government Agencies

Copyright © TheCyberSecurity.News, All Rights Reserved.