When a security vulnerability is discovered in any popular application or service, it has the potential to put many internet users at risk. This is particularly true when a single browser enjoys significant market dominance—and the popularity of Chromium, used by nearly two-thirds (65.74%) of internet browsers, dramatically increases the likelihood of a vulnerability impacting a large number of users.
The Imperva Red Team discovered a vulnerability in Google Chrome and Chromium-based browsers that threatened a staggering 2.5 billion users—and could have led to the theft of sensitive files, including crypto wallets or cloud provider credentials. Understanding how this vulnerability works and recognizing the risks associated with incorrectly processed symlinks can help the 20% of Americans that hold cryptocurrency safeguard their investments and confidential data, as well as identify potentially malicious behavior.
Vulnerable Symlinks Capable of Providing Crypto Keys
The CVE-2022-3656 vulnerability, dubbed “SymStealer,” was discovered during a review of how Chrome and other Chromium-based browsers, such as Microsoft Edge and Mozilla FireFox, interact with file systems and directories. In particular, the researcher focused on how the browser processes symlinks.
A symlink (short for “symbolic link”) is a type of file that links to another file or directory, allowing the operating system to treat the secondary asset as if it lived at the symlink’s location. Symlinks are frequently used when redirecting file paths, creating shortcuts, or organizing files, making them critical to browser operability. The problem arises when they are not effectively managed or verified.In the case of CVE-2022-3656, the browser did not adequately confirm whether the symlink was directed to a location that was actually intended to be accessible. This has the potential to allow threat actors to access prohibited files and steal sensitive data. This practice is referred to as symbolic link following. When inspecting the APIs commonly used for file uploads, it was discovered that, under certain circumstances, the browser incorrectly processed symbolic links, recursively resolving them without any additional warning or confirmation for the user. Normally, these APIs have extra safety measures in place, such as asking for additional confirmation if a user attempts to upload a significant number of files at once.
In practice, this incorrect processing presented another attack vector for threat actors to exploit. For instance, crypto wallets and other online services often require users who lose access to their account to download “recovery” keys which can then be uploaded to the website as a form of authentication. A threat actor could take advantage of this by creating a false crypto wallet website and tricking an unsuspecting victim into creating a new wallet by asking them to download what appear to be basic recovery keys.
In reality, these keys would be a zip file containing a symlink to sensitive data on the user’s computer. When the file is unzipped and uploaded to the fake website, that symlink would be instantly processed, providing the threat actor with easy access to the sensitive information contained within the file—which they could then use to conduct an attack. In short, because Chromium-based browsers immediately process symlinks without any secondary authentication, users can be easily tricked into giving cybercriminals direct access to their most valuable information without realizing it. This makes vulnerabilities such as CVE-2022-3656 particularly concerning and dangerous.
When in Doubt, Skip the Download and Bolster Defenses
After disclosing the vulnerability to Google, a fix was issued in the Chrome 107 update. However, when retested, the researcher found that the vulnerability had not been fully addressed—in fact, it was not until the release of Chrome 108 that the issue was ultimately resolved. Google characterized CVE-2022-3656 as medium-severity and noted it as a case of insufficient data validation.
Despite this particular vulnerability being patched, the high value that digital assets like cryptocurrency have on the dark web means those who hold them remain targets for cybercriminal activity. Individuals and organizations holding cryptocurrencies must remain on high alert and should take necessary precautions to safeguard their credentials and prevent access to their digital assets.
Most critically, it’s important to maintain good digital hygiene. Keep software updated and avoid downloading files or clicking links from untrusted sources. Users should consider using hardware wallets not connected to the internet when storing cryptocurrency, as they are less vulnerable to hacking attempts. Additionally, protections like multifactor authentication (MFA) and password managers that can generate strong, unique passwords for crypto accounts should be used whenever possible in order to reduce the risk of theft from hackers.
Don’t Leave Your Digital Security to Chance
New vulnerabilities and attack vectors are constantly emerging in today’s increasingly digitized world, and both organizations and individuals must take the necessary steps to protect themselves and their assets. It is not enough to wait for a patch or trust currency exchanges to keep crypto holdings safe. Users need to remain vigilant, follow accepted best practices, and avoid putting themselves in a vulnerable position. The SymStealer vulnerability is a reminder that users must be proactive against suspicious cyber activity, especially when sensitive cryptocurrency or data is involved.
About the author: Ron Masas is the Lead Vulnerability Researcher at Imperva focusing on discovering security vulnerabilities in popular applications and services. His work enables Imperva customers and others to stay ahead of the threat landscape. Masas started his career as a software engineer at Contineo, CA Group, and Trafficpoint. He later transitioned into security and vulnerability research, working at Palo Alto Networks and Checkmarx.