SymStealer vulnerability puts every Google Chrome user at risk
Simple symbolic links could be used to steal user data.
At the end of last year, the Imperva Red team discovered a vulnerability in the popular Google Chrome browser, tracked as CVE-2022-3656. At the time of disclosure it affected over 2.5 billion Chrome users and allowed attackers to steal sensitive files such as crypto wallets and cloud provider credentials.
The vulnerability was discovered while testing how the browser interacts with the file system, in particular while looking for common weaknesses in how browsers handle symbolic links. A symbolic link (symlink) is a type of file that points to another file or directory, so that the operating system treats the target as if it were located where the link is. This is useful for creating shortcuts, redirecting file paths, or organizing files more flexibly.
However, symbolic links can also introduce vulnerabilities if they are not handled properly. In the case of CVE-2022-3656, the browser failed to properly check whether a symbolic link pointed to a location that was not intended to be accessed, which allowed confidential files to be stolen.
An attacker can create a fake website offering, for example, a crypto wallet service, and during wallet creation ask the user to download so-called "recovery keys" to their computer. These keys are actually a zip file containing a symbolic link to a confidential file or folder on the user's computer, such as a cloud provider's credentials. When the user unzips the archive and uploads the recovery keys back to the website, the symbolic link is followed and the attacker receives the targeted confidential file. The user may not even realize that something is wrong: the website can look entirely legitimate, and downloading and re-uploading recovery keys is a normal practice for cryptocurrency wallets.
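The check that was missing here is the one any component accepting user-selected files should perform: inspect the path the user actually named, component by component, and refuse anything that is a symbolic link or that resolves outside the intended directory. The following is an added example written for this article, not code from Chrome or from Imperva; the upload directory, the file names and the "cloud-credentials.json" stand-in for a sensitive file are all constructed inside a temporary directory so the script runs offline.

```python
import os
import stat
import tempfile


def is_safe_upload(base_dir: str, candidate: str) -> bool:
    """Return True only if `candidate` (a path relative to `base_dir`) names a
    regular file that really lives inside `base_dir`, with no symlink in any
    path component below `base_dir`.  This is the check a file picker or
    upload handler needs so that a planted symlink cannot redirect the upload
    to a file the user never intended to share."""
    base = os.path.realpath(base_dir)
    # Lexical normalisation only (no symlink following) so that we inspect
    # exactly the components the supplied path names, including any "..".
    lexical = os.path.abspath(os.path.join(base, candidate))
    if os.path.commonpath([base, lexical]) != base:
        return False  # "../" traversal out of the upload directory
    rel = os.path.relpath(lexical, base)
    current = base
    st = None
    for part in rel.split(os.sep):
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)  # lstat: look at the link itself, not its target
        except FileNotFoundError:
            return False
        if stat.S_ISLNK(st.st_mode):
            return False  # a symlink anywhere in the path is rejected outright
    if st is None or not stat.S_ISREG(st.st_mode):
        return False  # directories, sockets, devices etc. are not uploadable files
    # Belt and braces: the fully resolved path must still sit under base_dir.
    return os.path.commonpath([base, os.path.realpath(lexical)]) == base


def demo() -> dict:
    """Build a constructed upload directory and run the check against a regular
    file, a symlink escaping the directory, a symlink staying inside it, a
    '..' traversal and a missing file.  Returns {case: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "uploads")
        os.makedirs(base)
        # Constructed stand-in for a sensitive file outside the upload directory.
        secret = os.path.join(tmp, "cloud-credentials.json")
        with open(secret, "w") as f:
            f.write("{}")
        with open(os.path.join(base, "recovery-keys.txt"), "w") as f:
            f.write("constructed sample content")
        # A symlink that points outside the directory (the CVE-2022-3656 pattern)
        os.symlink(secret, os.path.join(base, "recovery-keys.bak"))
        # A symlink whose target is inside the directory; still rejected, because
        # following links at all is what the fix removes.
        os.symlink(os.path.join(base, "recovery-keys.txt"),
                   os.path.join(base, "alias.txt"))
        return {
            "regular file": is_safe_upload(base, "recovery-keys.txt"),
            "symlink outside": is_safe_upload(base, "recovery-keys.bak"),
            "symlink inside": is_safe_upload(base, "alias.txt"),
            "traversal": is_safe_upload(base, "../cloud-credentials.json"),
            "missing": is_safe_upload(base, "nope.txt"),
        }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16s} -> {'accepted' if verdict else 'rejected'}")
```

Note that `os.lstat` is used instead of `os.stat` on every component: `stat` silently follows the link and would report the sensitive target as an ordinary file, which is exactly the mistake that makes symlink-based exfiltration possible.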
Google fully fixed the symbolic link vulnerability in Chrome version 108. To protect your crypto assets, keep your software up to date and avoid downloading questionable files or clicking links from untrustworthy sources.