Vulnerability puts data of 2.5 billion Chrome users at risk

    Data of about 2.5 billion users have been put to risk because of a vulnerability in Google Chrome and chromium browsers. A security firm named Imperva Red has issued a warning that the flaw that has been technically dubbed as ‘CVE-2022-365’ allows hackers to steal information such as cloud based credentials and sensitive files from e-wallets.

    Imperva Red issued a blog update on this note and essayed that hackers could induce a ‘Symlink-Symbolic Link’ into the directory that allows the OS to treat it as a file linked to a location in directory, which is not in reality.

    Symlinks can lead to flaws when mis-handled and can allow the threat actors siphon data from browsers, an act not intended in actual.

    With Chrome, the susceptibility arises when the browser interacts with the symlink to process files and directories without checking for the authenticity of the location of the Symbolic link in a file or directory.

    How does this affect the users of Chrome, then?

    Researchers state the hacker can create a fake website that is into the business of crypto wallet and urge users to creating a new wallet via download of recovery keys. These keys can contain zip files loaded with Symlinks connected to sensitive files or folders from the computer. This, when a user unzips the file, the upload of keys back to the website can allow a threat actor to gain access to sensitive files, leading to privacy concerns.

    Google Chrome response

    In response to the alert provided by Imperva Red, the web service provider issued an update that the flaw was addressed in the latest release of Chrome 108 and is thus urging its users to keep their software updated with security covers to all discovered vulnerabilities, such as those arising from Soft links( symlinks).

    Ad
    Join over 500,000 cybersecurity professionals in our LinkedIn group "Information Security Community"!
    Naveen Goud
    Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security

    No posts to display