The Chromium vulnerability (tracked as CVE-2022-3656), discovered by Imperva security researchers in July 2022 and patched in September, could still affect 2.5 billion users if they don't update their browsers.
The warning comes from Imperva's security researcher Ron Masas, who published a blog post about the flaw (commonly known as "SymStealer") on Wednesday.
In particular, the vulnerability allows for the theft of sensitive files, including crypto wallets and cloud provider credentials, by exploiting how browsers process symbolic links (symlinks).
"[Symlinks] can be useful for creating shortcuts, redirecting file paths, or organizing files in a more flexible way," Masas wrote.
"However, [they] can also introduce vulnerabilities if they are not handled properly. In the case of the vulnerability we disclosed to Google, the issue arose from the way the browser interacted with symlinks when processing files and directories."
In other words, because of the flaw, the browser did not correctly check whether a symlink pointed to a location that was not meant to be accessible, which in turn enabled the theft of sensitive files.
"This issue is commonly known as symbolic link following," explained Masas, who added the bug could be used by an attacker, for instance, to create a fake website that offers a new crypto wallet service.
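To make the symbolic-link-following check concrete, here is an added illustration (example code written for this article, not Imperva's proof-of-concept or Chromium's code) of how software that ingests a user-chosen directory should treat each symlink: resolve it and refuse any entry whose real target lies outside the chosen folder. The folder layout, file names and "secret" are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


def safe_collect(root: str) -> tuple[list[str], list[str]]:
    """Walk `root` (a directory the user chose to hand over) and return
    (accepted, rejected) paths relative to it. Every symlink is resolved
    first; an entry whose real target lies outside `root` is rejected
    rather than read, which is the check the vulnerable code lacked."""
    root_path = Path(root).resolve()
    accepted, rejected = [], []
    for dirpath, dirnames, filenames in os.walk(root_path, followlinks=False):
        here = Path(dirpath)
        for name in filenames + dirnames:
            entry = here / name
            rel = str(entry.relative_to(root_path))
            if entry.is_symlink():
                target = entry.resolve()  # follows the whole chain of links
                try:
                    target.relative_to(root_path)
                except ValueError:  # target escapes the chosen directory
                    rejected.append(rel)
                    continue
                if target.is_file():
                    accepted.append(rel)  # link stays inside root: safe to read
                # symlinked directories are neither descended nor accepted here
            elif entry.is_file():
                accepted.append(rel)
    return sorted(accepted), sorted(rejected)


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: a 'wallet' folder containing a real keystore,
    an internal symlink (harmless) and two symlinks that point at a secret
    outside the folder, the pattern the article describes."""
    base = Path(tempfile.mkdtemp())
    home = base / "home"
    home.mkdir()
    (home / "credentials").write_text("constructed secret, not a real key\n")
    wallet = base / "wallet"
    wallet.mkdir()
    (wallet / "keystore.json").write_text("{}\n")
    (wallet / "copy.json").symlink_to(wallet / "keystore.json")  # stays inside
    (wallet / "recovery.txt").symlink_to(home / "credentials")   # escapes
    (wallet / "home").symlink_to(home)                           # escapes (dir)
    return safe_collect(str(wallet))


if __name__ == "__main__":
    print(demo())  # (['copy.json', 'keystore.json'], ['home', 'recovery.txt'])
```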
After discovering the vulnerability, Imperva posted a proof-of-concept to the Chromium bug tracker, showing how such an attack could occur in the wild.
"After disclosing the vulnerability to Google, the Imperva team found that the first fix, introduced in Chrome 107, did not fully address the issue," Masas revealed.
"The team notified Google of this, and the issue was fully resolved in Chrome 108. It is important to always keep your software up to date in order to protect against the latest vulnerabilities and ensure that your personal and financial information remains secure."
SymStealer is only the latest Chrome vulnerability discovered in recent months. In September 2022, developer Jeff Johnson found a flaw that would allow web pages to replace the content of the system clipboard without the user's consent or interaction.
More recently, Google patched a zero-day vulnerability (tracked CVE-2022-4135) that could potentially enable attackers to corrupt data and remotely execute code on a victim's machine.