Imperva, a leader in the digital security space, has revealed a new vulnerability dubbed CVE-2022-40764. Discovered by Imperva’s Threat Research Team, it has been found to affect more than 2.5 billion users of Google Chrome and Chromium-based browsers.
The vulnerability stems from the way these browsers process symbolic links, or symlinks. Normally used to point to another file or directory, these links are useful for creating shortcuts or re-organising files. However, they usually come with warnings that a user might be linking to sensitive data. In the new vulnerability, attackers can avoid triggering these warnings, meaning they can use symlinks to directly access users’ sensitive files, e.g. by offering fake ‘recovery’ keys.
This approach could be used to access anything from crypto wallets to cloud provider credentials. Given that between them Chrome and Chromium-based browsers account for more than 70% of market share, the potential consequences of this vulnerability could be huge. Fortunately, Imperva has reported the vulnerability to Google and it was resolved in Chrome 108. However, this means that updating Chrome is essential if individuals and organisations want to avoid falling victim to these symlink attacks.