Security News > 2023 > January > Experts Detail Chromium Browser Security Flaw Putting Confidential Data at Risk

Details have emerged about a now-patched vulnerability in Google Chrome and Chromium-based browsers that, if successfully exploited, could have made it possible to siphon files containing confidential data.

"The issue arose from the way the browser interacted with symlinks when processing files and directories," Imperva researcher Ron Masas said.

"Specifically, the browser did not properly check if the symlink was pointing to a location that was not intended to be accessible, which allowed for the theft of sensitive files."

Google characterized the medium-severity issue as a case of insufficient data validation in File System, releasing fixes for it in versions 107 and 108 released in October and November 2022.

Imperva's analysis of Chrome's file handling mechanism found that when a user directly dragged and dropped a folder onto a file input element, the browser resolved all the symlinks recursively without presenting any warning.

In a hypothetical attack, a threat actor could trick a victim into visiting a bogus website and downloading a ZIP archive file containing a symlink to a valuable file or folder on the computer, such as wallet keys and credentials.

News URL

https://thehackernews.com/2023/01/experts-detail-chromium-browser.html