CyberWire Daily - Files stolen from a sneaky SymStealer. [Research Saturday]

Episode Date: March 11, 2023

Ron Masas of Imperva discusses their work, "Google Chrome “SymStealer” Vulnerability: How to Protect Your Files from Being Stolen." By reviewing the ways the browser handles file systems, specifically searching for common vulnerabilities relating to how browsers process symlinks, the Imperva Red Team discovered that when files are dropped onto a file input, they are handled differently. Tracked as CVE-2022-40764, the vulnerability "allowed for the theft of sensitive files, such as crypto wallets and cloud provider credentials." As a result, over 2.5 billion users of Google Chrome and Chromium-based browsers were affected. The research can be found here: Google Chrome “SymStealer” Vulnerability: How to Protect Your Files from Being Stolen

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
Starting point is 00:01:07 tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. And this specific research was targeted to the Chromium browser, which is the open source version of Chrome, which is also the foundation for many of the popular browsers that are used today. That's Ron Masas. He's a lead vulnerability researcher at Imperva.
Starting point is 00:01:43 The research we're discussing today is titled Google Chrome SymStealer Vulnerability: How to Protect Your Files from Being Stolen. And yeah, we just wanted to really map out all the ways that the browser can interact with the user file system and explore these mechanisms to better understand how they handle symbolic links. So at the root of the issue here, as you mentioned, is this notion of symlinks, symbolic links. Can you describe to us, for folks who may not be familiar with that, what are we talking about here? Sure. So a symbolic link is essentially a type of file
Starting point is 00:02:31 that is a reference to another file or a directory. And they're usually used for bookmarks or shortcuts, but they could have very bad security consequences if they're not handled correctly. And so how are Chrome and Chromium set up to handle them? So usually the right way to handle them is to ignore them. And when we looked at the Chromium and Chrome browser, they usually do just that.
Starting point is 00:03:04 So if you ask any developer, what's the way that you can interact with the user file system? There are typically three ways. So there is the HTML input with the type equals file, which is the most basic way to upload files from the user. We have the drop event. So this is where the user drops a file to the screen or folder. And we have the new JavaScript API, the file system access API, which is just a new
Starting point is 00:03:35 way to do it with JavaScript. And all those APIs handle symbolic links correctly. So they usually ignore them. And so what was the issue here? So while I was testing this and I set up my testing environment so that I have all those integrations working, I accidentally dropped a file onto the HTML file input. So, apparently, when you drop a file onto the HTML file input,
Starting point is 00:04:10 there is a completely separate code that handles this case. And this code doesn't account for symlinks. It actually recursively resolves them. Well, then let's walk through the implications of that.
Starting point is 00:04:27 In your research here, you all lay out a possible attack scenario. Can you share that with us? So we came up with a few attack scenarios. It's also, I think, important to note that there are other security mechanisms for when you upload files, so a large amount of files. So, for example, if you try to upload a folder that contains, let's say, 100 files, the browser will typically show you a pop-up message
Starting point is 00:04:52 saying, are you sure you want to upload this amount of files? So I just wanted to highlight that this file also bypasses all of those security mechanisms. Oh, interesting. So back to the explanation on the attack scenario itself. The way it goes is like this. Because we found a way to recursively resolve symbolic links, this means that if we get a user to upload to our website
Starting point is 00:05:20 a folder that contains symbolic links, the symbolic links could be even inside of hidden folders, we will be able to access any file on the operating system. So the attack scenario was, we took the example of a crypto wallet generator. So if you ever created a crypto wallet, you typically get like the seed phrase. This is used to recover your wallet
Starting point is 00:05:52 in case you lost your keys. And the way we wanted to exploit this is by downloading a zip file that contained these recovery keys and ask the user to upload it back to prove that they have the recovery keys. And this sounds okay because you just downloaded these files from the Internet, so what harm can be done by uploading them back, right? Right.
Starting point is 00:06:19 But if you do that, you actually upload the symbolic links that point to your private keys, your cloud credentials or other sensitive files.
Starting point is 00:07:48 In this scenario, would you be linking to files that you presume are on the person's system? Yeah, and because the symbolic link is getting resolved recursively, you can just link to a different directory. So you can do like ../ and actually get access to all the files that are before the downloads folder, for example. Wow. So you all reached out to Google about this and they were responsive. Yeah. So we reported the vulnerability to Google. We showed the proof of concept,
Starting point is 00:08:38 we explained the issue and they fixed it. But it did take a couple rounds to get it completely resolved. Yeah, after the first fix, we took a look and we noticed that in some cases, if the symbolic link is not relative, then the issue can still be exploited. So we reported it back to them and they handled it in the next version. I think this research here really speaks to the fascinating reality that it seems to me that in this case, you were doing some work and you just sort of
Starting point is 00:09:20 stumbled across this. You accidentally triggered a behavior unintentionally that led you down this path. Yeah, definitely. I think that in the end, we will get to it because we were also looking at the source code and trying to figure out
Starting point is 00:09:37 what are all the ways that the browser interacts with the file system. But definitely, trying out the APIs helped to speed this process up and find this. But yeah. Was it surprising to you that it was a different code behind dragging and dropping something rather than the other ways to access files? Yeah, it was really surprising, but the
Starting point is 00:10:04 Chromium source code is huge, and there are so many components and different things, so it makes sense that as they add more things, the code just accumulates, and it opens up the possibility for such vulnerabilities. So what are your recommendations here for folks to best protect themselves? Yeah, so I think the best recommendation is keep your system up to date.
Starting point is 00:10:31 But also if we look at this case specifically, I would say be wary of websites or people asking you to do things that you wouldn't normally do. So in this example, downloading something and uploading it back, even if it sounds safe, you might be able to notice that there is something weird going on and should avoid it.
Starting point is 00:11:03 That's Ron Masas from Imperva. The research is titled Google Chrome SymStealer Vulnerability: How to Protect Your Files from Being Stolen. We'll have a link in the show notes. Thank you. Thanks for listening.
