Google Chrome Security Flaw Could Affect Billions of Users — Update Now

A new high-severity vulnerability affecting Chromium-based browsers such as Google Chrome and Microsoft Edge has been discovered.

Named SymStealer and tracked as CVE-2022-3656, the vulnerability was first discovered by security researchers at Imperva. Chrome has over 2.5 billion users, and those not using the latest version could be at risk of a potential attack.

If exploited, an attacker could use this vulnerability to steal sensitive files containing banking and crypto wallet credentials from a user's computer and exfiltrate their account.

Chrome's popularity has many advantages, including compatibility and frequent security audits, but as the most widely used browser with a 65.52% market share, according to Imperva's blog post, it is also an attractive target for hackers and other cybercriminals.

The vulnerability itself concerns symbolic links, a type of file that points to another file or directory. Symbolic links are often used to create shortcuts, redirect file paths, or organize files in a more flexible way. However, they can also introduce vulnerabilities.

Imperva researchers discovered an issue in Chrome where the browser does not properly check whether a symbolic link points to a location that should be inaccessible. This allows attackers to steal sensitive files from the victim's machine.

In one of the attack scenarios presented by the company, an attacker could create a fake website offering a new crypto wallet service. This website could trick the user into creating a new wallet by asking them to download a recovery key.

Even though the user thinks he or she is downloading a key, the file itself actually contains a symbolic link to a confidential file or folder on the computer. Once the file is unzipped and the recovery key is uploaded back to the fake website, the symbolic link is processed and the attacker is able to access the sensitive file.
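A defender's view of the scenario above, as an added example that is not from the original article or from Imperva: Python's standard `zipfile` module can list the symbolic-link entries in a downloaded archive before anything is extracted, and flag those that point outside the archive. The sample archive, its file names and its link targets are constructed for illustration.

```python
import io
import posixpath
import stat
import zipfile


def find_symlink_entries(zip_bytes):
    """Return (entry_name, link_target) for each symlink stored in a ZIP."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Unix-created archives keep the file mode in the high 16 bits of
            # external_attr; a symlink entry's data is the path it points to.
            if stat.S_ISLNK(info.external_attr >> 16):
                target = zf.read(info).decode("utf-8", errors="replace")
                found.append((info.filename, target))
    return found


def escapes_archive(entry_name, target):
    """True if the link would resolve outside the directory it is extracted to."""
    if posixpath.isabs(target):
        return True
    base = posixpath.dirname(entry_name)
    resolved = posixpath.normpath(posixpath.join(base, target))
    return resolved == ".." or resolved.startswith("../")


def risky_links(zip_bytes):
    return [(n, t) for n, t in find_symlink_entries(zip_bytes) if escapes_archive(n, t)]


def build_sample_zip():
    """Constructed sample: one regular file and three symlink entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wallet/readme.txt", "constructed sample")
        for name, target in [("wallet/recovery.key", "/constructed/secret.txt"),
                             ("wallet/notes", "readme.txt"),
                             ("wallet/deep", "../../outside.txt")]:
            link = zipfile.ZipInfo(name)
            link.create_system = 3  # mark the entry as Unix-made
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, target)
    return buf.getvalue()


if __name__ == "__main__":
    for name, target in risky_links(build_sample_zip()):
        print(f"symlink {name!r} -> {target!r} points outside the archive")
```

A link that stays inside the archive, such as `wallet/notes` in the sample, is listed by `find_symlink_entries` but not flagged by `risky_links`.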

Fortunately, Imperva researchers disclosed the vulnerability to Google, and the search giant deployed a fix in Chrome 107. However, this did not fully address the issue, and a permanent fix was included in the release of Chrome 108.

If you are using Chrome, Microsoft Edge, Brave, Vivaldi, Opera, or any other Chromium-based browser, you should immediately download and install the latest update to protect sensitive files on your computer from theft.

While there have not yet been any instances of this security flaw being exploited, attackers could come up with exploits targeting users with vulnerable versions of Chrome or other Chromium browsers.

In addition to keeping your browser and other software up-to-date, you should also consider installing the best antivirus software to protect yourself from malware and other cyber threats.
