Google Chrome security flaw could impact billions of users — update right now

and image of the Google Chrome logo on a laptop
(Image credit: Shutterstock)

If you haven’t updated your browser in a while you should do so immediately, as a new high-severity vulnerability has been discovered that affects Google Chrome and other Chromium-based browsers like Microsoft Edge.

The vulnerability, dubbed SymStealer and tracked as CVE-2022-3656 (opens in new tab), was first discovered by security researchers at Imperva and more than 2.5 billion users could be at risk of potential attacks if they aren’t running the latest version of Chrome.

If exploited, an attacker could use this vulnerability to steal sensitive files from a users’ computer including banking and crypto wallet credentials that could then be used to drain their accounts

Chrome’s popularity comes with a number of benefits like compatibility and frequent security audits but as the most widely used browser with a 65.52% market share according to a blog post (opens in new tab) from Imperva, it’s also a very attractive target for hackers and other cybercriminals.

SymStealer vulnerability

The vulnerability itself involves symlinks or symbolic links which are a type of file that points to another file or directory. Symlinks are often used for creating shortcuts, redirecting file paths or organizing files in a more flexible way. However, they can also introduce vulnerabilities.

Imperva’s researchers discovered an issue in Chrome where the browser did not properly check to see if symlinks were pointing to a location that wasn’t supposed to be accessible. This could allow an attacker to steal sensitive files from a victim’s machine.

In one attack scenario laid out by the firm, an attacker could create a fake website that offers a new crypto wallet service. This website could then trick a user into creating a new wallet by requesting they download their recovery keys.

While a user would think they were downloading their keys, the file itself would actually contain a symlink to a sensitive file or folder on their computer. After unzipping the file and uploading their recovery keys back to the fake website, the symlink would then be processed and the attacker would gain access to a sensitive file. 

Fortunately, Imperva’s researchers disclosed the vulnerability to Google and the search giant rolled out a fix in Chrome 107. However, this didn’t fully address the issue which is why a permanent fix was included with the release of Chrome 108

How to stay safe from browser-based attacks

Best antivirus software

(Image credit: Shutterstock)

If you’re using Chrome, Microsoft Edge, Brave, Vivaldi, Opera or any other Chromium-based browser, you should download and install the latest updates immediately to protect the sensitive files on your computer from being stolen. 

Although there haven’t been any instances of this security flaw being exploited in the wild, attackers could come up with exploits targeting users that are still running vulnerable versions of Chrome or other Chromium browsers.

Besides keeping your browser and other software up to date, you should also consider installing the best antivirus software to help keep you protected from malware and other cyber threats.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.