UPDATED 23:55 EST / MAY 16 2017

INFRA

Serious vulnerability in Google Chrome on Windows could expose user credentials

A serious vulnerability in the Windows version of Google’s Chrome web browser has been discovered that could allow hackers to steal user credentials.

Spotted by Bosko Stankovic, an information security engineer at DefenseCode LLC, the vulnerability in the default configuration of the latest version of Chrome allows malicious websites to trick users into downloading a .scf (Shell Command File format) file without prompting the user as it would typically do with other types of downloads. By bypassing this option, the malicious .scf file lies dormant in the downloads directory until a victim opens the directory, at which point the file automatically runs without the user having to click on it.

Once up and running, the file allows the attacker to gain access to a victim’s username and Microsoft LAN Manager password hash. That leaves the victim open to attacks, including a so-called Server Message Block relay attack that allows the hacker to use the credentials to authenticate to a personal computer or network resource.

The password angle is where the method of attack gets more interesting. Stankovic found that although the password itself would need external brute-force cracking, a number of Microsoft services will accept the password in its hashed form for authentication, meaning that decryption isn’t necessary. Services that could potentially be accessed include OneDrive, Outlook.com, Office 365, Office Online, Skype, Xbox Live and others.

If that isn’t bad enough, Stankovic claims, no antivirus software tested managed to flag the flag the file as being anything suspicious, though he hopes that will change soon.

Google has been informed of the vulnerability and is said to be working on a fix, but no time frame has been given as to when a patch will be made available.

Photo: casasroger/Flickr

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU