A serious vulnerability in the Windows version of Google’s Chrome web browser has been discovered that could allow hackers to steal user credentials.
Spotted by Bosko Stankovic, an information security engineer at DefenseCode LLC, the vulnerability in the default configuration of the latest version of Chrome allows malicious websites to trick users into downloading a .scf (Shell Command File format) file without prompting the user as it would typically do with other types of downloads. By bypassing this option, the malicious .scf file lies dormant in the downloads directory until a victim opens the directory, at which point the file automatically runs without the user having to click on it.
Once up and running, the file allows the attacker to gain access to a victim’s username and Microsoft LAN Manager password hash. That leaves the victim open to attacks, including a so-called Server Message Block relay attack that allows the hacker to use the credentials to authenticate to a personal computer or network resource.
The password angle is where the method of attack gets more interesting. Stankovic found that although the password itself would need external brute-force cracking, a number of Microsoft services will accept the password in its hashed form for authentication, meaning that decryption isn’t necessary. Services that could potentially be accessed include OneDrive, Outlook.com, Office 365, Office Online, Skype, Xbox Live and others.
If that isn’t bad enough, Stankovic claims, no antivirus software tested managed to flag the flag the file as being anything suspicious, though he hopes that will change soon.
Google has been informed of the vulnerability and is said to be working on a fix, but no time frame has been given as to when a patch will be made available.