Chrome vulnerability can allow attackers to steal user credentials

Google Chrome may not be as safe as it was thought to be. Recently, a security engineer, Bosko Stankovic, found a vulnerability in Google Chrome that hackers can easily exploit to get a user’s credentials such as their username and password and potentially launch SMB relay attacks. It must be noted that WannaCry ransomware attack also exploits an SMB vulnerability present in the outdated version of Windows operating systems.

More:  Microsoft Slams NSA over WannaCry Ransomware Attack

What is the vulnerability?

Apparently, the vulnerability is in Google Chrome’s configuration, as claimed by Stankovic who works as a security expert at DefenseCode. He found the flaw in the latest version of Chrome installed on an updated version of Windows 10.

How can the vulnerability be exploited?

According to Stankovic, the vulnerability lets the attacker steal a user’s username and the hashed version of their password by simply tricking the victim to click a specific link created by the attacker. The attacker can then use the credentials to access a user’s email and any other network that uses the victim’s credentials to allow access.

In particular, the attacker can launch a Server Message Block (SMB) relay attack, which means that the hacker can use the victim’s credentials to gain access to the victim’s remote server, email or the entire computer. Moreover, the vulnerability can be used to crack the victim’s hashed password as well.

How does it work?

Stankovic explained the mechanism by which an attacker steals a victim’s credentials. To begin with, the attacker creates a link, which, when clicked by the user, automatically downloads a Windows Explorer Shell Command File (SCF file) into the user’s computer.

This file then gets stored in the victim’s Download folder. However, it does not do anything as long as the user does not open the folder. Nevertheless, once the user accesses the Download folder, the SCF file sends a request to the attacker’s server to retrieve data which is related to a Windows icon.

More:  Beware; Sophisticated Phishing Attacks Using Unicode Characters

Consequently, when the request to retrieve data is sent to the attacker’s server, the victim’s username and hashed version of his/her password is revealed to the attacker. If these credentials are used to access a corporate network, then the attacker can virtually impersonate the victim to hijack the entire network.

What does Google have to say?

It has been reported that DefenseCode did not communicate the vulnerability to Google once it discovered the fault. Threatpost, however, asked Google for their comment on the issue. Google simply stated that it is working on fixing the problem.

Windows or Google – who’s fault?

Some experts are of the opinion that the vulnerability is not solely because of Chrome, but also because of the way Windows manages SCF files. An SCF file is a text file that contains pieces of text which prompt a command and allows the system to locate an icon file.

As such, the file can be used to carry out an SMB attack. If the attack is made on a corporate network and that network uses NTLM authentication, then the attacker may not even have to crack the hashed version of the password to gain access.

How to protect yourself?

In order to prevent such an attack, you need to go to Chrome’s Settings -> Show Advanced Settings and then check the box which says “Ask where to save each file before downloading.” You can then change the location of the downloaded files, so you do not have to open the Download folder on your computer.


DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.

Jahanzaib Hassan