Google Chrome security flaw could impact billions of users — update right now

If you haven’t updated your browser in a while you should do so immediately, as a new high-severity vulnerability has been discovered that affects Google Chrome and other Chromium-based browsers like Microsoft Edge.

The vulnerability, dubbed SymStealer and tracked as CVE-2022-3656, was first discovered by security researchers at Imperva. More than 2.5 billion users could be at risk of potential attacks if they aren’t running the latest version of Chrome.

If exploited, an attacker could use this vulnerability to steal sensitive files from a user’s computer, including banking and crypto wallet credentials that could then be used to drain their accounts.

Chrome’s popularity comes with a number of benefits, like compatibility and frequent security audits, but as the most widely used browser, with a 65.52% market share according to a blog post from Imperva, it’s also a very attractive target for hackers and other cybercriminals.

SymStealer vulnerability

The vulnerability itself involves symlinks, or symbolic links, which are a type of file that points to another file or directory. Symlinks are often used for creating shortcuts, redirecting file paths or organizing files in a more flexible way. However, they can also introduce vulnerabilities.

Imperva’s researchers discovered an issue in Chrome where the browser did not properly check to see if symlinks were pointing to a location that wasn’t supposed to be accessible. This could allow an attacker to steal sensitive files from a victim’s machine.

In one attack scenario laid out by the firm, an attacker could create a fake website that offers a new crypto wallet service. This website could then trick a user into creating a new wallet by requesting they download their recovery keys.

While a user would think they were downloading their keys, the file itself would actually contain a symlink to a sensitive file or folder on their computer. After unzipping the file and uploading their recovery keys back to the fake website, the symlink would then be processed and the attacker would gain access to a sensitive file. 

Fortunately, Imperva’s researchers disclosed the vulnerability to Google and the search giant rolled out a fix in Chrome 107. However, this didn’t fully address the issue, which is why a permanent fix was included with the release of Chrome 108.

How to stay safe from browser-based attacks

If you’re using Chrome, Microsoft Edge, Brave, Vivaldi, Opera or any other Chromium-based browser, you should download and install the latest updates immediately to protect the sensitive files on your computer from being stolen. 

Although there haven’t been any instances of this security flaw being exploited in the wild, attackers could come up with exploits targeting users that are still running vulnerable versions of Chrome or other Chromium browsers.

Besides keeping your browser and other software up to date, you should also consider installing the best antivirus software to help keep you protected from malware and other cyber threats.

Anthony Spadafora
Managing Editor Security and Home Office