Malicious Google Chrome extension collected users' data for third parties
Malicious Google Chrome extension collected users' data for third parties

A bug in Google's popular web browser Chrome could enable bad actors to place a malicious file onto a target PC that could then be used to siphon off Windows credentials and initiate a Server Message Block (SMB) relay attack, according to a post by Bosko Stankovic, an information security engineer at DefenseCode.

Stankovic discovered the vulnerability in the default configuration of Chrome and all Windows versions supporting the browser.

"With its default configuration, Chrome browser will automatically download files that it deems safe without prompting the user for a download location but instead using the preset one," Stankovic wrote. This step, he explained, is not optimal from a security standpoint, but for it to cause any harm a user would still need to manually open and run the file.

The problem is that a Windows Explorer Shell Command File or SCF (.scf) – a text file that launches commands – requires no user action and can be used to trick Windows into an authentication attempt to a remote SMB server, which then gathers victims' usernames and Microsoft LAN Manager (NTLMv2) password hash, Stankovic wrote.

This is enough personal data, he explained, to launch account breaches on Windows systems. For enterprises using Microsoft Exchange and which use NTLM as an authentication strategy, the bug could enable SMB relay attacks, where the bad actors could pose as the victim and thus gain access to networks without a password.

When a number of anti-virus solutions were tested, none captured the downloaded file as suspicious.

To disable automatic downloads in Google Chrome, Stankovic recommended the following preferences be checked: Settings -> Show advanced settings -> Check the Ask where to save each file before downloading option.

"Manually approving each download attempt significantly decreases the risk of NTLMv2 credential theft attacks using SCF files," he explained.

Google is reportedly looking into the vulnerability.