JavaScript Drive-By Attacks: New Exploits without 0-Day in Google Chrome

Security researcher Ron Masas from Imperva Threat Research has uncovered a new way attackers can target Chrome users without relying on 0-day vulnerabilities. This approach leverages the File System Access API, which allows websites to read and write to local files when users grant permission. According to Masas, “This API bypasses both Windows and macOS security mechanisms,” raising serious concerns, especially for macOS users, who rely on the operating system’s Gatekeeper feature to prevent unauthorized code execution.

Masas’ interest in this exploit type began years ago with the Java applet “drive-by download” technique, which allowed web pages to execute arbitrary code. In the modern version of this attack, “a single misclick could lead to a compromised system,” especially when Chrome’s File System Access API is involved.

Image: Imperva

Masas identified that Chrome has a blocklist to restrict access to sensitive files, but it has loopholes. By leveraging symbolic links (symlinks), attackers can trick Chrome into writing to files that are otherwise protected. “The Google Chrome Helper acts,” Masas notes, “as an intermediary between Chrome and any installed plugins,” providing attackers with a direct route to execute code when overwritten.

To showcase the potential impact, Masas developed two proof-of-concept applications: a browser AI helper and a fake online IDE called “Evil Code Editor.” Both PoCs were designed to lure users into granting file access, which could then be used to execute arbitrary commands. Masas explains, “If users follow these steps, attackers could execute arbitrary commands on their machines,” highlighting the severity of this exploit.

The report recommends that Google remove execute permissions from files modified by the File System Access API to mitigate these attacks. While Google plans to implement restrictions in Chrome 132, this issue remains unpatched at present.

As Masas concludes, “Even today, a few wrong clicks can open the door to serious security issues. Stay alert and think twice before allowing access to your files.” This reminder underscores the risks of modern web functionality, where convenience and security are constantly at odds.

Related Posts:

• Atlassian Companion Update Now! PoC for CVE-2023-22524 Puts Businesses on High Alert
• Researcher details authentication bypass flaw (CVE-2022-47003) in Mura CMS
• Apple backports fix for actively exploited 0-day to older macOS and iPhone/iPad devices
• Android patches take a long time to reach users’ devices, weakening Android security
• New DarkGate Malware Campaign Exploits 0-day CVE-2024-21412 Flaw