Chrome Browser Hack Opens Door to Credential Theft

google chrome security update

Researchers at DefenseCode claim a vulnerability in Google’s Chrome browser allows hackers to steal credentials and launch SMB relay attacks.

A vulnerability in Google’s Chrome browser allows hackers to automatically download a malicious file onto a victim’s PC that could be used to steal credentials and launch SMB relay attacks.

Bosko Stankovic, information security engineer at DefenseCode, found the flaw in the default configuration of the latest version of Chrome running on an updated version of Microsoft’s Windows 10 operating system.

“Currently, the attacker just needs to entice the victim (using fully updated Google Chrome and Windows) to visit his website to be able to proceed and reuse victim’s authentication credentials,” he wrote Monday in a description of the vulnerability.

The technique allows an attacker to gain access to a victim’s username and Microsoft LAN Manager (NTLMv2) password hash. That leaves victims open to a variety of attacks including a Server Message Block (SMB) relay attack. A SMB relay attack allows an adversary to use a victim’s credentials to authenticate to a PC or network resource such as email or remote server.

Attacks could also use this vulnerability to attempt to crack the target’s hashed password.

DefenseCode said it did not notify Google of the vulnerability. When Threatpost asked Google to comment a spokesperson said “We’re aware of this and taking the necessary actions.” Google didn’t elaborate.

According to Stankovic the browser attack is simple.

First, a victim is enticed to click on a specially crafted link that triggers an automatic download of a Windows Explorer Shell Command File or SCF file (.scf) onto a victim’s PC. The file is automatically downloaded to the target’s C:\Users\%Username%\Downloads Folder.

Once the .SCF file is downloaded into the Download directory it lays dormant. However, once the user opens the Download directory folder in Windows, the SCF file tries to retrieve data associated with a Windows icon located on the attacker’s server.

When the SCF file attempts to retrieve the remote icon file data it present the attacker’s server with the victim’s username and hashed version of the victim’s password. If the victim is part of a corporate network, the username and password is the network username and password assigned to the victim by the company’s system administrator. If the victim is a home user, the SCF file will request the icon data associated with the home user’s Windows username and password.

Researchers independent of DefenseCode point out that the vulnerability is not exclusively tied to the way the Chrome browser handles SCF files, but also the way Windows handles them as well.

According to Stankovic, SCF files are lesser known file types going back as far as Windows 98 where it was primarily used as a “Show Desktop” shortcut. “It is essentially a text file with sections that determine a command to be run (limited to running Explorer and toggling Desktop) and an icon file location,” Stankovic said.

Researchers say this type of attack could be used maliciously to attempt to crack the hashed password. The attacker could also use the credential request in a SMB relay attack. Under that scenario an attacker could forward the credential request to attempt access NTLM-enabled services on a corporate network – such as email or network access.

“Organizations that allow remote access to services such as Microsoft Exchange (Outlook Anywhere) and use NTLM as authentication method, may be vulnerable to SMB relay attacks, allowing the attacker to impersonate the victim, accessing data and systems without having to crack the password,” Stankovic said.

To protect against the attack in Google Chrome, DefenseCode recommends visiting Settings> Show advanced settings> and Check the “Ask where to save each file before downloading” option.

“As with Windows shortcut LNK files, the icon location is automatically resolved when the file is shown in Explorer. Setting an icon location to a remote SMB server is a known attack vector that abuses the Windows automatic authentication feature when accessing services like remote file shares. But what is the difference between LNK and SCF from the attack standpoint? Chrome sanitizes LNK files by forcing a .download extension ever since Stuxnet, but does not give the same treatment to SCF files,” Stankovic wrote in his report.

Stankovic said competing browsers Microsoft Internet Explorer, Edge, Mozilla Firefox and Apple Safari each do not allow the automatic download of SCF files.

Suggested articles



    The exploit does NOT grant access to the LAN Manager (NTLMv2) password hash. There is no such thing as a v2 hash. It grants access to the NTLM response. This is the NTLM Hash combined with a random salt. This is a far cry from the hash. That said, if the protocol is NTLM v1, this is horrific.
  • eeeee on

    Even if the other browsers do not automatically download SCF files, how many average users even know that SCF files trigger this Windows behavior? This is definitely a problem for Windows to fix.
  • Shawn on

    What about disabling SMB
  • Tom Spring on

    Hi Shawn... I touched base with the researcher and he responded with this feedback to your question: "I suppose it would protect you but that's not a good option for most users in networks or that use file shares at home, etc"
  • SMD on

    Hello Tom What if the SCF file is downloaded directly to the desktop instead of C:\Users\%Username%\Downloads Folder, what do you think will happen?
    • Tom Spring on

      Good Question SMD. Once again, I've reached out to the author of the research and asked. Here is what he had to say. "When you refresh the Desktop the same thing will happen. That happens automatically in a lot of cases and it's even worse than being downloaded in Downloads folder because you access your Desktop more often."
  • Mark Gamache on

    What about security researchers and bloggers not knowing that "Microsoft LAN Manager (NTLMv2) password hash" is not a thing? It gives the impression that maybe the attacker can get the NT hash, which is a thing and would be VERY bad.
  • Tom Spring on

    HI Mark, thanks for reaching out. I've contacted the researcher and asked him to address your specific comment regarding LAN Manager (NTLMv2). Here is what he had to say: "NTLMv2 hash is a known term that refers to the information gathered from the NTLMv2 authentication protocol (username/domain, server challenge, NTLMv2 response). It's been known as such in IT security world since first attacks against it were published. It is referred to as NTLMv2 hash or NetNTLMv2 in all security tools that are used to crack, capture or inspect those responses. It is not to be mistaken with NT hash."
  • Gav on

    As a Computer user who is 'fairly' competent at using a PC, but by your standards, a complete novice... I have uninstalled Google Chrome. It started acting up. My anti-virus, kept picking up authentication issues and re-directs and pointing fingers at chrome. I uninstalled, and re-installed, and same issues. I have since deleted chrome and use internet explorer, and issues have stopped. As a long time chrome user, it saddens me. But I will never be touching chrome again.
  • Rumman on

    Is there any exploit module is MSF or other way to demonstrate this attack/vulnerability for educational purpose?

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.