Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Google Chrome Bug Leads to Windows Credential Theft

An issue with the manner in which Google Chrome and Windows handle specific file types can lead to credential theft even on up-to-date systems, a DefenseCode researcher has discovered.

An issue with the manner in which Google Chrome and Windows handle specific file types can lead to credential theft even on up-to-date systems, a DefenseCode researcher has discovered.

While previous research on the leak of authentication credentials using Windows’ Server Message Block (SMB) file sharing protocol focused only on attacks involving Internet Explorer and Edge, DefenseCode’s Bosko Stankovic discovered that even the most popular browser out there can be used as an attack vector.

In a paper titled Stealing Windows Credentials Using Google Chrome (PDF), Stankovic explains that the attack abuses Chrome’s default configuration, where the browser automatically downloads files that it deems safe. What’s more, it doesn’t even prompt the user for a download location, but uses the present one instead.

What this means is that the browser could download malicious files that it deems safe and save them to disk without user’s knowledge. While most files would require some sort of user interaction to perform malicious operations on the systems, there are file types that don’t and an attacker could exploit these to compromise even systems with the latest patches installed.

One of these file types, the security researcher says, is Windows Explorer Shell Command File or SCF (.scf). Although not well-known, this file type goes back as far as Windows 98, and was primarily used as a Show Desktop shortcut in Windows 98/ME/NT/2000/XP.

“It is essentially a text file with sections that determine a command to be run (limited to running Explorer and toggling Desktop) and an icon file location,” the researcher explains.

The same as with shortcut LNK files, the icon location is automatically resolved when the SCF file is shown in Explorer, and attackers are known to have abused this feature by setting an icon location to a remote SMB server in order to abuse the Windows automatic authentication feature when accessing services like remote file shares.

Advertisement. Scroll to continue reading.

Ever since Stuxnet, Chrome sanitizes LNK files by forcing a .download extension, but doesn’t do the same when SCF files are involved. Because of that, SCF files can be used to trick Windows into an authentication attempt to a remote SMB server. Only two lines of code are needed to conduct such an attack.

“Once downloaded, the request is triggered the very moment the download directory is opened in Windows File Explorer to view the file, delete it or work with other files (which is pretty much inevitable). There is no need to click or open the downloaded file – Windows File Explorer will automatically try to retrieve the ‘icon’,” Stankovic notes.

The remote SMB server can be set to capture the victim’s username and NTLMv2 password hash for offline cracking, or can relay the connection to an external service that accepts the same kind of authentication in an attempt to impersonate the victim without ever knowing the password.

“It is worth mentioning that SCF files will appear extensionless in Windows Explorer regardless of file and folder settings. Therefore, file named picture.jpg.scf will appear in Windows Explorer as picture.jpg. This adds to inconspicuous nature of attacks using SCF files,” the researcher explains.

To successfully exploit this attack vector, an actor would simply need to entice users into accessing a website (the attack works even on fully updated Google Chrome and Windows).

The impact of password theft could be dire on enterprise environments (especially if the attack victim is a privileged user) or for Active Directory domains (corporate, government and other networks), where the password theft could lead to escalating internal network breaches.

On Windows 8/10 machines using a Microsoft Account (MSA) instead of a local account, the attack would result in the compromise of all Microsoft services that are integrated with the MSA Single sign-on (SSO). Password reuse could lead to the compromise of accounts unrelated to MSA as well.

“In order to disable automatic downloads in Google Chrome, the following changes should be made: Settings -> Show advanced settings -> check the Ask where to save each file before downloading option. Manually approving each download attempt significantly decreases the risk of NTLMv2 credential theft attacks using SCF files,” the researcher says.

Related: SOP Bypass in Microsoft Edge Leads to Credential Theft

Related: Chrome Addresses Threat of Unicode Domain Spoofing

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.