Google's Chrome team is working to fix a bug that allows credential theft. The vulnerability can be exploited by hackers if the browser is running on Windows.
The attack succeeds if hackers manage to trick the victim into clicking a link that downloads a Windows .scf file (the old Shell Command File format, used for the Show Desktop shortcut since Windows 98), said the DefenseCode security researchers who discovered the issue.
In practice, the attack exploits the way Chrome and Windows handle .scf files.
Most download links are sanitized by Chrome, adding the .download extension onto Windows LNK files but not .scf files.
So if the user clicks the link, the malicious .scf file is saved and remains dormant in the Downloads directory until the victim next opens that folder.
This is exactly where the Windows side of the vulnerability lies: viewing the folder triggers Windows to try to retrieve the icon associated with the .scf file.
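The sanitization gap described above can be modelled with a small checker. This is an added illustration, not Chrome's own code: the extension lists are assumed and deliberately short, and the function only models the behaviour the article describes (appending ".download" to dangerous names). It also normalizes the name the way Win32 does (trailing dots and spaces are stripped, extensions are case-insensitive), since a check on the raw name would miss variants such as "REPORT.SCF.".

```python
import os
from typing import FrozenSet, Iterable, List

# Illustrative lists only (assumed, not Chrome's real table). Before the fix
# the .lnk shortcut format was handled but the .scf format was not.
DANGEROUS_BEFORE_FIX: FrozenSet[str] = frozenset({".lnk", ".exe", ".bat"})
DANGEROUS_AFTER_FIX: FrozenSet[str] = DANGEROUS_BEFORE_FIX | {".scf"}


def normalize_win32_name(name: str) -> str:
    """Approximate the name Windows will create on disk.

    Win32 strips trailing dots and spaces when a file is created, so a
    check that looks at the raw string "evil.scf." sees no ".scf"
    extension even though Explorer will later treat the file as an SCF.
    """
    return name.rstrip(". ")


def sanitize_download_name(name: str, dangerous: FrozenSet[str]) -> str:
    """Append ".download" when the effective extension is dangerous.

    The comparison is done on the normalized name and in lower case, so
    "REPORT.SCF " and "report.scf" are treated the same way.
    """
    effective = normalize_win32_name(name)
    _, ext = os.path.splitext(effective)
    if ext.lower() in dangerous:
        return effective + ".download"
    return effective


def slipped_through(names: Iterable[str]) -> List[str]:
    """Return the downloads the old list left untouched but the fixed list renames.

    Useful as a regression check: every name returned here would have been
    saved with its live extension before the fix.
    """
    return [
        n for n in names
        if sanitize_download_name(n, DANGEROUS_BEFORE_FIX)
        != sanitize_download_name(n, DANGEROUS_AFTER_FIX)
    ]


if __name__ == "__main__":
    # Constructed sample of download names, not real files.
    sample = ["report.scf", "REPORT.SCF.", "shortcut.lnk", "notes.txt"]
    print(slipped_through(sample))
```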
To retrieve the icon, the victim's device will present credentials to the server - their user ID and hashed password on a corporate network, or the home group's credentials if the computer is personal.
In this way, the credentials become available to hackers.
If the .scf file contains specific content, the user ID and hashed password are presented to the attacker's IP address.
The user ID and the hashed password can be presented to other services, although recovery of an NTLMv2 hashed password will require offline brute-force cracking.
Brute-forcing the password is an attack of average difficulty, but an NVIDIA GTX 1080 card can recover an eight-character password in less than a day.
Google has announced that it is aware of the problem and is working on the fixes.