A Chrome exploit published online last week has been weaponized and abused to attack WeChat users in China, a local security firm reported on Friday.

The attacks consisted of malicious links sent to WeChat users.

If users clicked the link, they’d trigger a piece of JavaScript code that would load and execute shellcode on their underlying operating systems.

Qingteng Cloud Security, which detected the attacks via one of its security products, said in a Weibo post that only users of the WeChat Windows app were attacked.

This was because the attackers re-purposed proof of concept code published on Twitter and GitHub last week for two separate bugs in the Chromium browser engine, which the WeChat Windows client is using to open and preview links without needing to open a separate browser.

The proof of concept code published last week —both of them— allowed attackers to run malicious code inside any Chromium-based browser.

However, the exploit code was deemed useless on its own because most web browsers run Chromium in a “hardened mode” where the “sandbox” security feature is also enabled to prevent malicious code from escaping to the underlying operating system.

But as security researchers told The Record in interviews last week, their proof-of-concept code would work just fine against apps that used the Chromium project as a base but forgot to enable the sandbox protection.

WeChat client patched last week

Qingteng did not say which of the two Chromium exploits disclosed online last week were abused in the wild in China; however, the security firm said it notified Tencent, the WeChat app developer, which integrated the recent Chromium security updates to patch the attack vector.

The Chromium project has also released fixes to address both bugs, but the fixes are still making their way downstream to all apps that are using the browser engine.

Currently, only Microsoft Edge comes with fixes for both exploits. Chrome has patched only the first bug.


administrator

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.

Freelance writer