Environment Variables Leak affect Multiple browsers

Threat Level – Amber | Vulnerability Report
Download PDF


For a detailed advisory, download the pdf file here.

A system environment variables leak security bug was found in Chromium 92 version. Multiple web browsers are based on the chromium engine, such as Google Chrome, Microsoft Edge, Opera, and Brave. Most of them are reported to be vulnerable, except Brave.

The vulnerability tracked as CVE-2022-0337 affects the ‘window.showSaveFilePicker()’ method in the File system access API. An attacker can exploit this vulnerability to gain access to the victim’s system environment variables by crafting a malicious html file and enticing a victim user to open it. Environment variables are the variables where users can store secrets like tokens, passwords, keys to some services (ex. Microsoft Azure or Twilio SendGrid). This vulnerability only affects Windows operating system.

Potential MITRE ATT&CK TTPs are:TA0042: Resource DevelopmentT1588: Obtain CapabilitiesT1588.006: Obtain Capabilities: VulnerabilitiesTA0001: Initial AccessT1190: Exploit Public-Facing ApplicationTA0005: Defense EvasionT1027: Obfuscated Files or InformationT1027.006: Obfuscated Files or Information: HTML Smuggling

Vulnerability Details

Patch Link







What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox