Google Chrome WARNING - This terrifying new HACK leaves Windows PCs open to ATTACK

GOOGLE CHROME users need to be aware of a terrifying new glitch that enables cybercriminals to steal your Windows login credentials using your web browser.

By Aaron Brown, Express Affiliate Development Editor with 10 years of experience writing about the latest developments in consumer technology, product reviews, and buying advice

Hackers could use Google Chrome to gain access to your Windows loginGETTY • GOOGLE

Hackers could use Google Chrome to gain access to your Windows login

Chrome users have been cautioned about a new software bug that allows hackers to steal login credentials for Windows.

These login details can be immediately reused, allow cybercriminals to "impersonate members of the organisation" and launch further attacks "on other users or gain access and control of IT resources".

The terrifying new vulnerability was disclosed by security engineer Bosko Stankovic.

Stankovic shared the Google Chrome glitch on security blog DefenseCode, where he revealed the flaw was present in a default configuration of Chrome running on .

"Currently, the attacker just needs to entice the victim (using fully updated Google Chrome and Windows) to visit his web site to be able to proceed and reuse victim's authentication credentials," Stankovic wrote.

To siphon Windows login credentials with Chrome, Stankovic combined two previous attack techniques – one borrowed from the Stuxnet campaign, and another demonstrated by Jonathan Brossard and Hormazd Billimoria at the Black Hat security conference.

According to Stankovic, the attack is relatively simple to execute.

Hackers need to trick victims into clicking on a malicious link, which automatically downloads a Windows Explorer Shell Command File or SCF file.

"With its default configuration, Chrome browser will automatically download files that it deems safe without prompting the user for a download location but instead using the preset one," Stankovic writes.

"From a security standpoint, this feature is not an ideal behavior but any malicious content that slips through still requires a user to manually open/run the file to do any damage.

"However, what if the downloaded file requires no user interaction to perform malicious actions?"

Tech expert on how to keep your browser secure

Once the .SCF file is automatically downloads to the user's Download folder, where it lays dormant until the opens the Download directory in Windows.

This launches the malicious .SCF file, which then attempts to retrieve data linked with a Windows icon located on the attacker’s server.

DefenceCode did not inform Google about the vulnerability following the publication of the blog.

However a spokesperson for Google told ThreatPost: "We’re aware of this and taking the necessary actions."

"Organisations that allow remote access to services such as Microsoft Exchange (Outlook Anywhere) and use NTLM as authentication method, may be vulnerable to SMB relay attacks, allowing the attacker to impersonate the victim, accessing data and systems without having to crack the password," Stankovic has warned.

Would you like to receive news notifications from Daily Express?