The cookie encryption system that Google introduced to the Chrome browser a few months ago can easily be bypassed, experts have warned.
In fact, a security researcher has recently published a new tool that does just that.
In July 2024, Google released Chrome 127, a new version of the Chrome browser that came with Application-Bound (App-Bound) encryption. The new feature was supposed to serve as a protection mechanism, encrypting cookies using a Windows service running with SYSTEM privileges. The tool was supposed to prevent infostealing malware from grabbing sensitive information stored in the browser, such as login credentials, session cookies, and more.
Higher privileges needded
“Because the App-Bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app,” Google said at the time. “Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn’t be doing.”
But the success of the new feature was short-lived. In late September, we reported that multiple infostealers were already able to work around the feature, including Lumma Stealer, StealC, and many others.
Google responded by saying that it was expected, and added that it was happy the changed forced a shift in attacker behavior.
“This matches the new behavior we have seen. We continue to work with OS and AV vendors to try and more reliably detect these new types of attacks, as well as continuing to iterate on hardening defenses to improve protection against infostealers for our users.”
Now, security researcher Alexander Hagenah built and shared a tool on GitHub he called ‘Chrome-App-Bound-Encryption-Decryption’ which does the same as these infostealers, BleepingComputer reports.
“This tool decrypts App-Bound encrypted keys stored in Chrome’s Local State file, using Chrome’s internal COM-based IElevator service,” the project page reads. “The tool provides a way to retrieve and decrypt these keys, which Chrome protects via App-Bound Encryption (ABE) to prevent unauthorized access to secure data like cookies (and potentially passwords and payment information in the future).”
Commenting on all of the above, Google essentially said it was satisfied, since crooks now need higher privileges to pull off the attacks:
“This code [xaitax’s] requires admin privileges, which shows that we’ve successfully elevated the amount of access required to successfully pull off this type of attack,” Google said.
Via BleepingComputer
+ There are no comments
Add yours