The cookie encryption system that Google introduced in the Chrome browser a few months ago can be easily circumvented, experts warn.
A security researcher recently published a new tool that does just that.
In July 2024, Google released Chrome 127, a new version of the Chrome browser that came with application-specific (app-bound) encryption. The new feature was supposed to serve as a protection mechanism, encrypting cookies using a Windows service with SYSTEM permissions. The feature was intended to prevent infostealing malware from obtaining sensitive information in the browser, such as login details, session cookies and more.
Higher privileges needed
“Because the App-Bound service runs with system privileges, attackers must do more than just persuade a user to run a malicious app,” Google said at the time. “Now the malware needs to gain system privileges or inject code into Chrome, something legitimate software shouldn’t do.”
But the success of the new feature was short-lived. At the end of September, we reported that several infostealers were already able to bypass this feature, including Lumma Stealer, StealC, and many others.
Google responded by saying this was expected, adding that it was pleased the change forced a change in attacker behavior.
“This is consistent with the new behavior we’ve seen. We continue to work with OS and AV vendors to try to more reliably detect these new types of attacks, and continue to strengthen defenses to improve protection against infostealers for our users.”
Now, security researcher Alexander Hagenah has built and shared a tool on GitHub called ‘Chrome-App-Bound-Encryption-Decryption’ that does the same thing as these infostealers, BleepingComputer reports.
“This tool decrypts App-Bound encrypted keys stored in Chrome’s Local State file, using Chrome’s internal COM-based IElevator service,” the project page reads. “The tool provides a way to retrieve and decrypt these keys, which Chrome protects via App-Bound Encryption (ABE) to prevent unauthorized access to secure data like cookies (and potentially passwords and payment information in the future).”
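As an added defensive check (not code from the article or from Hagenah's tool), the following Python snippet reads the os_crypt section of Chrome's Local State file and reports whether the cookie key is still under legacy user-scope DPAPI protection or has been moved to app-bound encryption, without decrypting anything. The "DPAPI" and "APPB" prefixes are the markers Chrome writes in front of each key blob; the sample file below is constructed.

```python
import base64
import json

# Constructed sample of the os_crypt section of Chrome's "Local State" file.
# Real files carry many more keys; the blobs here are fabricated and carry
# only the prefixes Chrome writes (legacy "DPAPI" vs. app-bound "APPB").
SAMPLE_LOCAL_STATE = json.dumps({
    "os_crypt": {
        "encrypted_key": base64.b64encode(b"DPAPI" + b"\x01" * 16).decode(),
        "app_bound_encrypted_key": base64.b64encode(b"APPB" + b"\x02" * 16).decode(),
    }
})

LEGACY_PREFIX = b"DPAPI"    # key protected only by the user's DPAPI scope
APP_BOUND_PREFIX = b"APPB"  # key wrapped by the SYSTEM-level elevation service

def inspect_local_state(local_state_json: str) -> dict:
    """Report which cookie-key protection modes a Local State file carries.

    Returns booleans for 'legacy_dpapi' and 'app_bound' plus a list of
    anomalies (a key present but with an unexpected prefix or bad encoding),
    so an endpoint inventory can flag profiles not yet under app-bound
    encryption without touching the key material itself.
    """
    os_crypt = json.loads(local_state_json).get("os_crypt", {})
    report = {"legacy_dpapi": False, "app_bound": False, "anomalies": []}

    for field, prefix, flag in (
        ("encrypted_key", LEGACY_PREFIX, "legacy_dpapi"),
        ("app_bound_encrypted_key", APP_BOUND_PREFIX, "app_bound"),
    ):
        blob = os_crypt.get(field)
        if blob is None:
            continue
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            report["anomalies"].append(f"{field}: not valid base64")
            continue
        if raw.startswith(prefix):
            report[flag] = True
        else:
            report["anomalies"].append(f"{field}: unexpected prefix {raw[:5]!r}")
    return report

if __name__ == "__main__":
    print(inspect_local_state(SAMPLE_LOCAL_STATE))
```

On a real endpoint, pass the contents of the profile's Local State file instead of the constructed sample; a profile that reports only legacy_dpapi has not received the app-bound key.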
In response to all of the above, Google said it was essentially satisfied because crooks now need higher privileges to perform the attacks:
“This code (xaitax’s) requires administrative privileges, demonstrating that we have successfully increased the amount of access required to successfully conduct these types of attacks,” Google said.
Via BleepingComputer