A protection against cookie theft was introduced with Google Chrome 127 to help prevent credential-stealing and 2FA-bypassing malware, but it has now been broken by a newly released hacking tool.
Google Chrome Application Bound Encryption
In the cybercriminal hacking sense, those who wish to do you harm like to deploy infostealer malware to gain access to accounts that can open the door to sensitive data, including passwords and banking details. Stealing cookies, especially session cookies, is one very popular way to accomplish this, as it means that the hacker can then effectively bypass your 2FA protections as they are already logged into the account, at least as far as your apps and devices are concerned.
This has not gone unnoticed by those who would protect us from such harm, including the Google Chrome security team. “Cybercriminals using cookie theft infostealer malware continue to pose a risk to the safety and security of our users,” Will Harris of that team confirmed in July, adding that several security protections were already in place, such as Safe Browsing, device bound session credentials and Google’s account-based threat detection feature. With the arrival of Google Chrome 127 for Windows, an additional layer of protection was added: “Chrome can now encrypt data tied to app identity, similar to how the Keychain operates on macOS,” Harris said. This is meant to prevent any app running as the logged-in user from gaining access to “secrets” such as cookies.
This protection started with cookies in Google Chrome 127 but, as Harris stated at the time, is intended to expand to provide protection for “passwords, payment data, and other persistent authentication tokens.” All of which is very good news indeed. Or it was until the cybercriminals worked out how to bypass such protections.
The Google Chrome App Bound Encryption Decryption Bypass Tool
As reported by Bleeping Computer, the protections were being broken as early as September by “multiple information stealers,” enabling them to “steal and decrypt sensitive information from Google Chrome.”
A security researcher by the name of Alex Hagenah, who uses the handle xaitax online, decided that because of the number of threat actors that had seemingly bypassed the Google Chrome cookie protections, the time was right to release a tool that does the same thing, along with the full source code to enable defenders to learn from it. The tool, Chrome App-Bound Encryption Decryption, does what it says on the tin: it decrypts App-Bound encrypted keys stored in Chrome’s Local State file using Chrome’s internal COM-based IElevator service, Hagenah said. “The tool provides a way to retrieve and decrypt these keys, which Chrome protects via App-Bound Encryption to prevent unauthorized access to secure data like cookies (and potentially passwords and payment information in the future).”
Hagenah issued a warning alongside the code: This tool is intended for cybersecurity research and educational purposes. Ensure compliance with all relevant legal and ethical guidelines when using this tool.
A Google Chrome spokesperson said: “This code requires admin privileges, which shows that we’ve successfully elevated the amount of access required to successfully pull off this type of attack.”