Google Chrome Introduces App-Bound Encryption to Safeguard Cookies from Malicious Software

Aug 01, 2024Ravie LakshmananData Encryption / Browser Security

Google has introduced a new safeguard for its Chrome browser, which it calls app-bound encryption, to thwart cookie theft by malicious software on Windows operating systems.


“Chrome on Windows leverages the Data Protection API (DPAPI) to safeguard stored data from unauthorized access or cold boot hacks,” stated Will Harris from the Chrome security team in a recent blog post. “However, DPAPI doesn’t defend against rogue apps that have the ability to execute code as the logged-in user – a vulnerability exploited by data thieves.”

App-bound encryption represents a step forward from DPAPI by integrating an application’s identity (e.g., Chrome) into encrypted data to prevent other applications on the system from gaining access during decryption attempts.


“Since the app-bound service operates with system privileges, attackers need more than just convincing a user to run a malicious app,” Harris elaborated. “Now, malware must escalate to system privileges or inject code into Chrome, activities that are abnormal for legitimate software.”
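A simplified model of the design described above, added here as an illustration and not Chrome's own code: an elevated service holds the system key, derives a per-application key from the caller's identity as reported by the operating system (not as claimed by the caller), and binds every sealed blob to that identity. The process table, pids, paths and the HMAC-based stream cipher are constructed stand-ins; real DPAPI and Chrome use different primitives.

```python
import hashlib
import hmac
import os

# Constructed: the key held only by the SYSTEM-level service. A user-level
# process never sees it, so it must escalate to SYSTEM to derive app keys.
SYSTEM_KEY = os.urandom(32)

# Constructed stand-in for the OS process table the service consults.
PROCESS_TABLE = {
    4242: r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    5150: r"C:\Users\alice\Downloads\stealer.exe",
}


def _caller_identity(pid: int) -> str:
    """Identity comes from the OS, so a caller cannot simply claim to be Chrome."""
    return PROCESS_TABLE[pid]


def _app_key(app_identity: str) -> bytes:
    """Per-app key: the app identity is mixed into the key derivation."""
    return hmac.new(SYSTEM_KEY, b"app-bound:" + app_identity.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256 (illustrative, not a production cipher)."""
    blocks = (n + 31) // 32
    out = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range(blocks))
    return out[:n]


def seal(caller_pid: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the caller's app-bound key; returns nonce||ct||tag."""
    key = _app_key(_caller_identity(caller_pid))
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(caller_pid: int, blob: bytes) -> bytes:
    """Decrypt only if the caller's OS-reported identity matches the sealing app."""
    key = _app_key(_caller_identity(caller_pid))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # A different app (e.g. an infostealer running as the same user) derives
        # a different key, so the tag fails; it would need SYSTEM or Chrome injection.
        raise PermissionError("caller is not the application this data is bound to")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
```

The two paths the text describes remain the only ones that succeed: obtaining SYSTEM_KEY (privilege escalation) or running inside the Chrome process (code injection), both of which are anomalous for legitimate software and therefore detectable.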

Because the encryption key is tied to the device, the feature may cause compatibility problems where Chrome profiles roam between machines. Organizations that support profile roaming are advised to follow the recommended practices and activate the ApplicationBoundEncryptionEnabled policy.

The update, implemented last week with Chrome version 127, is currently limited to cookies, with Google expressing its intent to extend this protection to passwords, payment data, and other persistent forms of authentication tokens.

Earlier this year, the tech giant detailed a method utilizing a Windows event logging mechanism named DPAPIDefInformationEvent to effectively identify unauthorized access to browser cookies and credentials by external applications.

Notably, on Apple macOS and Linux, Chrome's password and cookie protection relies on Keychain services and on system-provided wallets such as kwallet and gnome-libsecret, respectively.

These enhancements to Chrome occur amidst a series of security upgrades introduced in recent months, which include enhanced Safe Browsing, Device Bound Session Credentials (DBSC), and automated file scans for potential threats during downloads.

“App-bound encryption raises the difficulty level for data theft and also creates noticeable disturbances on the system,” highlighted Harris. “This approach enables defenders to clearly identify acceptable behaviors for other applications on the system.”

It also follows Google’s recent decision to maintain support for third-party cookies in Chrome, a move that has drawn criticism from the World Wide Web Consortium (W3C). The W3C emphasized the role of third-party cookies in tracking and highlighted concerns about the setback it poses to achieving a cookie-free web environment.

“Tracking and subsequent data gathering can fuel targeted delivery of political messages, leading to adverse societal impacts,” read a statement by W3C. “This reversal is likely to delay collaborative efforts across browsers to establish effective alternatives to third-party cookies.”
