Enhancing the protection of Chrome cookies on Windows

Author: Will Harris, Chrome Security Team

Improving the security of Chrome cookies on Windows

The threat posed by cybercriminals utilizing infostealer malware to steal cookies continues to jeopardize the security of our users. Our ongoing efforts in this area include leveraging Safe Browsing for Chrome’s download protection, implementing Device Bound Session Credentials, and utilizing Google’s account-based threat detection to identify stolen cookies. Today, we are introducing an additional security layer to enhance the safety of Windows users against such malware threats.

Like other applications that require safeguarding sensitive information, Chrome currently employs robust security measures for data such as cookies and passwords based on the best available methods provided by the operating system. On macOS, this is achieved through the Keychain services, while on Linux, we utilize system-provided wallets like kwallet or gnome-libsecret. However, on Windows, Chrome relies on the Data Protection API (DPAPI) to protect data at rest from unauthorized access. Nevertheless, the DPAPI does not defend against malicious applications that are capable of executing code as the logged-in user – a vulnerability that infostealers exploit.

With Chrome 127, we are introducing an enhanced protection mechanism on Windows which surpasses the DPAPI by offering Application-Bound (App-Bound) Encryption primitives. Instead of granting any application running as the current user access to this data, Chrome can now encrypt data associated with the application’s identity, similar to the functionality of Keychain on macOS.

We will be transitioning each category of sensitive information to this new system, commencing with cookies in Chrome 127. Subsequent releases will extend this protection to passwords, payment details, and other persistent user authentication tokens, thereby providing enhanced security against infostealer malware.

Operational Process

App-Bound Encryption relies on a privileged service to validate the legitimacy of the requesting application. During encryption, the App-Bound Encryption service embeds the application’s identity in the encrypted data and verifies its authenticity during decryption. Any other application attempting to decrypt the same data on the system will encounter failure.

Given that the App-Bound service operates with system privileges, attackers must go beyond enticing users to execute malicious applications. Now, malware must acquire system privileges or inject code into Chrome, actions that legitimate software should not typically perform. This tactic raises suspicion levels for antivirus software, thereby increasing the likelihood of detection. This protection works alongside recent measures such as offering event logs for cookie decryption, intensifying the challenges and risks faced by attackers attempting to steal user data.

Considerations for Organizations

Given that malware can circumvent this protection by executing in elevated mode, enterprises that restrict users’ ability to launch downloaded files as Administrators stand to benefit significantly from this safeguard. In these environments, malware cannot easily escalate privileges and must resort to techniques such as injection, which endpoint agents can detect.

App-Bound Encryption firmly associates the encryption key with the device, meaning it cannot function correctly in scenarios where Chrome profiles move across multiple machines. We recommend that organizations looking to support roaming profiles adhere to established best practices. If necessary, App-Bound Encryption can be enabled using the new ApplicationBoundEncryptionEnabled policy.

To facilitate the detection of any operational inconsistencies, Chrome generates an event log when a verification failure occurs. This event is identified as ID 257 from the ‘Chrome’ source within the Application log.
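The following PowerShell script is an added example for administrators and is not code from the Chrome team or this post. It hunts the Application log for the event ID 257 / source ‘Chrome’ failures described above, flags bursts that look less like a roaming-profile mismatch and more like another process repeatedly failing verification, and reports whether the ApplicationBoundEncryptionEnabled policy is set; the registry path HKLM:\SOFTWARE\Policies\Google\Chrome is assumed to be where Chrome reads Windows policies.

```powershell
# Added example: look for App-Bound Encryption verification failures
# (event ID 257, source 'Chrome', Application log) on the local host.
$Hours = 24

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Chrome'
    Id           = 257
    StartTime    = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent throws when nothing matches; treat that as "no events".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No Chrome event 257 (App-Bound verification failure) in the last $Hours hours."
}
else {
    # List every failure in time order.
    $events |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName, Message |
        Format-Table -AutoSize -Wrap

    # A single failure after a profile copy is expected; many failures inside one
    # minute are more consistent with a process repeatedly attempting decryption.
    $burst = $events |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm') } |
        Where-Object Count -ge 5
    if ($burst) {
        Write-Warning "Bursts of verification failures (>=5 per minute):"
        $burst | Select-Object Name, Count | Format-Table -AutoSize
    }
}

# Report the policy state. Assumed policy location: HKLM:\SOFTWARE\Policies\Google\Chrome.
# An absent value means the policy is not overridden and Chrome's default applies.
$policyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$policy = Get-ItemProperty -Path $policyKey -Name 'ApplicationBoundEncryptionEnabled' -ErrorAction SilentlyContinue
if ($policy) {
    Write-Output "ApplicationBoundEncryptionEnabled policy = $($policy.ApplicationBoundEncryptionEnabled)"
}
else {
    Write-Output "ApplicationBoundEncryptionEnabled policy not set (Chrome default in effect)."
}
```

Run it with an account that can read the Application log; the burst threshold is a starting point to tune against your own baseline, not a documented Chrome value.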

Final Thoughts

App-Bound Encryption elevates the complexity of data theft for attackers and amplifies the visibility of their actions within the system. It assists in delineating acceptable behavior for other applications on the platform. As the landscape of malware evolves continuously, we remain committed to collaborating with the security community to enhance detection capabilities and fortify operating system defenses through robust app isolation mechanisms to mitigate potential circumventions.
