Google Chrome Introduces 'App-Bound Encryption' To Protect Cookies From Malware

When browsing the web, cookies can be useful, because they can be used to save site preferences and browsing information for a more seamless experience.

But at the same time, cookies, which can store a lot of information about users, can also be used to track them. Malicious people can also steal cookies to get at users' data. Google wants to prevent this.

The company has what it calls Device Bound Session Credentials (DBSC), which it said can protect users against malware that steals cookies.

As Google explained, attackers typically pull authentication cookies from browsers on targets' devices and move them to remote servers. They then sell access to the compromised accounts.

DBSC is meant to significantly cut down on cookie theft in the first place.

Building on top of that, Google is introducing what it calls 'Application-Bound' encryption in Chrome 127.

The idea is to prevent infostealer malware from accessing critical user data, like cookies.

When present on a system, infostealers often run with increased privileges, with access similar to that of a logged-in user. This allows the malware to access sensitive information that the user has the right to access.

With the change in Chrome 127, this method no longer works because the data is encrypted through the app-bound encryption method, which ties the ability to decrypt it to the app, rather than the user.

"In Chrome 127 we are introducing a new protection on Windows that improves on the DPAPI by providing Application-Bound (App-Bound) Encryption primitives. Rather than allowing any app running as the logged in user to access this data, Chrome can now encrypt data tied to app identity, similar to how the Keychain operates on macOS," Will Harris of the Chrome security team said in a blog post.

"App-Bound Encryption relies on a privileged service to verify the identity of the requesting application. During encryption, the App-Bound Encryption service encodes the app's identity into the encrypted data, and then verifies this is valid when decryption is attempted. If another app on the system tries to decrypt the same data, it will fail."

Initially, the change only applies to cookies in Chrome 127.

Google, however, plans to extend it in later versions to other sensitive data, like passwords, payment data, and other information.

'Application-Bound' encryption

Even just the protection of cookies in this way is a major step forward for Chrome and a win for users. Cookie theft is a very common problem and a serious risk for users. Right now, Chrome on Windows uses the Windows data protection API to protect sensitive data at rest, but malicious apps running with the user’s privileges can still get to that information.

“Because the App-Bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app. Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn't be doing. This makes their actions more suspicious to antivirus software – and more likely to be detected,” Harris said.

It's worth noting that the method uses an encryption key that is also bound to the specific machine, meaning that even if hackers manage to steal the key, that stolen key cannot be used in other places.
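Harris's point that injecting code into Chrome makes malware easier to spot can be turned into a simple detection rule. The following is an added example, not code from Google or from the original article: a Python filter over Sysmon-style process events that flags anything other than Chrome itself creating a remote thread in chrome.exe or opening it with injection-capable access rights. The install path, the allowlist and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumed default Chrome install path; adjust for your fleet.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
TRUSTED_SOURCES = {CHROME.lower()}

# Windows process access rights that make code injection possible.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def suspicious(event):
    """Return a reason if the event looks like injection into Chrome, else None."""
    target_is_chrome = ntpath.basename(event["TargetImage"]).lower() == "chrome.exe"
    # Match the source on its full path, so a chrome.exe dropped elsewhere is not trusted.
    if not target_is_chrome or event["SourceImage"].lower() in TRUSTED_SOURCES:
        return None
    if event["EventID"] == 8:  # Sysmon: CreateRemoteThread
        return "remote thread created in chrome.exe"
    if event["EventID"] == 10:  # Sysmon: ProcessAccess
        risky = int(event["GrantedAccess"], 16) & INJECTION_RIGHTS
        if risky:
            return "chrome.exe opened with injection-capable rights 0x%02x" % risky
    return None


def flag(events):
    """Return (index, source image, reason) for every suspicious event."""
    hits = []
    for i, ev in enumerate(events):
        reason = suspicious(ev)
        if reason:
            hits.append((i, ev["SourceImage"], reason))
    return hits


# Constructed sample events (not real telemetry), reduced to the fields used above.
EVENTS = [
    {"EventID": 10, "SourceImage": CHROME, "TargetImage": CHROME, "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x1410"},  # query + read only
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x143a"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\chrome.exe",
     "TargetImage": CHROME},
]

if __name__ == "__main__":
    for hit in flag(EVENTS):
        print(hit)
```

In a real deployment the allowlist would also need entries for security products and other software that legitimately open browser processes.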

Published: 30/07/2024