Google introduced Application-Bound (App-Bound) encryption in July (Chrome 127) as a new protection mechanism that encrypts cookies using a Windows service that runs with SYSTEM privileges.
The goal was to protect sensitive information from infostealer malware, which runs with the permissions of the logged user, making it impossible for it to decrypt stolen cookies without first gaining SYSTEM privileges and potentially raising alarms in security software.
“Because the App-Bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app,” explained Google in July.
“Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn’t be doing.”
However, by September, multiple information stealers had found ways to bypass the new security feature and provide their cybercriminal customers the ability to once again steal and decrypt sensitive information from Google Chrome.
Google responded by saying that it was expected, and added that it was happy the changed forced a shift in attacker behavior.
“This matches the new behavior we have seen. We continue to work with OS and AV vendors to try and more reliably detect these new types of attacks, as well as continuing to iterate on hardening defenses to improve protection against infostealers for our users.”
Now, security researcher Alexander Hagenah built and shared a tool on GitHub he called ‘Chrome-App-Bound-Encryption-Decryption’ which does the same as these infostealers, BleepingComputer reports.
“This tool decrypts App-Bound encrypted keys stored in Chrome’s Local State file, using Chrome’s internal COM-based IElevator service,” the project page reads. “The tool provides a way to retrieve and decrypt these keys, which Chrome protects via App-Bound Encryption (ABE) to prevent unauthorized access to secure data like cookies (and potentially passwords and payment information in the future).”
Commenting on all of the above, Google essentially said it was satisfied, since crooks now need higher privileges to pull off the attacks:
“This code [xaitax’s] requires admin privileges, which shows that we’ve successfully elevated the amount of access required to successfully pull off this type of attack,” Google said.