Google has announced that it is adding a new layer of protection called app-bound encryption to its Chrome browser to prevent information-stealing malware from obtaining cookies on Windows systems.
“On Windows, Chrome uses the Data Protection API (DPAPI) to protect stored data from other users on the system and from cold boot attacks,” says Will Harris of the Chrome security team. “However, DPAPI does not protect data from malicious applications that can execute code as the logged-in user, which is what information thieves exploit.”
App-bound encryption goes beyond DPAPI by relying on a privileged service: when data is encrypted, the service encodes the identity of the requesting app (Chrome in this case) into the encrypted data, and when decryption is attempted it verifies that identity, so that another app running as the same user cannot decrypt the data.
“Because app-bound services run with system privileges, an attacker can’t just convince a user to run a malicious app,” Harris said. “Currently, malware needs to gain system privileges or inject code into Chrome, which is something legitimate software shouldn’t do.”
Because this method strongly binds the encryption key to the machine, it will not work correctly in environments where Chrome profiles roam across multiple machines. Google recommends that organizations supporting roaming profiles follow best practices and configure the ApplicationBoundEncryptionEnabled policy accordingly.
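The following is an added example for administrators of roaming-profile fleets, not code from Google or the article. It assumes that the ApplicationBoundEncryptionEnabled policy is delivered, like other Chrome machine policies, as a REG_DWORD under HKLM\Software\Policies\Google\Chrome (1 = enabled, 0 = disabled); the function names are mine.

```powershell
# Added example (not Google's code): inspect and set the Chrome
# ApplicationBoundEncryptionEnabled machine policy on Windows.
# Assumption: the policy is read from the standard Chrome policy registry key
# HKLM\Software\Policies\Google\Chrome as a REG_DWORD (1 = enabled, 0 = disabled).
$PolicyKey  = 'HKLM:\Software\Policies\Google\Chrome'
$PolicyName = 'ApplicationBoundEncryptionEnabled'

function Get-ChromeAppBoundEncryptionPolicy {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured'. NotConfigured is the
    # default, under which Chrome 127+ applies app-bound encryption to cookies.
    $value = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $value) { return 'NotConfigured' }
    if ([int]$value.$PolicyName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Set-ChromeAppBoundEncryptionPolicy {
    param([Parameter(Mandatory)][bool]$Enabled)
    # Writing under HKLM\Software\Policies requires an elevated shell.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated PowerShell session.'
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
}

# Usage: report the current state. Only for machines whose Chrome profiles
# roam (and therefore cannot decrypt cookies bound to another machine) would
# you run the second line; it is commented out so the script is read-only.
"Current policy state: $(Get-ChromeAppBoundEncryptionPolicy)"
# Set-ChromeAppBoundEncryptionPolicy -Enabled $false
```

Treat disabling the policy as a deliberate trade-off rather than a convenience: with app-bound encryption off, cookies fall back to the DPAPI-only protection described above, which any process running as the logged-in user can decrypt.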
The change took effect with the release of Chrome 127 last week and, for now, applies only to cookies; Google says it plans to extend the protection to passwords, payment data, and other persistent authentication tokens.
In April, the tech giant outlined a technique to reliably detect access to browser cookies and credentials from another application on the system, using a Windows event log type called DPAPIDefInformationEvent.
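The detection Google described can be turned into a simple hunt. The block below is an added example, not Google's code or tooling. It assumes, from my reading of that April post (verify on your own Windows build), that DPAPIDefInformationEvent records land in the Microsoft-Windows-Crypto-DPAPI/Debug analytic log, which is disabled by default; that an unprotect call carries OperationType SPCryptUnprotect, a DataDescription that Chrome sets to "Google Chrome", and the caller's PID in CallerProcessID; the function names are mine.

```powershell
# Added example (not Google's code): surface non-Chrome processes that
# decrypt Chrome's DPAPI-protected data via DPAPIDefInformationEvent.
# Assumptions (from my reading of Google's April post; verify locally):
#   - events are written to the 'Microsoft-Windows-Crypto-DPAPI/Debug' log
#   - an unprotect call has OperationType 'SPCryptUnprotect'
#   - Chrome's blobs carry DataDescription 'Google Chrome'
#   - the calling process ID is in CallerProcessID
$DpapiLog = 'Microsoft-Windows-Crypto-DPAPI/Debug'

function Enable-DpapiDebugLog {
    # Analytic/debug logs record nothing until enabled (needs an elevated shell).
    & wevtutil.exe set-log $DpapiLog /enabled:true /quiet:true
}

function Get-ChromeDpapiUnprotectCallers {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    # -Oldest is mandatory when Get-WinEvent reads an analytic/debug log.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $DpapiLog; StartTime = $Since } `
        -Oldest -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the named EventData fields from the XML payload instead of the
        # rendered Message string, which depends on the installed manifest.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['OperationType']   -ne 'SPCryptUnprotect') { continue }
        if ($data['DataDescription'] -ne 'Google Chrome')    { continue }

        $callerPid = [int]$data['CallerProcessID']
        # Resolve the caller while it is still running. A stealer that exits
        # quickly leaves only the PID; correlate that PID (and the event's
        # CallerProcessCreationTime, if present) with process-creation logs.
        $proc  = Get-Process -Id $callerPid -ErrorAction SilentlyContinue
        $image = if ($proc -and $proc.Path) { $proc.Path } else { '<exited>' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            CallerPid   = $callerPid
            CallerImage = $image
            Suspicious  = -not ($proc -and $proc.ProcessName -ieq 'chrome')
        }
    }
}

# Usage: run Enable-DpapiDebugLog once, then review periodically.
Get-ChromeDpapiUnprotectCallers | Where-Object Suspicious | Format-Table -AutoSize
```

Two caveats a practitioner will want: a caller that has already exited is reported as suspicious by default, so pair this with process-creation auditing (Sysmon or event 4688) before acting on a hit; and an attacker who injects code into chrome.exe, the route L4's quote says malware must now take, will appear as Chrome in this view, which is exactly why the app-bound service's own identity check matters beyond logging.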
Of note, web browsers protect passwords and cookies on Apple macOS and Linux systems using the Keychain service and system-provided wallets such as kwallet and gnome-libsecret, respectively.
The development comes as part of a series of security improvements added to Chrome in recent months, including enhanced Safe Browsing, Device-bound Session Credentials (DBSC), and automatic scanning of suspicious and potentially malicious files when downloading them.
“App-bound encryption increases the cost of data theft for attackers and makes their actions much more visible on a system,” Harris said. “It allows defenders to draw clear lines about acceptable behavior for other apps on a system.”
This also comes after Google announced that it has no plans to phase out third-party cookies in Chrome, with the World Wide Web Consortium (W3C) reiterating that third-party cookies enable tracking and that this decision will undermine the progress made to date in making the web work without them.
“Tracking and the subsequent data collection and mediation can aid in the micro-targeting of political messages, with potentially harmful social impacts,” the W3C said. “Unfortunately, the withdrawal will have secondary consequences, potentially delaying efforts to create an effective cross-browser alternative to third-party cookies.”