New tool bypasses Google Chrome’s new cookie encryption system
Farah Amod Nov 6, 2024 6:27:34 AM
A new tool has been released that can bypass Google Chrome’s latest cookie encryption, sparking concerns over the security of user data stored in the browser.
What happened
Google introduced App-Bound encryption in July 2024 to improve Chrome's cookie security by requiring SYSTEM-level privileges for decryption, making it harder for malware to access sensitive information. The tool, created by researcher Alexander Hagenah, exploits Chrome's IElevator service, allowing users to retrieve encrypted cookie data, bypassing Google’s new defense.
Despite Google's security update, Hagenah’s tool, now publicly available on GitHub, enables unauthorized decryption, posing a heightened risk for users who store personal credentials in Chrome. Within months of App-Bound encryption’s release, cybercriminals had adapted, with malware programs finding ways to sidestep Chrome’s security.
Going deeper
App-Bound encryption was Google’s response to increasingly sophisticated malware targeting browser-stored data. It is designed to prevent malware with standard user permissions from accessing encrypted cookies by relying on a Windows service running with SYSTEM privileges. Yet cybercriminals have kept pace, quickly developing workarounds. The release of Hagenah's tool shows how attackers adapt to updated security measures, with his tool mirroring methods used in established malware but now available for widespread use.
How it works
The tool works through a few straightforward steps:
- Installation: The executable file must be placed in Chrome’s installation directory (usually located in C:\Program Files\Google\Chrome\Application).
- Privileges: It requires administrator privileges, making it relatively easy for attackers to execute if users have admin access.
- Decryption: Once in place, it accesses and decrypts App-Bound encrypted keys within Chrome’s Local State file.
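The placement and privilege requirements in the steps above give defenders something to watch for. The following is an added example, not code from the article or from the tool: a triage pass over Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records that flags executables written to or run from Chrome's application directory under a name Chrome does not ship. The allowlist of names, the sample events and the file name `tool.exe` are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Default install directory named in the article, lowercased for comparison.
CHROME_DIR = PureWindowsPath(r"c:\program files\google\chrome\application")

# Assumption: executable names shipped by a stock Chrome install. Confirm
# against a clean install of the version you deploy before relying on it.
EXPECTED = {"chrome.exe", "chrome_proxy.exe", "chrome_pwa_launcher.exe",
            "elevation_service.exe", "notification_helper.exe",
            "setup.exe", "chrmstp.exe"}

def unexpected_chrome_exe(path):
    """True if path is an .exe under the Chrome directory with an unknown name."""
    p = PureWindowsPath(path.lower())
    return CHROME_DIR in p.parents and p.suffix == ".exe" and p.name not in EXPECTED

def triage(events):
    """Return (event_id, path, reason) for each event worth an analyst's look."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 11 and unexpected_chrome_exe(ev["TargetFilename"]):
            alerts.append((11, ev["TargetFilename"], "unexpected exe written"))
        elif ev["EventID"] == 1 and unexpected_chrome_exe(ev["Image"]):
            reason = "unexpected exe executed"
            if ev.get("IntegrityLevel") in ("High", "System"):
                reason += " elevated"  # matches the admin requirement above
            alerts.append((1, ev["Image"], reason))
    return alerts

# Constructed sample events (Sysmon-style field names); not real telemetry.
APP = "C:\\Program Files\\Google\\Chrome\\Application\\"
SAMPLE = [
    {"EventID": 1, "Image": APP + "chrome.exe", "IntegrityLevel": "Medium"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": APP + "tool.exe"},
    {"EventID": 1, "Image": APP.lower() + "TOOL.EXE", "IntegrityLevel": "High"},
    {"EventID": 1, "Image": r"C:\Users\a\Downloads\tool.exe",
     "IntegrityLevel": "High"},
    {"EventID": 11, "Image": APP + "1.2.3.4\\Installer\\setup.exe",
     "TargetFilename": APP + "1.2.3.4\\elevation_service.exe"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```

A name allowlist does not catch a replaced or renamed binary, so pair it with a publisher-signature check on anything found in that directory.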
What was said
Google acknowledged the challenge, with a spokesperson noting that App-Bound encryption was designed to disrupt malware's access to browser data. "We anticipated a cat-and-mouse dynamic with attackers," the spokesperson said, adding that Google expects attackers to pivot to tactics like injection and memory scraping.
Why it matters
The release of this tool shows just how quickly attackers can find ways around new security measures, posing a real risk for millions of Chrome users who store sensitive information like passwords and financial data in their browsers. Google’s App-Bound encryption is intended to protect user data from unauthorized access, but this workaround shows that attackers can still slip through, putting individuals and organizations at risk. As more people rely on browsers for convenience, it’s a reminder to stay cautious and consider added security measures, like two-factor authentication and password managers, for extra protection.
FAQs
What data is at risk if this tool is used?
Any data stored in Chrome’s cookies, such as saved login credentials and personal information, can be decrypted and accessed if this tool is used on a vulnerable system.
How can users protect themselves from this vulnerability?
To mitigate risk, users should regularly update Chrome, restrict admin access on their devices, and avoid storing sensitive information in the browser. Using password managers and enabling multi-factor authentication wherever possible also adds extra layers of security.
Why can’t Google fully prevent these kinds of attacks?
Security measures must keep changing as attackers develop new tactics. Even with Google’s encryption improvements, cybercriminals constantly innovate, making it difficult to create a fully impenetrable system. Google continues to work on additional security layers to stay ahead in this ongoing cycle.