Cookie theft security protection was introduced with Google Chrome 127 to help prevent credential-stealing malware and 2FA bypassing, but now it’s been broken by a newly released hacking tool.
Encryption associated with the Google Chrome application
Cybercriminals commonly use info-stealing malware to gain access to accounts that open the door to sensitive data, including passwords and bank details. Stealing cookies, especially session cookies, is a very popular way to achieve this: with a valid session cookie in hand, the attacker is effectively already logged into the account, so your 2FA protection never comes into play, at least as far as your applications and devices are concerned.
This has not gone unnoticed by those who would protect us from such harm, including the Google Chrome security team. “Cybercriminals using cookie-stealing file-stealing malware continue to pose a risk to the safety and security of our users,” confirmed that team’s Will Harris in July, adding that some security protections were already in place, such as Safe Browsing, device-bound session credentials, and Google Account-based threat detection. With the arrival of Google Chrome 127 for Windows, an extra layer of protection was added: “Chrome can now encrypt data associated with the app’s identity, similar to how Keychain works on macOS,” Harris said. This is intended to prevent any application running as the logged-in user from gaining access to “secrets” such as “cookies”.
This protection started with cookies in Google Chrome 127, but, as Harris said at the time, it is intended to be expanded to provide protection for “passwords, payment data and other persistent authentication arguments.” All this is very good news indeed. Or it was until cybercriminals worked out how to bypass such protections.
Decryption Bypass tool associated with Google Chrome app
As reported by Bleeping Computer, the defenses were being breached as early as September by “multiple information thieves,” enabling them to “steal and decrypt sensitive information from Google Chrome.”
A security researcher named Alex Hagenah, who goes by the web handle xaitax, decided that, given the number of threat actors who had seemingly bypassed Google Chrome’s cookie protection, it was time to release a tool which does the same thing, along with the full source code so that others could learn from it. The Chrome App-Bound Encryption Decryption tool does what it says on the tin: it decrypts App-Bound encrypted keys stored in Chrome’s Local State file using Chrome’s internal COM-based IElevator service, Hagenah said. “The tool provides a way to recover and decrypt these keys, which Chrome protects via App-Bound Encryption to prevent unauthorized access to secure data like cookies (and potentially passwords and payment information in the future).”
Hagenah issued a warning along with the code: “This tool is intended for cybersecurity research and educational purposes. Ensure compliance with all relevant legal and ethical guidelines when using this tool.”
A Google Chrome spokesperson said: “This code requires administrator privileges, which indicates that we have successfully increased the amount of access required to successfully carry out this type of attack.”