Tuesday, November 5, 2024

Google Chrome adds app-bound encryption to block infostealer malware

Must read

Google Chrome has added app-bound encryption for better cookie protection on Windows systems and improved defenses against information-stealing malware attacks.

As Chrome software engineer Will Harris explained in a blog post published today, Chrome currently uses the most robust techniques provided by each operating system to safeguard sensitive data such as cookies and passwords: Keychain services on macOS, kwallet or gnome-libsecret on Linux, and the Data Protection API (DPAPI) on Windows.

However, while DPAPI can protect data at rest from cold boot attacks or from other users on Windows systems, it does not protect against malicious tools or scripts designed to execute code as the logged-in user, which is something that infostealer malware exploits.

“In Chrome 127 we are introducing a new protection on Windows that improves on the DPAPI by providing Application-Bound (App-Bound) Encryption primitives,” said Harris.

“Rather than allowing any app running as the logged in user to access this data, Chrome can now encrypt data tied to app identity, similar to how the Keychain operates on macOS.”

Chrome’s App-Bound Encryption uses a new Windows service running under ‘SYSTEM’ privileges to confirm an app’s identity when it requests encryption. The service encodes the app’s identity into the encrypted data and ensures that only the intended app can decrypt it, causing other apps to fail when attempting to decrypt the data.

Since the service operates with system privileges, attackers would also need to gain system privileges or inject code into an app like Chrome, which is not a typical or legitimate action and makes it easier for antivirus software to detect when malware is used to steal data.

Google Chrome App-Bound Encryption
Google Chrome App-Bound Encryption (Google)

This improved protection capability will be expanded to passwords, payment data, and other persistent authentication tokens to better defend users’ sensitive data from infostealer malware attacks.

It also adds to other recent initiatives and features announced by Google to protect user data, such as Chrome’s download protection using Safe Browsing, Device Bound Session Credentials, and account-based threat detection to flag the use of stolen cookies.

“App-Bound Encryption increases the cost of data theft to attackers and also makes their actions far noisier on the system. It helps defenders draw a clear line in the sand for what is acceptable behavior for other apps on the system,” Harris added.

“As the malware landscape continually evolves we are keen to continue engaging with others in the security community on improving detections and strengthening operating system protections, such as stronger app isolation primitives, for any bypasses.”

Last week, Google also rolled out new Chrome warnings when downloading password-protected archives and implemented improved alerts with more information about potentially malicious downloaded files.


Latest article