Update, Oct. 31, 2024: This story, originally published Oct. 29, has been updated with news of the takedown of the RedLine infostealer operation impacting Google Chrome browser users.
Protection against cookie theft was introduced with Google Chrome 127 to help defeat credential-stealing and 2FA-bypassing malware, but it has now been broken by a newly released hacking tool.
Google Chrome Application Bound Encryption
Cybercriminals who wish to do you harm like to deploy infostealer malware to gain access to accounts that can open the door to sensitive data, including passwords and banking details. Stealing cookies, especially session cookies, is one very popular way to accomplish this, because a stolen session cookie lets the attacker effectively bypass your 2FA protections: as far as your apps, devices and the service itself are concerned, they are already logged into the account.
This has not gone unnoticed by those who would protect us from such harm, including the Google Chrome security team. “Cybercriminals using cookie theft infostealer malware continue to pose a risk to the safety and security of our users,” Will Harris of that team confirmed in July, adding that several security protections were already in place, such as Safe Browsing, device bound session credentials and Google’s account-based threat detection feature. With the arrival of Google Chrome 127 for Windows, an additional layer of protection was added: “Chrome can now encrypt data tied to app identity, similar to how the Keychain operates on macOS,” Harris said. This is meant to prevent any app running as the logged-in user from gaining access to “secrets” such as cookies.
This protection started with cookies in Google Chrome 127 but, as Harris stated at the time, is intended to expand to provide protection for “passwords, payment data, and other persistent authentication tokens.” All of which is very good news indeed. Or it was until the cybercriminals worked out how to bypass such protections.
The Google Chrome App Bound Encryption Decryption Bypass Tool
As reported by Bleeping Computer, the protections were being broken as early as September by “multiple information stealers,” enabling them to “steal and decrypt sensitive information from Google Chrome.”
A security researcher by the name of Alex Hagenah, who uses the handle xaitax online, decided that because so many threat actors had seemingly bypassed the Google Chrome cookie protections, the time was right to release a tool that does the same thing, along with the full source code to enable defenders to learn from it. The tool, Chrome App-Bound Encryption Decryption, does exactly what it says on the tin: it decrypts App-Bound encrypted keys stored in Chrome’s Local State file using Chrome’s internal COM-based IElevator service, Hagenah said. “The tool provides a way to retrieve and decrypt these keys, which Chrome protects via App-Bound Encryption to prevent unauthorized access to secure data like cookies (and potentially passwords and payment information in the future).”
Hagenah issued a warning alongside the code: “This tool is intended for cybersecurity research and educational purposes. Ensure compliance with all relevant legal and ethical guidelines when using this tool.”
A Google Chrome spokesperson said: “This code requires admin privileges, which shows that we’ve successfully elevated the amount of access required to successfully pull off this type of attack.”
Law Enforcement Takes Down Google Chrome Credential-Stealing Operation
It’s not been all bad news for Google Chrome users; in fact, there are at least two reasons to be cheerful when it comes to matters of security. The first was the takedown, as part of a joint operation by the European Union Agency for Criminal Justice Cooperation (Eurojust) and the Federal Bureau of Investigation, of the command and control infrastructure behind the RedLine infostealer malware threat. Eurojust called RedLine “one of the largest malware platforms globally,” and the impact of this operation should, therefore, not be underestimated. “Three servers were taken down in the Netherlands, two domains were seized, charges were unsealed in the United States and two people were taken into custody in Belgium,” a Eurojust spokesperson said.
According to security experts from threat intelligence company Intel471, RedLine can collect any data stored in a web browser, including login credentials. Of particular interest given the nature of the tool released by Hagenah, RedLine can also grab cookies, including session cookies, allowing an attacker to bypass 2FA protections and access accounts over a period of time. “Cryptocurrency accounts were also targeted,” Intel471 said, “with RedLine capable of stealing access tokens that could be used to replicate a wallet, including from Google Chrome extensions that handle cryptocurrency.” Threat actors using RedLine had heaped praise upon the malware for being able to circumvent Google Chrome’s password and cookie encryption mechanisms.