A researcher has released a tool to bypass Google’s new App-Bound encryption cookie-theft defenses and extract saved credentials from the Chrome web browser.
The tool, named ‘Chrome-App-Bound-Encryption-Decryption,’ was released by cybersecurity researcher Alexander Hagenah after he noticed that others were already figuring out similar bypasses.
Although the tool achieves what multiple infostealer operations have already added to their malware, its public availability raises the risk for Chrome users who continue to store sensitive data in their browsers.
Google’s app-bound encryption problems
Google introduced Application-Bound (App-Bound) encryption in July (Chrome 127) as a new protection mechanism that encrypts cookies using a Windows service that runs with SYSTEM privileges.
The goal was to protect sensitive information from infostealer malware, which runs with the permissions of the logged user, making it impossible for it to decrypt stolen cookies without first gaining SYSTEM privileges and potentially raising alarms in security software.
“Because the App-Bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app,” explained Google in July.
“Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn’t be doing.”
However, by September, multiple information stealers had found ways to bypass the new security feature and provide their cybercriminal customers the ability to once again steal and decrypt sensitive information from Google Chrome.
Google told BleepingComputer then that the “cat and mouse” game between info-stealer developers and its engineers was always expected and that they never assumed that their defense mechanisms would be bulletproof.
Instead, with the introduction of App-Bound encryption, they hoped they would finally lay the ground for gradually building a more sound system. Below is Google’s response from the time:
“We are aware of the disruption that this new defense has caused to the infostealer landscape and, as we stated in the blog, we expect this protection to cause a shift in attacker behavior to more observable techniques such as injection or memory scraping. This matches the new behavior we have seen.
We continue to work with OS and AV vendors to try and more reliably detect these new types of attacks, as well as continuing to iterate on hardening defenses to improve protection against infostealers for our users.” – A Google spokesperson
Bypass now publicly available
Yesterday, Hagenah made his App-Bound encryption bypass tool available on GitHub, sharing source code that allows anyone to learn from and compile the tool.
“This tool decrypts App-Bound encrypted keys stored in Chrome’s Local State file, using Chrome’s internal COM-based IElevator service,” reads the project description.
“The tool provides a way to retrieve and decrypt these keys, which Chrome protects via App-Bound Encryption (ABE) to prevent unauthorized access to secure data like cookies (and potentially passwords and payment information in the future).”
To use the tool, users must copy the executable into the Google Chrome directory usually located at C:Program FilesGoogleChromeApplication. This folder is protected, so users must first gain administrator privileges to copy the executable to that folder.
However, this is commonly easy to achieve as many Windows users, especially consumers, use accounts that have administrative privileges.
In terms of its actual impact on Chrome security, researcher g0njxa told BleepingComputer that Hagenah’s tool demonstrates a basic method that most infostealers have now surpassed to steal cookies from all versions of Google Chrome.
eSentire malware analyst Russian Panda also confirmed to BleepingComputer that Hagenah’s method looks similar to the early bypassing approaches infostealers took when Google first implemented App-Bound encryption in Chrome.
“Lumma used this method – instantiating the Chrome IElevator interface through COM to access Chrome’s Elevation Service to decrypt the cookies, but this can be quite noisy and easy to detect,” Russian Panda told BleepingComputer.
“Now, they are using indirect decryption without directly interacting with Chrome’s Elevation Service”.
However, g0njxa commented that Google has still not caught up, so user secrets stored in Chrome can be easily stolen using the new tool.
In response to the release of this tool, Google shared the following statement with BleepingComputer:
“This code [xaitax’s] requires admin privileges, which shows that we’ve successfully elevated the amount of access required to successfully pull off this type of attack,” Google told BleepingComputer.
While it is true admin privileges are required, it does not seem to have impacted information-stealing malware operations, which have only increased over the past six months, targeting users through zero-day vulnerabilities, fake fixes to GitHub issues, and even answers on StackOverflow.
Source: www.bleepingcomputer.com