Google has announced that it is adding a new layer of protection to its Chrome browser through so-called application-bound encryption to prevent information-stealing malware from hijacking cookies on Windows systems.
“On Windows Chrome uses the Data Protection API (DPAPI) that protects data at rest from other system users or cold boot attacks.” — Will Harris of the Chrome Security Team said. “However, DPAPI does not protect against malware capable of executing code on behalf of a logged-in user, which is used by information thieves.”
Application-bound encryption is an improvement over DPAPI in that it weaves the identification data of the application (such as Chrome in this case) into the encrypted data to prevent another application on the system from accessing it when attempting to decrypt it.
“Because the service attached to the application runs with system privileges, attackers need to do more than just get the user to run the malicious application,” Harris said. “Malware now has to gain system privileges or inject code into Chrome, something legitimate software doesn’t have to do.”
Since this method tightly binds the encryption key to the machine, it will not work correctly in environments where Chrome profiles are moved between multiple machines. Organizations that support roaming profiles are encouraged to follow it Best practices and adjust ApplicationBoundEncryptionEnabled politicians.
A change that has come into effect last week with release Chrome 127 only applies to cookies, although Google has said it intends to extend this protection to passwords, payment data and other persistent authentication tokens.
Back in April, the technology giant outlined method that uses a Windows event log type called DPAPIDefInformationEvent to reliably detect access to browser cookies and credentials from another application on the system.
It should be noted that the web browser protects passwords and cookies on Apple macOS and Linux systems with Keychain services and system-provided wallets such as kwallet or gnome-libsecret respectively.
The development comes amid a number of security improvements added to Chrome in recent months, including advanced safe browsingBinding Session Credentials (DBSK), and automated scans when downloading potentially suspicious and malicious files.
“Encryption tied to the program increases the cost of data theft for attackers, and also makes their actions on the system much more noisy,” Harris said. “It helps advocates draw a clear line in the sand about acceptable behavior for other programs in the system.”
It is also Google compliant announcement that it no longer plans to deprecate third-party cookies in Chrome, prompting the World Wide Web Consortium (W3C) to reiterate that they allow tracking and that the decision undermines the progress made so far to make the web work without third-party cookies.
“Tracking and subsequent data collection and mediation can support micro-targeting of political messages, which can have a detrimental impact on society,” it said. said. “The unfortunate downward spiral will also have secondary effects, as it is likely to delay cross-browser work on effective alternatives to third-party cookies.”
