The newest Chrome update, version 127, adds a security feature that protects sensitive data from malicious software. With this change, unauthorized access to information like cookies, passwords, and payment data is blocked. This is done by encrypting the data with a method linked to the app, not the user. Malware won’t be able to get to this information anymore because it’s encrypted, and only the specific app can decrypt it.
This upgrade involves App-Bound Encryption, which means only specific apps can access encrypted data instead of any app running as the logged-in user. The change is similar to how the Keychain operates on macOS, as Will Harris of the Chrome security team explains.
But what prompted this change? Let’s look at why the previous data encryption system needed a makeover.
Windows DPAPI Explained: Key Functions and Encoding Mechanisms
Right now on Windows, Chrome uses the Data Protection API (DPAPI) to protect data at rest. DPAPI lets applications encrypt and decrypt data without having to implement their own cryptography.
There are two main functions for keeping data safe:
1. CryptProtectData
2. CryptUnprotectData
CryptProtectData takes the data you want to keep safe and returns a blob containing that data in encrypted form. CryptUnprotectData takes the encrypted blob and returns the original, unencrypted data, provided the call succeeds.
On top of these, DPAPI also includes three other functions:
1. CryptProtectMemory
2. CryptUnprotectMemory
3. CryptUpdateProtectedState
CryptProtectMemory and CryptUnprotectMemory are meant to protect data while it is held in a process’s memory, so that sensitive data is not left unencrypted there.
DPAPI uses a password to keep data safe. However, it doesn’t protect against apps that can run code as the logged-in user. This leaves the data open to attacks that try to steal information.
Chrome 127 has a new way of keeping data safe that is better than DPAPI. It includes the identity of the app, such as Chrome, in the encrypted data. This makes it hard for other apps on the computer to decrypt the data.
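The difference between user-bound and app-bound protection can be shown with a small model. This is an added example, not Chrome's or Windows' code: the secrets, the toy HMAC-based cipher, the function names and the `caller` strings are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for key material (not real DPAPI or Chrome internals).
USER_SECRET = b"constructed-user-logon-secret"     # usable by any code running as the user
SYSTEM_SECRET = b"constructed-system-service-key"  # held only by the privileged service

def keystream(key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, b"ks" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def seal(key, plaintext):
    """Toy encrypt-then-MAC built from HMAC-SHA256; illustration only."""
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + tag + body

def unseal(key, blob):
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob was not sealed with this key or was modified")
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))

def user_bound_protect(data):
    return seal(USER_SECRET, data)

def user_bound_unprotect(blob, caller):
    # The caller's identity plays no part: any process of the same user succeeds.
    return unseal(USER_SECRET, blob)

def app_bound_protect(data, caller):
    # `caller` is the identity the privileged service itself verified for the requester.
    ident = caller.encode()
    return seal(SYSTEM_SECRET, len(ident).to_bytes(2, "big") + ident + data)

def app_bound_unprotect(blob, caller):
    inner = unseal(SYSTEM_SECRET, blob)
    n = int.from_bytes(inner[:2], "big")
    ident, data = inner[2:2 + n], inner[2 + n:]
    if not hmac.compare_digest(ident, caller.encode()):
        raise PermissionError("caller does not match the app identity bound into the blob")
    return data
```

In the user-bound case the `caller` argument is ignored, which is exactly the weakness the article describes; in the app-bound case the identity check happens inside the privileged service, so code running as the user cannot skip it.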
Chrome’s New Security Features Aim to Prevent Cookie-Based Account Takeovers
Google has improved the security of sensitive data handled by Chrome for Windows users to combat infostealer malware that targets cookies. When a cybercriminal gains access to a user’s session cookies, they can exploit them to take over those sessions, log into unauthorized accounts, and do anything the legitimate user could, including selling the account on the black market.
Ideally, these cookies should expire after a short period, limiting the window of opportunity for account hijacking. However, that’s only sometimes the case. The Okta incident last year, involving the theft of HAR files containing session cookies, highlighted the severity of these attacks.
Because the app-bound service runs with system privileges, attackers need to gain system privileges or inject code into Chrome, making their actions more suspicious to antivirus software and increasing the likelihood of detection. Other initiatives work with this protection, making it difficult and risky for attackers trying to steal user data.
Google plans to extend this technology to protect other sensitive data, such as passwords and payment information. Additionally, device-bound session cookies, introduced in April, prevent stolen cookies from being used on unauthorized devices.
Chrome 127 Enhances Security, Making Malware Attacks More Difficult
The app-bound service runs with elevated privileges, so attackers need more than just getting a user to run a malicious app. From now on, the malware will have to gain those privileges or inject code into Chrome. Legitimate software doesn’t do this.
Remember that this method strongly ties the encryption key to the machine. This means it may not work properly if you use Chrome profiles on different machines. If your organization uses roaming profiles, it’s best to set up the ApplicationBoundEncryptionEnabled policy to follow best practices.
Currently, the recent change to the new Chrome 127 only affects cookies. However, Google plans to expand this security measure to include passwords, payment information, and other types of persistent authentication tokens in the future.
In April, the tech company introduced a new way to detect unauthorized access to browser login credentials and cookies from an external application on a Windows computer. This method uses a Windows event log type called DPAPIDefInformationEvent.
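The kind of check such an event log enables is sketched below as an added example, not Google's or Microsoft's code. The records are constructed, and their field names (`operation`, `description`, `caller_pid`, `image`) and the allowlisted Chrome path are assumptions for illustration rather than the documented event schema.

```python
from datetime import datetime

# Assumed allowlist: the only image expected to decrypt Chrome's data.
CHROME_IMAGE = r"c:\program files\google\chrome\application\chrome.exe"

# Constructed process-start records (note PID 4120 is reused at 10:00).
PROCESS_STARTS = [
    {"time": "2024-08-01T09:00:00", "pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"time": "2024-08-01T09:30:00", "pid": 7788, "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    {"time": "2024-08-01T10:00:00", "pid": 4120, "image": r"C:\Users\alice\Downloads\viewer.exe"},
]

# Constructed DPAPI activity records.
DPAPI_EVENTS = [
    {"time": "2024-08-01T09:10:00", "operation": "unprotect", "description": "Google Chrome", "caller_pid": 4120},
    {"time": "2024-08-01T09:35:00", "operation": "unprotect", "description": "Google Chrome", "caller_pid": 7788},
    {"time": "2024-08-01T09:40:00", "operation": "unprotect", "description": "Other App", "caller_pid": 7788},
    {"time": "2024-08-01T10:05:00", "operation": "unprotect", "description": "Google Chrome", "caller_pid": 4120},
    {"time": "2024-08-01T10:10:00", "operation": "unprotect", "description": "Google Chrome", "caller_pid": 9999},
]

def resolve_image(pid, when, process_starts):
    """Image of the latest process start with this PID at or before `when` (handles PID reuse)."""
    best = None
    for rec in process_starts:
        started = datetime.fromisoformat(rec["time"])
        if rec["pid"] == pid and started <= when:
            if best is None or started > best[0]:
                best = (started, rec["image"])
    return best[1] if best else None

def suspicious_unprotects(dpapi_events, process_starts):
    """Decryptions of Chrome-labelled data by anything other than Chrome itself."""
    findings = []
    for ev in dpapi_events:
        if ev["operation"] != "unprotect" or ev["description"] != "Google Chrome":
            continue
        when = datetime.fromisoformat(ev["time"])
        image = resolve_image(ev["caller_pid"], when, process_starts)
        # An unresolved PID is reported too: missing telemetry should not hide a decrypt.
        if image is None or image.lower() != CHROME_IMAGE:
            findings.append((ev["time"], ev["caller_pid"], image))
    return findings
```

Resolving the PID against the process start closest before the event matters because PIDs are reused; matching on PID alone would attribute the 10:05 decryption to Chrome.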
Keychain and Wallet Protection for macOS and Linux
It’s worth noting that passwords and cookies in web browsers are protected differently in Apple macOS and Linux systems. In these systems, Keychain services and system-provided wallets like KWallet are used to safeguard this information.
Chrome recently made several security improvements, including better Safe Browsing, Device Bound Session Credentials (DBSC), and automatic scans for potentially harmful downloads. According to Harris, using app-bound encryption makes it harder for attackers to steal data and easier for defenders to see what other apps are doing on the system.
The Decision to Retain Third-Party Cookies Draws W3C Criticism
In addition, Google announced that it will no longer get rid of third-party cookies in Chrome. This led the World Wide Web Consortium (W3C) to say that cookies enable tracking and that this decision undoes the progress made in making the web work without them.
Collecting and tracking data can lead to targeting political messages specifically to individuals, which could have negative effects on society. In addition, not finding effective alternatives to third-party cookies promptly could slow down efforts to make websites compatible with different web browsers.
Closing Remarks on App-Bound Encryption
App-bound encryption promises to be a deterrent to data theft, raising the difficulty and risk for attackers. Furthermore, this type of encryption raises the visibility of attackers’ actions on the system. This technology also determines acceptable behavior by other apps on the system, signaling a new era of increased autonomy for the user. Since the threat of malware will continue to evolve, this focus on collaborating with the security community can only prove to be highly beneficial. With the rise of AI and its fast expansion, enhancing detection capabilities and fortifying operating system defenses is imperative, as it demands stronger app isolation measures to mitigate any potential bypasses.