News: 1722443706

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Chrome adopts app-bound encryption to stymie cookie-stealing malware

(2024/07/31)


Google says it's enhancing the security of sensitive data managed by Chrome for Windows users to fight the scourge of infostealer malware targeting cookies.

When a cyber baddie gets a hold of a user's session cookies, they can use them to hijack those sessions, log into accounts they don't own, and then do anything the legitimate user could do, perhaps even selling the account on black markets.

Ideally, these cookies expire after a short period of time, in theory limiting the window in which they can be used for account hijacks. That's not always the case, though. Okta's [1]incident last year involving the theft of HAR files, which often contain session cookies, illustrated how serious these attacks can be.

[2]

Starting in Chrome 127, the stable version of which was released last week, the browser now uses app-bound encryption primitives that encrypt data in a way that links it to a specific app.

[3]

[4]

Will Harris, senior software engineer on Chrome's security team, said that Google uses the most secure methods afforded to it by each operating system to safeguard Chrome secrets. For macOS, that's Keychain, and on Linux that's a wallet provided by the OS such as kwallet or gnome-libsecret.

On Windows, Chrome uses the data protection API (DPAPI), which offers strong protection, but not against malicious apps like infostealers from executing code as an authenticated user.

[5]

"App-bound encryption relies on a privileged service to verify the identity of the requesting application," Harris [6]blogged . "During encryption, the app-bound encryption service encodes the app's identity into the encrypted data, and then verifies this is valid when decryption is attempted. If another app on the system tries to decrypt the same data, it will fail.

"Because the app-bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app. Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn't be doing.

"This makes their actions more suspicious to antivirus software – and more likely to be detected. Our other recent initiatives such as providing event logs for cookie decryption work in tandem with this protection, with the goal of further increasing the cost and risk of detection to attackers attempting to steal user data."

[7]'LockBit of phishing' EvilProxy used in more than a million attacks every month

[8]W3C says Google's cookie climbdown 'undermines' a lot of work

[9]Oops. Apple relied on bad code while flaming Google Chrome's Topics ad tech

[10]Forget security – Google's reCAPTCHA v2 is exploiting users for profit

Over time, Google plans to roll out this same tech to protect other secrets like authentication tokens, [11]passwords , and payment data.

The app-bound encryption supplements existing measures such as device-bound session cookies, which were [12]rolled out in April . These tie a user's session to their device, meaning any stolen cookies being abused on a device that doesn't belong to the genuine user won't benefit attackers at all. They won't work.

[13]

Last week, Google also improved the security of Chrome's downloads UI, offering users more detailed explanations as to why a given download was blocked – a measure designed to make it easier for users to understand what could happen if they choose to run a malicious download, such as an [14]infostealer .

App-bound encryption works a little like how the device-bound session cookies do in that the encryption key associated with the Chrome secret is strongly bound to the user's machine, so business users won't be able to benefit from it if they use multiple devices.

Where device roaming is essential to a given user's job, Google says to follow its best practices [15]guide , or use the [16]ApplicationBoundEncryptionEnabled policy. ®

Get our [17]Tech Resources



[1] https://www.theregister.com/2023/11/29/okta_misjudged_breach_scale/

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zqq0CLe24v-rEphUv-@B8gAAANI&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zqq0CLe24v-rEphUv-@B8gAAANI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zqq0CLe24v-rEphUv-@B8gAAANI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zqq0CLe24v-rEphUv-@B8gAAANI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html

[7] https://www.theregister.com/2024/07/30/evilproxy_phishing_kit_analysis/

[8] https://www.theregister.com/2024/07/30/googles_cookie_w3c_criticism/

[9] https://www.theregister.com/2024/07/24/apple_google_topics/

[10] https://www.theregister.com/2024/07/24/googles_recaptchav2_labor/

[11] https://www.theregister.com/2024/07/29/google_password_manager_outage/

[12] https://www.theregister.com/2024/04/03/google_cookie_strategy/

[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zqq0CLe24v-rEphUv-@B8gAAANI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[14] https://www.theregister.com/2024/01/02/infostealer_google_account_exploit/

[15] https://support.google.com/chrome/a/answer/7349337

[16] https://chromeenterprise.google/policies/#ApplicationBoundEncryptionEnabled

[17] https://whitepapers.theregister.com/



Working to hack everything helps.

Version 1.0

I'm not going to criticize anything but I'd just point out that the statement "Google uses the most secure methods afforded to it by each operating system to safeguard Chrome secrets" is a typical modern anti-malware effort that all the malware creators quickly start to work around. My history of working to protect my company was mostly effective when I worked to hack and access everything that we were using. I'm not a hacker, this is just a educational world for honest users.

Once you learn to hack everything you are using, then you start to know what you need to do to stop it in your world - it's like drinking a beer to relax, not drive around.

Blackjack

[infostealer malware targeting cookies]

Even if the malware cannot find any cookies they can still get a long of information anyway. IP address, country, locating, default language, heck if some thing just keeps ttacks of everything you write they get passwords too.

scourge of infostealer malware

DJV

Sounds like a good description of Google themselves!

QOTD:
"I won't say he's untruthful, but his wife has to call the
dog for dinner."