Saturday, December 14, 2024

Enhancing Safety Protocols for Chrome Cookies on Windows Platforms

Cybercriminals using cookie-theft malware continue to pose a significant threat to the security and well-being of our users. We have developed several initiatives in this area, leveraging Protected Shopping features and combining them with Google's account-based risk detection to flag misuse of stolen cookies. Today we are introducing an additional layer of protection to safeguard Windows users from this class of malware.

Like other applications that store sensitive data, Chrome currently secures secrets such as cookies and passwords using the strongest encryption facilities the operating system offers – specifically, APFS on macOS, and a system-provided wallet such as KWallet or GNOME Keyring on Linux. On Windows, Chrome uses the Data Protection API (DPAPI), which protects data at rest against other users on the same system and against cold boot attacks. DPAPI does not, however, protect against malicious applications that can already execute code as the logged-in user: any process running as that user can ask DPAPI to decrypt the data, and info-stealing malware routinely abuses this trusted relationship between the user and the application.

Chrome 127 introduces a new protection on Windows that improves on DPAPI with additional encryption primitives. With this change, Chrome can encrypt data tied to an app identity, similar to how the macOS Keychain works.

We are migrating secrets to this new system, starting with cookies in Chrome 127. We plan to extend the same protection to passwords, fee details, and persistent authentication tokens in upcoming releases, further raising the bar against infostealer malware.

App-Bound Encryption relies on a privileged service to verify the identity of the requesting application. The App-Bound Encryption service encodes the app's identity into the encrypted data and validates it again on every decryption attempt. If another app attempts to decrypt the same data, the operation must fail.

Because the App-Bound service runs with system privileges, attackers must do more than simply convince users to download and run a malicious app. The malware needs to either escalate to system privileges or inject code into Chrome; both are fundamental breaches of security best practices and a red flag for any legitimate software developer. This behavior is also far more suspicious to antivirus and endpoint products, significantly increasing the likelihood of detection. Our existing initiatives, including cookie decryption, complement this effort and further raise the cost and detection risk for attackers attempting to steal user data.
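As an added illustration (not Chrome's own code), the following stdlib-only Python models the App-Bound flow described above: a privileged service holds the key, binds the caller's app identity into every blob, and refuses to decrypt for a different caller or for a blob whose identity header has been rewritten. The cipher is a toy construction and the app IDs are constructed sample values.

```python
import hashlib, hmac, os, struct

# Toy model of App-Bound Encryption. The key lives only inside the
# privileged service; callers never see it (constructed example).
SERVICE_KEY = os.urandom(32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # SHA-256 in counter mode; illustrative only, not a production cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + struct.pack(">I", ctr)).digest()
        ctr += 1
    return out[:n]


class AppBoundService:
    def __init__(self, key: bytes = SERVICE_KEY):
        self._enc_key = hashlib.sha256(b"enc" + key).digest()
        self._mac_key = hashlib.sha256(b"mac" + key).digest()

    def encrypt(self, app_id: str, plaintext: bytes) -> bytes:
        # Blob layout: [2-byte id length][app id][16-byte nonce][ct][32-byte tag]
        aid, nonce = app_id.encode(), os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(self._enc_key, nonce, len(plaintext))))
        header = struct.pack(">H", len(aid)) + aid + nonce
        tag = hmac.new(self._mac_key, header + ct, hashlib.sha256).digest()  # covers the identity
        return header + ct + tag

    def decrypt(self, caller_app_id: str, blob: bytes) -> bytes:
        (n,) = struct.unpack(">H", blob[:2])
        header, aid, nonce = blob[:18 + n], blob[2:2 + n], blob[2 + n:18 + n]
        ct, tag = blob[18 + n:-32], blob[-32:]
        expected = hmac.new(self._mac_key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("blob or its identity header was tampered with")
        if not hmac.compare_digest(aid, caller_app_id.encode()):
            raise PermissionError("caller identity does not match the bound app")
        return bytes(a ^ b for a, b in zip(ct, _keystream(self._enc_key, nonce, len(ct))))


def can_decrypt(service: AppBoundService, caller_app_id: str, blob: bytes) -> bool:
    # Convenience check: True only when the service accepts this caller for this blob.
    try:
        service.decrypt(caller_app_id, blob)
        return True
    except PermissionError:
        return False
```

A caller that merely rewrites the identity header to claim it is Chrome is caught by the tag check, which is why bypassing the scheme requires privilege escalation or code injection into Chrome rather than a change to the stored blob.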

Since malware can bypass this protection by running with elevated privileges, enterprise environments that do not allow users to run downloaded files as Administrator benefit the most from this measure – in those environments malware cannot simply request privilege elevation and is forced into tactics like process injection that are more readily detected by endpoint agents.

App-Bound Encryption binds the encryption key to a specific machine, so it will not work in environments where Chrome profiles roam between multiple devices. Enterprises that rely on roaming profiles are encouraged to follow current best practices, and if necessary App-Bound Encryption can be configured according to the newly published policy.

To support detection, Chrome emits an event whenever a verification fails. The event is logged as Event ID 257 in the 'Chrome' application log, and its presence is an anomaly that warrants further investigation.

App-Bound Encryption significantly raises the cost for attackers to steal sensitive data, making their activity both more expensive and far more conspicuous on the system. It also helps define a clear boundary of acceptable behaviour for applications on the system. To stay ahead of the evolving malware landscape, we are committed to working with our peers in the security community to improve detection and to strengthen operating system defenses, including more robust app isolation mechanisms that can withstand potential workarounds.
