Google has unveiled a new security feature for its Chrome browser, called App-Bound Encryption, which aims to stop information-stealing malware from accessing cookies on Windows systems.
According to Will Harris from the Chrome Security Team, Chrome uses the Data Protection API (DPAPI) to protect data at rest from other users or cold boot attacks on Windows systems. However, DPAPI does not provide protection against malicious applications that execute code as the logged-in user, leaving it vulnerable to info-stealing attacks.
App-bound encryption is a security measure that improves on the Data Protection API (DPAPI) by embedding the identity of an application, such as Chrome, within the encrypted data. This binding ensures that other applications on the system cannot decrypt the data. Harris noted that because the app-bound service runs with system privileges, attackers would need to elevate their privileges or inject code into Chrome in order to bypass this protection, which is highly unlikely behaviour for legitimate software.
Because the encryption key is tightly bound to the machine, this method is not compatible with environments where Chrome profiles move between multiple machines. Organizations using roaming profiles are advised to follow best practices and to configure the ApplicationBoundEncryptionEnabled policy.
This recent security enhancement, implemented in Chrome 127, currently focuses solely on safeguarding cookies. Nevertheless, Google intends to extend this protection to encompass passwords, payment information, and additional authentication tokens in the future.
In April, Google outlined a method that uses a Windows event log type, DPAPIDefInformationEvent, to identify other applications on the system that access browser cookies and credentials.
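As an added illustration of the detection approach mentioned above (example code, not from Google's post or this article), the following triages constructed DPAPIDefInformationEvent-style records and flags decryptions of Chrome-labelled DPAPI data by a process other than Chrome. The field names (OperationType, DataDescription, CallerProcessID) and the pre-resolved CallerImage are assumptions for the sample; on a real host the caller PID would have to be correlated with process-creation telemetry.

```python
from dataclasses import dataclass

# Constructed sample records modelled on the DPAPIDefInformationEvent shape;
# field names are assumptions, and CallerImage is a pre-resolved process
# name that a real pipeline would have to join from CallerProcessID.
SAMPLE_EVENTS = [
    {"OperationType": "SPCryptUnprotect", "DataDescription": "Google Chrome",
     "CallerProcessID": 4120, "CallerImage": "chrome.exe"},
    {"OperationType": "SPCryptUnprotect", "DataDescription": "Google Chrome",
     "CallerProcessID": 9981, "CallerImage": "update_helper.exe"},
    {"OperationType": "SPCryptProtect", "DataDescription": "Google Chrome",
     "CallerProcessID": 4120, "CallerImage": "chrome.exe"},
    {"OperationType": "SPCryptUnprotect", "DataDescription": "Local Credential Data",
     "CallerProcessID": 612, "CallerImage": "lsass.exe"},
]

# Processes expected to decrypt browser-labelled blobs (assumption: tune to
# the browsers and backup agents present in your environment).
EXPECTED_CALLERS = {"chrome.exe"}
BROWSER_DESCRIPTIONS = {"Google Chrome"}


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    description: str


def find_suspicious_unprotects(events):
    """Return a Finding for each decrypt (unprotect) operation on browser-
    labelled data performed by a process that is not an expected caller."""
    findings = []
    for ev in events:
        if ev.get("OperationType") != "SPCryptUnprotect":
            continue  # only decryption of existing blobs is of interest
        if ev.get("DataDescription") not in BROWSER_DESCRIPTIONS:
            continue
        image = str(ev.get("CallerImage", "")).lower()
        if image in EXPECTED_CALLERS:
            continue
        findings.append(Finding(int(ev["CallerProcessID"]), image, ev["DataDescription"]))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_unprotects(SAMPLE_EVENTS):
        print(f"ALERT pid={f.pid} image={f.image} decrypted '{f.description}' blob")
```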
For macOS and Linux systems, Chrome ensures the security of passwords and cookies by leveraging Keychain services and system-provided wallets like kwallet or gnome-libsecret.
This development comes after numerous security enhancements introduced in Chrome, such as enhanced Safe Browsing, Device Bound Session Credentials (DBSC), and automated checks for potentially malicious downloads. Harris emphasized that app-bound encryption raises the complexity and detectability of data theft efforts, assisting security teams in defining explicit limits for acceptable actions by other apps within the system.
Furthermore, it should be noted that Google recently made a decision to not deprecate third-party cookies in Chrome. This move has faced criticism from the World Wide Web Consortium (W3C). The W3C expressed concern about the continued use of third-party cookies as they enable tracking, which can have negative implications for society, particularly in terms of supporting micro-targeted political messages. Moreover, the W3C warned that this decision could potentially impede the progress in developing viable alternatives to third-party cookies for various web browsers.