Improving Chrome cookie security on Windows

Cybercriminals using cookie theft infostealer malware continue to pose a risk to the safety and security of our users. We already have a number of initiatives in place in this area, including Chrome’s download protection with Safe Browsing, Device Bound Session Credentials, and Google’s account-based threat detection to flag the use of stolen cookies. Today, we’re announcing another layer of protection to make Windows users safer from this type of malware.

Like other software that needs to store secrets, Chrome currently protects sensitive data like cookies and passwords using the strongest techniques the operating system provides us with – on macOS these are the Keychain services, and on Linux we use a system-provided wallet like kwallet or gnome-libsecret. On Windows, Chrome uses the Data Protection API (DPAPI) which protects data at rest from other users on the system or cold boot attacks. However, DPAPI does not protect against malicious applications that can execute code as the logged-in user – which is something infostealers take advantage of.

In Chrome 127, we’re introducing a new protection on Windows that improves on DPAPI with Application-Bound (App-Bound) Encryption primitives. Instead of allowing any app running as the logged-in user to access this data, Chrome can now encrypt data tied to the app’s identity, similar to how Keychain works on macOS.

We’re migrating every type of secret to this new system, starting with cookies in Chrome 127. In future releases, we plan to extend this protection to passwords, payment information, and other persistent authentication tokens, to further protect users from infostealer malware.

How it works

App-Bound Encryption relies on a privileged service to verify the identity of the requesting application. During encryption, the App-Bound Encryption service encodes the identity of the application into the encrypted data and then checks whether it is valid when decryption is attempted. If another application on the system attempts to decrypt the same data, it will fail.

Because the App-Bound service runs with system privileges, attackers must do more than just convince a user to run a malicious app. Now the malware must gain system privileges or inject code into Chrome, something legitimate software shouldn’t have to do. This makes their actions more suspicious to antivirus software – and more likely to be detected. Our other recent initiatives, like providing event logs for cookie decryption, work in tandem with these protections, with the goal of further increasing the cost and risk of detection for attackers attempting to steal user credentials.
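The flow described under "How it works", as an added model that is not Chrome's or Google's code: a privileged service holds a machine-bound root secret that callers never see, records the requesting application's identity in the protected blob, and refuses to decrypt for any other caller. Everything here is an assumption made for illustration: the `AppBoundService` class and its methods are hypothetical, the `identity` argument stands in for whatever the real service determines about its caller (it is not something the caller gets to pick), and the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag so that the example runs with the Python standard library alone; Chrome uses the operating system's and its own AES-based primitives, not this construction.

```python
import hashlib
import hmac
import secrets


class AppBoundService:
    """Hypothetical stand-in for the privileged App-Bound Encryption service."""

    def __init__(self) -> None:
        # Machine-bound root secret. It exists only inside the service process,
        # which is also why the key cannot roam with a user profile.
        self._root = secrets.token_bytes(32)

    def _subkeys(self, identity: bytes):
        # Per-application subkeys: the caller's identity is mixed into key
        # derivation, so a different identity yields different keys.
        enc = hmac.new(self._root, b"enc|" + identity, hashlib.sha256).digest()
        mac = hmac.new(self._root, b"mac|" + identity, hashlib.sha256).digest()
        return enc, mac

    @staticmethod
    def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
        # Simplified keystream: HMAC(key, nonce || counter) blocks, truncated.
        out = b""
        counter = 0
        while len(out) < length:
            block = nonce + counter.to_bytes(4, "big")
            out += hmac.new(key, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, identity: bytes, plaintext: bytes) -> bytes:
        """Encrypt `plaintext` so that only `identity` can later decrypt it."""
        enc, mac = self._subkeys(identity)
        nonce = secrets.token_bytes(16)
        stream = self._keystream(enc, nonce, len(plaintext))
        ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
        # The identity is also bound into the tag, so the blob itself
        # carries an authenticated statement of who may open it.
        tag = hmac.new(mac, identity + nonce + ciphertext, hashlib.sha256).digest()
        return nonce + ciphertext + tag

    def decrypt(self, identity: bytes, blob: bytes) -> bytes:
        """Decrypt `blob` for `identity`; raise if it was bound to someone else."""
        enc, mac = self._subkeys(identity)
        nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(mac, identity + nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            # Wrong identity (or a tampered blob): the verification fails
            # before any plaintext is produced.
            raise PermissionError("verification failed: blob is bound to another application")
        stream = self._keystream(enc, nonce, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, stream))


def demo() -> dict:
    """Browser process round-trips a cookie; another process on the same
    user account gets nothing from the same blob."""
    service = AppBoundService()
    cookie = b"session=constructed-sample-cookie-value"  # constructed sample
    blob = service.encrypt(b"chrome.exe", cookie)
    results = {"chrome": service.decrypt(b"chrome.exe", blob) == cookie}
    try:
        service.decrypt(b"other_app.exe", blob)
        results["other_app"] = "decrypted"
    except PermissionError:
        results["other_app"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one in the paragraph above it: the blob is useless to a second process running under the same Windows account, because the secret that turns it back into a cookie never leaves the service, and the service only applies it on behalf of the identity it recorded. Anything that wants the cookie anyway has to either run inside the browser process or take over the service, which are the two louder, more detectable paths the article describes.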

Business considerations

Because malware can bypass this protection by running with elevated privileges, corporate environments that do not give their users the ability to run downloaded files as administrators are particularly likely to benefit. In these environments, malware cannot simply request elevated privileges and is forced to use techniques such as injection that are more easily detected by endpoint agents.

App-Bound Encryption strongly binds the encryption key to the machine, so it will not function correctly in environments where Chrome profiles roam between multiple machines. We encourage enterprises that want to support roaming profiles to follow current best practices. If needed, App-Bound Encryption can be configured using the new ApplicationBoundEncryptionEnabled policy.

To further help detect any incompatibilities, Chrome emits an event when a failed authentication occurs. The event is ID 257 of the resource ‘Chrome’ in the Application log.
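A small detection helper for the event just named, added here as an example rather than anything Chrome or Google ship: it scans events exported from the Windows Application log in the standard Windows event XML shape (the form `wevtutil qe Application /f:xml` or `Get-WinEvent` records converted with `ToXml()` produce) for provider `Chrome`, event ID 257, and reports which hosts logged them. The two events are constructed samples: the provider name, ID and channel come from the announcement, while the host name, timestamps and message text are placeholders, since the event's data fields are not described here. The function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample export. wevtutil emits a bare sequence of <Event>
# elements, so the text is wrapped in a root element before parsing.
SAMPLE_EXPORT = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Chrome"/>
    <EventID>257</EventID>
    <Channel>Application</Channel>
    <Computer>ws-01.example.internal</Computer>
    <TimeCreated SystemTime="2024-08-01T09:12:44.000000000Z"/>
  </System>
  <EventData><Data>placeholder message: app-bound verification failed</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error"/>
    <EventID>1000</EventID>
    <Channel>Application</Channel>
    <Computer>ws-01.example.internal</Computer>
    <TimeCreated SystemTime="2024-08-01T09:13:02.000000000Z"/>
  </System>
  <EventData><Data>placeholder message: unrelated application crash</Data></EventData>
</Event>
</Events>"""


def is_app_bound_failure(event) -> bool:
    """True for Application-log events from provider 'Chrome' with ID 257."""
    system = event.find("e:System", EVT_NS)
    if system is None:
        return False
    provider = system.find("e:Provider", EVT_NS)
    event_id = system.findtext("e:EventID", default="", namespaces=EVT_NS)
    channel = system.findtext("e:Channel", default="Application", namespaces=EVT_NS)
    return (
        provider is not None
        and provider.get("Name") == "Chrome"
        and event_id.strip() == "257"
        and channel.strip() == "Application"
    )


def find_app_bound_failures(xml_text: str) -> list:
    """Return one record (computer, time) per matching event in an export."""
    hits = []
    root = ET.fromstring(xml_text)
    for event in root.iter("{%s}Event" % EVT_NS["e"]):
        if not is_app_bound_failure(event):
            continue
        system = event.find("e:System", EVT_NS)
        created = system.find("e:TimeCreated", EVT_NS)
        hits.append({
            "computer": system.findtext("e:Computer", default="", namespaces=EVT_NS),
            "time": created.get("SystemTime", "") if created is not None else "",
        })
    return hits


def failures_per_host(xml_text: str) -> dict:
    """Count matching events per host, the view a fleet-wide sweep wants."""
    counts = {}
    for hit in find_app_bound_failures(xml_text):
        counts[hit["computer"]] = counts.get(hit["computer"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_app_bound_failures(SAMPLE_EXPORT):
        print(hit)
    print(failures_per_host(SAMPLE_EXPORT))
```

On a live machine the same filter is a one-liner in PowerShell, `Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='Chrome'; Id=257}`, which is the quickest way to check a single host. The parser above is for the case where logs are already being exported or forwarded centrally: a single host producing these events after a profile moves between machines points at the roaming-profile incompatibility noted above, while a host that has never roamed and suddenly starts producing them is the signal worth handing to the endpoint team.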

Conclusion

App-Bound Encryption increases the cost of data theft for attackers and also makes their actions much louder on the system. It helps defenders draw a clear line in the sand for what is acceptable behavior for other apps on the system. As the malware landscape continues to evolve, we look forward to continuing to collaborate with others in the security community to improve detections and harden OS defenses, such as stronger app isolation primitives, for all bypasses.