
From protection to vulnerability: App-Bound Encryption in Chrome turned out to be not so strong

Man (Professional)
The resonant tool appeared on GitHub.

Cybersecurity specialist Alexander Hagenah has published a tool called Chrome-App-Bound-Encryption-Decryption, which allows you to bypass Google's recently implemented Application-Bound (App-Bound) encryption system and extract users' stored credentials from the Chrome browser.

In July 2023, Google introduced the App-Bound Encryption protection mechanism in Chrome version 127. The system encrypts cookies using a Windows service that runs with SYSTEM permissions. The main purpose of the innovation was to protect confidential information from infostealers, which usually function with the rights of an ordinary user. According to the developers, without obtaining SYSTEM privileges, the malware could not decrypt the stolen cookies.

However, by September, the attackers had found ways to bypass the new protection system. Google representatives then told BleepingComputer that the confrontation between the malware developers and the company's engineers was expected. Google has never considered the security mechanisms to be completely invulnerable, but has seen App-Bound as the basis for creating a stronger security system.

Hagenah hosted his App-Bound bypass tool on GitHub, making the source code available to everyone. According to the developer, the program decrypts App-Bound keys stored in the Local State file of the Chrome browser using the internal IElevator COM service.

For the tool to work, you need to copy the executable file to the Google Chrome directory, usually located at C:\Program Files\Google\Chrome\Application. The folder is secured, so users need administrative privileges. Experts note that it is quite easy to get administrative privileges, especially for home Windows users.

Researcher g0njxa told BleepingComputer that the published tool demonstrates a basic method that most infostealers have already surpassed for stealing cookies from all versions of Google Chrome. Malware analyst Russian Panda confirmed that Hagenah's method is similar to the early ways of bypassing protection used after the initial implementation of App-Bound encryption.
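Since the tool has to be dropped into Chrome's own Application directory, a simple defender-side check is to list executables there that do not carry a valid Google Authenticode signature. The script below is an added example, not code from the article or from the tool it describes; it assumes the default install path and that Chrome's binaries are signed by a certificate whose subject contains "Google LLC".

```powershell
# Added defensive check (not part of the article or the tool it describes).
# Lists .exe files under Chrome's Application directory whose Authenticode
# signature is missing, invalid, or not issued to the expected signer.
# Assumptions: default install path; Chrome binaries are signed as "Google LLC".
param(
    [string]$ChromeDir = 'C:\Program Files\Google\Chrome\Application',
    [string]$ExpectedSigner = 'Google LLC'
)

if (-not (Test-Path -LiteralPath $ChromeDir)) {
    Write-Warning "Chrome directory not found: $ChromeDir"
    return
}

# Walk the directory (including versioned subfolders) and check each executable.
$suspicious = Get-ChildItem -LiteralPath $ChromeDir -Recurse -Filter *.exe -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Path    = $_.FullName
            Status  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer  = $subject
            Created = $_.CreationTime      # recent creation time is a useful triage hint
        }
    } |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notlike "*$ExpectedSigner*" }

if ($suspicious) {
    Write-Output "Unexpected executables in $ChromeDir :"
    $suspicious | Format-Table -AutoSize
} else {
    Write-Output "All executables in $ChromeDir carry a valid $ExpectedSigner signature."
}
```

Run it from an elevated prompt on a schedule or from an EDR script task; any hit is worth correlating with who wrote the file and whether Chrome was running at the time.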
