Google is making a significant change to the way that Chrome handles sensitive data on Windows, introducing app-bound encryption in Chrome 127, which enables the browser to encrypt data tied to an application identity.
The move is designed to break one of the methods that malware such as infostealers use to gain access to sensitive data such as cookies, passwords, and payment data. Once present on a system, infostealers typically run with the privileges of the logged-in user, which gives the malware access to any information that user is entitled to read. With the change in Chrome 127, this method won’t work because the data is encrypted with the app-bound method, which ties the ability to decrypt it to the application rather than to the user.
“In Chrome 127 we are introducing a new protection on Windows that improves on the DPAPI by providing Application-Bound (App-Bound) Encryption primitives. Rather than allowing any app running as the logged-in user to access this data, Chrome can now encrypt data tied to app identity, similar to how the Keychain operates on macOS,” Will Harris of the Chrome security team said.
“App-Bound Encryption relies on a privileged service to verify the identity of the requesting application. During encryption, the App-Bound Encryption service encodes the app's identity into the encrypted data, and then verifies this is valid when decryption is attempted. If another app on the system tries to decrypt the same data, it will fail.”
This change only applies to cookies in Chrome 127, but Google plans to extend it to other sensitive data in later versions. Passwords, payment data, and other information will gain the same protection in the near future. Even protecting only cookies in this way is a major step forward for Chrome and a win for users, because cookie theft is a very common problem and a serious risk. Right now, Chrome on Windows uses the Windows Data Protection API (DPAPI) to protect sensitive data at rest, but malicious apps running with the user’s privileges can still get to that information.
“Because the App-Bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app. Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn't be doing. This makes their actions more suspicious to antivirus software – and more likely to be detected,” Harris said.
The encryption key is also bound to the specific machine, so the key can’t be stolen and used in other places.
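To make the mechanism concrete, here is an added toy model (not Chrome's code, and not the real App-Bound Encryption service, key storage, or blob format) of the two properties described above: a privileged service authenticates the requesting app's identity together with the ciphertext so a different app cannot decrypt the data, and the root key is machine-specific so a copied blob is useless elsewhere. Everything in it is constructed for illustration: the root keys, the app names, the sample cookie value, and the encrypt-then-MAC construction built from the standard library.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed per-machine root key that only the privileged service holds.
# Hypothetical placeholder; Chrome's real key material is not shown here.
MACHINE_ROOT_KEY = hashlib.sha256(b"constructed-machine-bound-root-key").digest()


def _derive(root: bytes, label: bytes) -> bytes:
    """Derive a single-purpose sub-key (encryption or authentication) from the root key."""
    return hmac.new(root, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stream cipher, stdlib only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class AppBoundEncryptionService:
    """Toy model of a privileged service that binds ciphertext to an app identity."""

    def __init__(self, root_key: bytes) -> None:
        self._enc_key = _derive(root_key, b"enc")
        self._mac_key = _derive(root_key, b"mac")

    def encrypt(self, app_identity: str, plaintext: bytes) -> bytes:
        app_id = app_identity.encode()
        nonce = secrets.token_bytes(16)
        stream = _keystream(self._enc_key, nonce, len(plaintext))
        ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
        header = nonce + struct.pack(">H", len(app_id)) + app_id
        # The app identity is authenticated together with the ciphertext, so it cannot
        # be swapped for another app's identity without invalidating the tag.
        tag = hmac.new(self._mac_key, header + ciphertext, hashlib.sha256).digest()
        return header + ciphertext + tag

    def decrypt(self, requesting_app: str, blob: bytes) -> bytes:
        """requesting_app stands in for an identity the service verified itself (e.g. from
        the caller's process), never a name the caller merely asserts."""
        if len(blob) < 16 + 2 + 32:
            raise ValueError("blob too short")
        body, tag = blob[:-32], blob[-32:]
        expected = hmac.new(self._mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed: blob modified or wrong machine key")
        nonce = body[:16]
        (id_len,) = struct.unpack(">H", body[16:18])
        app_id = body[18:18 + id_len]
        ciphertext = body[18 + id_len:]
        # Identity check: embedded identity must match the verified identity of the caller.
        if not hmac.compare_digest(app_id, requesting_app.encode()):
            raise PermissionError(f"{requesting_app!r} did not encrypt this data")
        stream = _keystream(self._enc_key, nonce, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, stream))


def demo() -> dict:
    """Exercise the three cases: the owning app, another app on the same machine,
    and the same app on a different machine."""
    service = AppBoundEncryptionService(MACHINE_ROOT_KEY)
    cookie = b"session=constructed-sample-value"   # constructed sample plaintext
    blob = service.encrypt("browser", cookie)
    results = {"browser_ok": service.decrypt("browser", blob) == cookie}
    try:
        service.decrypt("other-app", blob)
        results["other_app_rejected"] = False
    except PermissionError:
        results["other_app_rejected"] = True
    other_machine = AppBoundEncryptionService(
        hashlib.sha256(b"constructed-other-machine-root-key").digest())
    try:
        other_machine.decrypt("browser", blob)
        results["other_machine_rejected"] = False
    except ValueError:
        results["other_machine_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is that the rejection of another app does not depend on that app being unable to read the blob from disk; it can read it freely, as an infostealer running as the user can. What it lacks is the root key (held by the privileged service) and a verified identity matching the one authenticated inside the blob, which is why the article's quoted description says the remaining routes are gaining system privileges or injecting into the browser process, both of which are far more visible to endpoint detection than reading a file.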
App-bound encryption is enabled in Chrome 127 for Windows, which is available now.