One of the updates to the Google Chrome browser last summer introduced a cookie encryption system designed to protect user data. Within a few months, however, both cybersecurity experts and attackers managed to bypass it. Google nevertheless considers its task completed.
The App-Bound Encryption (ABE) feature debuted in July 2024 with the release of Chrome 127. Encryption is performed using a Windows service with system privileges. The feature is designed to prevent malware from stealing information stored in the browser: credentials for logging into websites, session cookies, and much more. “Because the App-Bound service runs with system privileges, attackers will need to do more than just coax a user into running a malicious application. Now the malicious application must gain system privileges or inject code into Chrome, which legitimate software should not do,” Google explained at the time.
At the end of September, however, it became known that data-stealing malware, including Lumma Stealer, StealC and many others, was able to bypass this protection. Google responded that this was expected and that it was good that changes to the browser forced attackers to change their behavior. “This corresponds to the new behavior we are seeing. We continue to work with OS and antivirus developers to try to more reliably detect these new types of attacks, and we also continue to try to strengthen protection against theft of information from our users,” Google said.
Now cybersecurity expert Alexander Hagenah has developed and published on GitHub a tool called Chrome-App-Bound-Encryption-Decryption, designed to bypass Chrome’s encryption mechanisms. In the description, the author noted that the function developed by Google so far only protects cookies, but that in the future it may be used to protect passwords and payment information. Google also reacted calmly to the appearance of the project. “This code requires administrative rights, indicating that we have successfully elevated the access privileges required to successfully carry out this type of attack,” the company said.