OP 30 October, 2024 - 07:13 PM
Information security researcher Alexander Hagenah has published a tool called Chrome-App-Bound-Encryption-Decryption that bypasses Chrome's new App-Bound Encryption (ABE) protection, which is designed to keep sensitive browser data such as cookies out of reach of malware.
https://x.com/xaitax/status/1850500705074700298
Recall that App-Bound Encryption arrived this past summer with the release of Chrome 127. As the browser's developers explained, it encrypts cookies (with saved passwords and payment data to follow) under a key that only a Windows service running with SYSTEM privileges can unwrap. The point is to stop malware running with the rights of the logged-in user from stealing secrets stored in Chrome: in theory, malware would need SYSTEM privileges to get past the protection, and obtaining those is hard to do unnoticed.
https://security.googleblog.com/2024/07/...es-on.html
When reports spread that malware had already learned to bypass App-Bound Encryption, Google representatives told the media that this was expected. The company never intended to build "bulletproof" protection; App-Bound Encryption was only meant to lay the foundation for a gradually hardened system.
https://xakep.ru/2024/09/25/app-bound-en...on-bypass/
"We are aware that the new protection has caused a stir among infostealer developers. As we wrote in the blog, we expect that this protection will change the behavior of attackers towards more visible attack methods, including injections and memory scraping. This is exactly what we are seeing now," Google reported at the time.
Now that Hagenah has publicly released his App-Bound Encryption bypass on GitHub, anyone can examine and compile the tool.
https://github.com/xaitax/Chrome-App-Bou...Decryption
“This tool decrypts App-Bound Encryption keys stored in Chrome’s Local State file using Chrome’s internal COM-based IElevator service,” the project’s description reads. “The tool allows you to extract and decrypt the keys that Chrome protects with App-Bound Encryption to prevent access to protected data such as cookies, passwords, and payment data.”
As BleepingComputer reported, citing security researcher g0njxa, Hagenah's tool uses a basic bypass that most infostealers have already moved beyond. The method still works, however, because Chrome's developers have not yet shipped a fix for it.
Analysts at eSentire confirm this: according to them, Hagenah's approach resembles the early bypasses attackers used when App-Bound Encryption first appeared.
"[The] Lumma stealer used this method - instantiating the Chrome IElevator interface via COM to access the Chrome Elevation Service to decrypt cookies, but it is quite 'noisy' and easily detected. Now [the hackers] use indirect decryption, without interacting directly with the Chrome Elevation Service," eSentire says.
Google told the publication that it sees nothing wrong with the release of such a tool. Since it requires administrator rights to run, the company believes it has "successfully increased the level of access required for effective attacks of this type." (An administrator can obtain SYSTEM with little effort, so in practice the bar is administrator rights rather than the SYSTEM level described above.)
https://xakep.ru/2024/10/29/chrome-app-b...ecryption/