New Challenges for Attackers

In a recent update, Chrome has introduced a new security measure that complicates life for attackers. “Since the app-bound service operates with system-level privileges, hackers now need more than just a malicious app to infiltrate a system,” explained Harris. “They must obtain system privileges or inject code into Chrome, actions that legitimate software would never undertake.”

App-Bound Encryption and Its Implications

This new method tightly integrates the encryption key with the system, posing issues for Chrome profiles that migrate between different machines. Companies using roaming profiles should follow best practices, such as configuring the ApplicationBoundEncryptionEnabled policy, to avoid disruptions.

Cookie Protection and Future Plans

The update, rolled out with Chrome version 127 last week, currently safeguards cookies. However, Google has announced plans to extend this protection to passwords, financial data, and other long-term authentication tokens.

Detecting Unauthorized Access

Back in April, Google unveiled a solution that employs a Windows event log called DPAPIDefInformationEvent to reliably detect when browser cookies and passwords are accessed by another application on the same machine.

Security on Other Systems

It’s important to note that Chrome also secures passwords and cookies on macOS and Linux using system services like Keychain and wallets such as kwallet or gnome-libsecret.

Recent Security Enhancements

This update is part of a broader trend of security improvements in Chrome, which includes enhanced Safe Browsing features, Device Bound Session Credentials (DBSC), and automated scans of potentially dangerous files during downloads.

Raising the Stakes for Data Thieves

“App-bound encryption increases the difficulty and visibility of data theft,” Harris noted. “It sets a clear standard for acceptable behavior of other apps on the system.”

The Debate Over Third-Party Cookies

You might be interested in: Play Ransomware Hits Linux with New Variant

This update follows Google’s recent decision not to phase out third-party cookies in Chrome, which has sparked criticism from the World Wide Web Consortium (W3C). The W3C pointed out that third-party cookies enable tracking and data collection that can lead to micro-targeting of political messages, negatively impacting society. They also expressed concerns that this decision could delay the development of effective alternatives to third-party cookies across different browsers.