Google enhances Chrome security on Windows with app-bound encryption to fight cookie theft
Google has announced a new security enhancement for Windows users to combat cookie theft infostealer malware. Currently, Chrome secures sensitive data such as cookies and passwords using the strongest techniques available on each OS: Keychain services on macOS, system-provided wallets like kwallet or gnome-libsecret on Linux, and the Data Protection API (DPAPI) on Windows. While DPAPI protects data at rest from other users and cold boot attacks, it falls short against malicious applications running as the logged-in user.
With Chrome 127, Google introduces Application-Bound (App-Bound) Encryption primitives on Windows, improving upon DPAPI. This new layer ties encrypted data to the app's identity, similar to macOS's Keychain, preventing unauthorized access by other applications running under the same user account. The migration to this new system begins with cookies in Chrome 127, with future plans to extend this protection to passwords, payment data, and other persistent authentication tokens, bolstering defenses against infostealer malware.
"Jul 23, 2024 — Chrome 127 is starting to roll out on July 23rd, 2024, with CSS font-size-adjust, keyboard focusable scroll containers, and there's plenty ..."
Great change. Finally. It's a wonder why nothing has been done sooner, especially with Infostealers running rampant even on Google's own search engine, stealing data from Google's own browser, and affecting Google Accounts. At least they're not deaf; something is being done, and better late than never.
Though this probably is bad news for legitimate software like YT-DLP & Gallery-DL that have options to allow it to pull cookies directly from browser instead of using complicated options, confusing config files, and long-winded cookie exporting steps (some even advise using 3rd party extensions to export cookies, which doesn't sound good.)