Chrome Introduces App-Bound Encryption to Combat Cookie-Stealing Malware

Windows Users Now Benefit from macOS-Level Security for Sensitive Data

Google is enhancing the security of sensitive data managed by Chrome for Windows users to combat infostealer malware targeting cookies. Infostealers can exploit session cookies to hijack accounts, potentially gaining unauthorized access and even selling accounts on black markets. Although cookies ideally expire after a short period to limit this risk, breaches like Okta’s incident involving stolen HAR files show that these attacks can be severe.

With the release of Chrome 127, Google is introducing app-bound encryption. This method encrypts data in a way that ties it to a specific app, ensuring that only the authorized application can decrypt it. If another app tries to access the encrypted data, the attempt will fail.

Will Harris, a senior software engineer on Chrome's security team, explained that Google leverages the highest security methods available for each operating system to protect Chrome’s secrets. On macOS, this involves Keychain, and on Linux, it uses system wallets like kwallet or gnome-libsecret. For Windows, Chrome utilizes the Data Protection API (DPAPI), which offers strong protection but is not immune to threats from malicious apps.