In another sign that browsers continue to be a prime attack target, authors of the VoidStealer Trojan have uncovered a way to bypass a Chrome security feature designed to protect session cookies and other sensitive data.
It’s the latest successful bypass of Chrome’s App-Bound Encryption (ABE), introduced by Google in July 2024 and compatible with other Chromium-based browsers that also use ABE, like Microsoft Edge, Opera, Vivaldi, Brave, and others, according to Kaspersky.
Google introduced ABE specifically to protect cookie data against infostealers on Windows systems. As the company explains, Google uses the highest level protections the operating system provides — like Keychain services in macOS and system-provided wallets on Linux systems — to encrypt and protect cookies and other sensitive browser data. The problem with the equivalent Data Protection API (DPAPI) feature in Windows is that it does not protect stored data like cookies and passwords from being accessed by malicious applications like infostealers, masquerading as a legitimate, logged in user. ABE aimed to fix the problem by ensuring that only the Chrome application itself could decrypt stored data rather than any process running as the legitimate user.
Bypassing Browser Protections
“The architects of this feature assumed that to access ABE-protected browser data, an infostealer would either need to escalate its privileges to system-level, or inject malicious code directly into Chrome,” Kaspersky researcher Alanna Titterington said. “In theory, this should have made attacking Chrome significantly harder and reduced the effectiveness of mass-market infostealers,” she said.
In reality however, security researchers and malware authors have found ways to bypass the protection almost as soon as Google implemented the feature in Chrome. The authors of infostealers like Meduza Stealer, Whitesnake, Lumma Stealer, and Lumar have all successfully continued to harvest cookie data and other secrets from Chrome, even after Google implemented ABE.
And researchers have demonstrated ways to do it as well. Titterington pointed to an effort by researcher Alex Hagenah, who showed how an attacker could extract cookies, passwords, payment methods, and tokens from Chrome even with ABE. His technique combined fileless, in-memory execution, process hollowing, direct system calls, and other stealth techniques to access encrypted data as if it were legitimate Chrome activity. Last year, CyberArk disclosed how its researchers developed a new so-called C4 attack technique that allowed them to decrypt Chrome cookies, even as a user with low privileges.
A Different Tactic
The tactic that the authors of VoidStealer employ is different from previous ABE bypasses, according to Titterington. It targets the moment when Chrome needs to decrypts data and uses it to sign into a website or to access saved credentials, she noted. To do this, Chrome exposes the master key in plaintext in browser memory; VoidStealer authors figured out a way to take advantage of that brief window of opportunity.
To capture that moment the malware attaches to the browser as a debugger, which developers use as a legitimate mechanism for troubleshooting. It then identifies the exact point in the browser’s execution where decryption occurs and pauses the process at that instant. This allows the attacker to extract the encryption key directly from memory, effectively bypassing the protections designed to keep it secure.
The VoidStealer bypass tactic is another indication of how browsers and browser extension have become a popular target for attackers. With enterprises moving more of their workflows into Web applications, browsers have become repositories of sorts for authentication token, credentials, financial information and a variety of other sensitive data.
