Google Chrome
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*, +2 more
A security bypass vulnerability has been identified in Google Chrome's AppBound cookie encryption mechanism. The issue arises from inadequate validation of COM server paths during inter-process communication. A local, low-privileged attacker can exploit it by hijacking the COM class identifier (CLSID) registration used by Chrome's elevation service and redirecting it to a non-existent or malicious binary. Chrome then falls back to the older cookie encryption method, which is protected only by user DPAPI. This undermines the protection the AppBound encryption design was intended to provide, allowing cookies to be decrypted by any malware running in the user's context, without SYSTEM-level access. The vulnerability has been confirmed in Google Chrome with AppBound Encryption enabled; other Chromium-based browsers could be affected if they use similar COM-based encryption methods.
Exploitation of this vulnerability allows for cookie theft from Chromium-based browsers, bypassing the enhanced security measures introduced by Google in July 2024.
The vulnerability can be reproduced by hijacking the COM class identifier (CLSID) for Chrome's elevation service. This is done by registering a COM server under that CLSID, so that Chrome's cookie decryption requests are routed to the hijacked server, which can then manipulate the encryption keys used for cookie decryption. Alternatively, the registration can be pointed at a non-existent binary, causing Chrome to revert to the old encryption method, which low-privileged malware can defeat.
Google has acknowledged the vulnerability and is working on a fix. A partial solution is available but disabled by default. Users can also disable AppBound Encryption via Group Policy.
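As an added defensive check (not code from this advisory, from Google or from Chrome), the PowerShell function below audits the COM registration that the description says is insufficiently validated: it resolves the elevation service's CLSID in both HKLM and HKCU, and flags a missing binary, a per-user override, a binary outside the install directory, or a binary not signed by the expected publisher. The CLSID value, the LocalServer32 key, the install root and the signer name are assumptions to be replaced with the values for your own Chrome build.

```powershell
# Added example (not from the advisory): audit the COM registration used by
# Chrome's elevation service. Assumptions: the registration lives under
# CLSID\{...}\LocalServer32, the binary sits under the Chrome install root,
# and it is Authenticode-signed by 'Google LLC'. Replace $Clsid with the real
# value from your build; the default below is an obvious placeholder.
function Test-ElevationServiceComRegistration {
    param(
        [string] $Clsid = '{00000000-0000-0000-0000-000000000000}',  # placeholder
        [string] $ExpectedRoot = "$env:ProgramFiles\Google\Chrome\Application",
        [string] $ExpectedSigner = 'Google LLC'
    )
    $findings = @()
    $seen = $false
    # HKCR merges HKLM\Software\Classes and HKCU\Software\Classes, with HKCU taking
    # precedence, so a per-user entry is how a low-privileged hijack would appear.
    foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $hive "$Clsid\LocalServer32"
        if (-not (Test-Path $key)) { continue }
        $seen = $true
        $raw = (Get-ItemProperty -Path $key).'(default)'
        if (-not $raw) { $findings += "$key has no default value"; continue }
        # Strip quoting and any arguments to recover the executable path.
        $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split ' ')[0] }
        if ($hive -like 'HKCU*') { $findings += "per-user override present: $key -> $exe" }
        if (-not (Test-Path $exe)) {
            # A dangling path is the fallback condition the advisory describes.
            $findings += "missing binary: $exe (Chrome would fall back to DPAPI-only cookie protection)"
            continue
        }
        if (-not $exe.StartsWith($ExpectedRoot, [StringComparison]::OrdinalIgnoreCase)) {
            $findings += "binary outside expected install root: $exe"
        }
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid' -or
            $sig.SignerCertificate.Subject -notmatch [regex]::Escape($ExpectedSigner)) {
            $findings += "unexpected or invalid signature on $exe (status: $($sig.Status))"
        }
    }
    if (-not $seen) { $findings += "no LocalServer32 registration found for $Clsid in HKLM or HKCU" }
    if ($findings.Count -eq 0) { $findings = @("OK: $Clsid resolves to a signed binary under $ExpectedRoot") }
    return $findings
}

# Run with the real CLSID for your build, e.g.:
# Test-ElevationServiceComRegistration -Clsid '{...}' | ForEach-Object { Write-Output $_ }
```

Any line other than the "OK" result is worth correlating with registry-modification telemetry for the same key, since the fallback to DPAPI-only encryption leaves no other obvious trace.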