Google Chrome AppBound Cookie Encryption Bypass Vulnerability

Vulnerability

A cookie encryption bypass has been identified in Google Chrome's AppBound Encryption mechanism. The weakness lies in the path validation logic of the Chrome elevation service, the privileged COM service that decrypts the cookie key on Chrome's behalf. When the cookie key is encrypted, the executable path of the Chrome process is recorded as validation metadata, and the service is meant to release the decrypted key only to a caller running from that path. Because the service does not compare a fully canonicalized path, an attacker can impersonate Chrome by naming a binary chrome.exe and placing it in a directory that resembles the Chrome installation directory. The service then decrypts the cookie key for the impersonating process, which can in turn decrypt cookies that were meant to be readable only by Chrome. The issue has been confirmed in Google Chrome versions 127 to 129 with AppBound Encryption enabled. Other Chromium-based browsers may also be affected if they protect the cookie key with a similar COM-based elevation service.

Impact

Exploitation allows a low-privileged process in the user's session to obtain the decrypted cookie key from the elevation service, bypassing the restriction that binds the key to the Chrome executable. With the key, the process can decrypt Chrome's stored cookies, enabling cookie theft and reuse of the victim's web sessions.

Reproduction

To reproduce, build a binary named chrome.exe and place it in a directory that mimics the Chrome executable path. When run, this binary sends the decryption request for the cookie key to the elevation service over COM; because the service's path validation accepts the look-alike path, it returns the decrypted key to the impersonating process.
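The class of bug described above (a loose path comparison that a binary named chrome.exe in a look-alike directory can satisfy) is illustrated by the following added example. This is not Chrome's elevation service code: the install path, the constructed caller paths and both check routines are assumptions made for the example. It places a weak string-based check beside a hardened one that canonicalizes the path and requires an exact match, and runs both over the same set of caller paths.

```python
"""
Illustrative caller-path validation for a service that must hand a secret
only to one specific executable. Added example, not Chrome's code: the
install path, caller paths and both checks are assumptions.
"""
import ntpath

# Assumed install location of the real browser (not taken from the page).
CHROME_EXE_PATH = r"C:\Program Files\Google\Chrome\Application\chrome.exe"


def weak_caller_check(caller_exe_path: str) -> bool:
    """Hypothetical weak check: accepts any caller whose image path ends in
    chrome.exe and whose directory string merely contains the expected
    segments. No canonicalization and no exact comparison."""
    lowered = caller_exe_path.lower()
    return (ntpath.basename(lowered) == "chrome.exe"
            and r"google\chrome\application" in lowered)


def canonicalize(path: str) -> str:
    """Emulate Windows path canonicalization offline: collapse '.' and '..',
    normalize '/' to '\\' and fold case. A real service should instead obtain
    the image path from the caller's process handle (QueryFullProcessImageNameW
    or GetFinalPathNameByHandleW), which also resolves 8.3 short names,
    junctions and trailing dots or spaces; ntpath does not, so those spellings
    are simply rejected here, which fails closed."""
    if not ntpath.isabs(path) or ntpath.splitdrive(path)[0] == "":
        # A relative path or one without a drive letter can never be the
        # image path of the installed browser.
        return ""
    return ntpath.normcase(ntpath.normpath(path))


def hardened_caller_check(caller_exe_path: str) -> bool:
    """Hardened check: canonicalize, then require an exact match with the
    canonical form of the installed executable path."""
    canon = canonicalize(caller_exe_path)
    return canon != "" and canon == canonicalize(CHROME_EXE_PATH)


# Constructed caller paths: the real browser in two spellings, plus
# look-alike binaries that a low-privileged user could create.
CALLERS = {
    "real, canonical": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    "real, mixed case and forward slashes":
        "c:/program files/google/chrome/application/./chrome.exe",
    "look-alike in user-writable dir":
        r"C:\Users\Public\Google\Chrome\Application\chrome.exe",
    "look-alike with dot-dot escape":
        r"C:\Program Files\Google\Chrome\Application\..\..\..\..\Users\Public\evil\chrome.exe",
    "relative path": r"Google\Chrome\Application\chrome.exe",
}


def evaluate(callers=CALLERS) -> dict:
    """Return {name: (weak_result, hardened_result)} for every caller path."""
    return {name: (weak_caller_check(p), hardened_caller_check(p))
            for name, p in callers.items()}


if __name__ == "__main__":
    for name, (weak, hard) in evaluate().items():
        print(f"{name:40} weak={weak!s:5} hardened={hard}")
```

Running it shows the two failure modes of the weak check at once: it accepts every look-alike path, including a relative one and one that escapes the install directory with `..`, while rejecting the genuine binary when its path is spelled with forward slashes. The hardened check accepts the real executable under either spelling and nothing else. In a real service the path must come from the caller's process handle, not from anything the caller supplies, and the comparison must be performed on the fully resolved long path.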

Remediation

Google has acknowledged the vulnerability and is working on a fix. A partial mitigation is available but is disabled by default, so affected installations gain no protection from it unless it is explicitly enabled. Users should monitor for future Chrome updates.

Added: Jul 2, 2025, 8:18 PM
Updated: Jul 2, 2025, 8:18 PM

Vulnerability Rating

Custom Algorithm
spread: 8.4
impact: 2.5
exploitability: 3.9
remediation: 8.3
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.