Low-privileged malware can still steal Chrome cookies, despite Google’s latest defenses.
In mid-2024, Google introduced AppBound Cookie Encryption, a major shift in how Chrome protects browser cookies from theft. The goal: block infostealers that operate with user-level privileges.
The technique, praised as a meaningful upgrade, encrypted cookie keys twice: once using the user’s credentials, and again using the SYSTEM account’s DPAPI. It worked, for a while.
However, researchers at CyberArk Labs have now uncovered a path around it. A pair of novel attacks, one using COM hijacking and the other a padding oracle attack, allowed the team to crack cookie encryption as a low-privileged user. The more powerful of the two, dubbed C4 (Chrome Cookie Cipher Cracker), turns Chrome’s own security mechanism into a decryption oracle.
The attack has implications beyond cookies. According to researchers, it opens the door to cracking any SYSTEM-DPAPI encrypted blob in Windows, provided similar setups are in place.
How Chrome Tried to Secure Cookies
Before AppBound, cookies in Chrome were protected by a single layer: a key encrypted with the Windows Data Protection API (DPAPI) under the user’s credentials. Malware running as that same user could decrypt the cookies. Simple. Dangerous.
AppBound changed that.
Chrome now encrypts cookie keys in three steps:
- First with User-DPAPI (as before).
- Then again with SYSTEM-DPAPI.
- It then stores metadata that binds the decryption request to the original executable path of Chrome.
To decrypt, Chrome calls an elevation service installed alongside the browser. The service runs as SYSTEM and returns the decrypted key only if the request comes from the legitimate Chrome binary.
At a glance, it looks solid. But there were gaps.
Attack One: COM Hijacking
Since Chrome’s elevation service is a COM server, researchers tested whether it could be hijacked. It could.
By modifying registry keys in the user’s HKCU hive, an attacker can point Chrome’s COM call at a non-existent DLL.
Chrome then falls back to the old cookie encryption method. Malware can sit silently, waiting for the user to browse, then pounce on fresh cookies encrypted with the old method.
It’s not elegant. And it takes time. But it works without admin rights.
Attack Two: Padding Oracle Crack
The second attack is more surgical. It exploits quirks in how DPAPI uses AES-CBC encryption. Normally, this mode is safe. But it’s vulnerable to padding oracle attacks when an attacker can repeatedly send modified ciphertext and observe whether padding errors occur.
In this case, the oracle wasn’t a leaked message or an exception; it was the Windows Event Log.
Researchers modified encrypted blobs and watched for different error types in the Event Viewer: valid padding with an invalid MAC produced one kind of error, invalid padding another.
Bit by bit, they decrypted the outer encryption layer. The inner one, protected by the user-level DPAPI, was trivial to unwrap.
The final step was reversing Google’s post-processing of the cookie key, which was a mix of hardcoded keys and XORs. From there, actual cookies fell easily.
Why It Matters
C4 isn’t just a Chrome problem. The elevation service’s design (letting low-privileged users request SYSTEM-level decryption) can be abused elsewhere. The team found similar SYSTEM-encrypted blobs in the Windows Credential Manager.
One example: Task Scheduler stores credentials in SYSTEM-DPAPI blobs. In theory, the same padding oracle method could decrypt them, though practical use would be limited. For the scheduler, each decryption attempt would require a reboot, a noisy and inefficient route.
Still, the research points to a broader issue: layering old security APIs in new ways can backfire.
The report also highlights risks in relying on AES-CBC, still one of the most widely used encryption modes. “It might be time to consider CBC insecure,” the researchers noted, echoing previous deprecations in TLS after similar attacks.
Disclosure and Fixes
CyberArk disclosed the attacks to Google and Microsoft in late 2024 and early 2025. Google has partially mitigated the padding oracle flaw in Chrome, though the fix is disabled by default. A full patch is planned. Microsoft, meanwhile, declined to fix the issue, citing low practical risk, and no CVEs were issued.
Getting Preoccupied With the ‘What-Ifs’
James McQuiggan, Security Awareness Advocate at KnowBe4, said: “With this style of attack, cybersecurity practitioners and leaders can often become preoccupied with the ‘what ifs’ of a theoretical exploit and forget to ask, ‘Would this work in the wild?’ Just because you can doesn’t mean someone will. This attack requires precision, patience, and specific conditions. It’s not the kind of thing your average threat actor is going to pick from the toolbox.”
He added that we all recognise that cybersecurity involves striking a balance between risk, opportunity, and likelihood. “It’s not about eliminating every theoretical hole, but about managing the ones most likely to be exploited. Security teams should stay focused on what matters in threat intelligence, which includes high-probability, high-impact threats that target and attack organisations regularly.”
Infostealers on the Rise
“Infostealer infections continue to increase. It was the most popular malware type in 2024 and even after significant takedowns new malware continues to emerge,” commented Daniel Dos Santos, Senior Director, Head of Research at Forescout.
“Any security feature that hinders their functioning is welcome and a vulnerability there could be worrying,” Dos Santos added. “However, this is unlikely to be exploited at scale by infostealer malware given the complexity of the attack, the resources involved, the time it takes to decrypt cookies and the fact that the attack would generate much more ‘noise’ for anti-malware systems to pick up on, potentially defeating the benefits of exploiting the vulnerability. This is good news for defenders, but it’s important to remain vigilant about innovations in infostealers, such as delivery via ClickFix attacks.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.