Nice Cookie Encryption Scheme Google … Shame If Something Happened To It

The Cookie Jar Is Wide Open Again
Google’s cookie encryption was a decent idea: a way to ensure that if a bad actor managed to get their fingers in your cookie jar, they wouldn’t be able to savour a cookie that was securely encrypted. You are probably asking the obvious question, why have cookies at all; unfortunately, data harvesting is far too lucrative for cookies to be banned altogether. The security of our personal browsing habits apparently pales when compared to the income of marketing companies and their customers. Instead, we have to depend on our cookies being protected from those who shouldn’t be able to grab them.
Sadly, malware writers have already figured out how to get back in the cookie jar without needing to hit Google to get the key, and now a security researcher has revealed the process by which they do that. It’s rather simple: grab the App-Bound encryption bypass tool from GitHub and drop it into the Google Chrome directory on a target computer to which you have admin access. Run it and it can then decrypt any of the Chrome cookies on that computer.
So much for that brief moment of protection via cookie encryption.
The goal was to protect sensitive information from infostealer malware, which runs with the permissions of the logged-in user, making it impossible for it to decrypt stolen cookies without first gaining SYSTEM privileges and potentially raising alarms in security software.
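
Since the process described above puts the tool in the Google Chrome directory, one defensive check is to list executables there that do not carry a valid Google signature. This is an added example, not code from the researcher or from Google; the install paths, the expected signer string and the function name are assumptions to confirm against a known-good chrome.exe.

```powershell
# Added example, not from the original post or from Google.
# Assumption: default Chrome install locations on Windows.
$ChromeDirs = @(
    "$env:ProgramFiles\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application",
    "$env:LOCALAPPDATA\Google\Chrome\Application"
)
# Assumption: organisation field of Chrome's code-signing certificate.
# Confirm it on a known-good chrome.exe with Get-AuthenticodeSignature.
$ExpectedSigner = 'O=Google LLC'

# Hypothetical helper: returns one object per suspicious executable.
function Get-UnexpectedChromeExecutable {
    param(
        [string[]]$Path = $ChromeDirs,
        [string]$Signer = $ExpectedSigner
    )
    foreach ($dir in $Path) {
        # Skip locations that do not exist on this host.
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

        Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -eq '.exe' } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                # Flag anything unsigned, tampered with, or signed by someone else.
                $trusted = ($sig.Status -eq 'Valid') -and
                           ($subject -like "*$Signer*")
                if (-not $trusted) {
                    [pscustomobject]@{
                        Path            = $_.FullName
                        SignatureStatus = $sig.Status
                        Signer          = $subject
                        CreatedUtc      = $_.CreationTimeUtc
                        SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    }
                }
            }
    }
}

Get-UnexpectedChromeExecutable | Format-List
```

A hit is a triage lead rather than proof of compromise; compare the creation time and hash against your software deployment records before acting on it.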