
Yet Another Way to Bypass Google Chrome's Encryption Protection

Dark Reading, archived May 07, 2026

Authors of the VoidStealer Trojan uncovered a way to get around Google's App-Bound Encryption (ABE), opening the door to infostealers.



Jai Vijayan, Contributing Writer
May 6, 2026

In another sign that browsers continue to be a prime attack target, authors of the VoidStealer Trojan have uncovered a way to bypass a Chrome security feature designed to protect session cookies and other sensitive data.

It's the latest successful bypass of Chrome's App-Bound Encryption (ABE), introduced by Google in July 2024 and compatible with other Chromium-based browsers that also use ABE, like Microsoft Edge, Opera, Vivaldi, Brave, and others, according to Kaspersky.

Google introduced ABE specifically to protect cookie data against infostealers on Windows systems. As the company explains, Google uses the highest-level protections the operating system provides (like Keychain services in macOS and system-provided wallets on Linux systems) to encrypt and protect cookies and other sensitive browser data. The problem with the equivalent Data Protection API (DPAPI) feature in Windows is that it does not protect stored data like cookies and passwords from being accessed by malicious applications, like infostealers, masquerading as a legitimate, logged-in user. ABE aimed to fix the problem by ensuring that only the Chrome application itself could decrypt stored data, rather than any process running as the legitimate user.

Bypassing Browser Protections

"The architects of this feature assumed that to access ABE-protected browser data, an infostealer would either need to escalate its privileges to system-level, or inject malicious code directly into Chrome," Kaspersky researcher Alanna Titterington said.
"In theory, this should have made attacking Chrome significantly harder and reduced the effectiveness of mass-market infostealers," she said.

In reality, however, security researchers and malware authors have found ways to bypass the protection almost as soon as Google implemented the feature in Chrome. The authors of infostealers like Meduza Stealer, Whitesnake, Lumma Stealer, and Lumar have all successfully continued to harvest cookie data and other secrets from Chrome, even after Google implemented ABE.

And researchers have demonstrated ways to do it as well. Titterington pointed to an effort by researcher Alex Hagenah, who showed how an attacker could extract cookies, passwords, payment methods, and tokens from Chrome even with ABE. His technique combined fileless, in-memory execution, process hollowing, direct system calls, and other stealth techniques to access encrypted data as if it were legitimate Chrome activity. Last year, CyberArk disclosed how its researchers developed a new so-called C4 attack technique that allowed them to decrypt Chrome cookies, even as a user with low privileges.

A Different Tactic

The tactic that the authors of VoidStealer employ is different from previous ABE bypasses, according to Titterington. It targets the moment when Chrome needs to decrypt data and use it to sign into a website or to access saved credentials, she noted. To do this, Chrome exposes the master key in plaintext in browser memory; VoidStealer authors figured out a way to take advantage of that brief window of opportunity.

To capture that moment, the malware attaches to the browser as a debugger, a legitimate mechanism that developers use for troubleshooting. It then identifies the exact point in the browser's execution where decryption occurs and pauses the process at that instant.
This allows the attacker to extract the encryption key directly from memory, effectively bypassing the protections designed to keep it secure.

The VoidStealer bypass tactic is another indication of how browsers and browser extensions have become a popular target for attackers. With enterprises moving more of their workflows into Web applications, browsers have become repositories of sorts for authentication tokens, credentials, financial information, and a variety of other sensitive data.

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
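
An added example, not from the article or from Kaspersky: a triage filter for the behavior described under "A Different Tactic", flagging processes that hold a memory-read handle on a Chromium-based browser. It assumes Sysmon Event ID 10 (ProcessAccess) records already parsed into dictionaries; the allowlist entry, the sample records, and the function name are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Access-right bits from the Windows SDK (winnt.h).
PROCESS_VM_READ = 0x0010          # needed to read another process's memory
PROCESS_SUSPEND_RESUME = 0x0800   # needed to pause the target

BROWSERS = {"chrome.exe", "msedge.exe", "opera.exe", "vivaldi.exe", "brave.exe"}
# Hypothetical allowlist: tools expected to open browser processes on this fleet.
ALLOWED_SOURCES = {r"c:\program files\exampleedr\agent.exe"}

def suspicious_reads(events):
    """Return ProcessAccess records in which a process other than the browser
    itself, and not allowlisted, holds a memory-read handle on a browser."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        src, dst = ev["SourceImage"].lower(), ev["TargetImage"].lower()
        mask = int(ev["GrantedAccess"], 16)
        if PureWindowsPath(dst).name not in BROWSERS or not mask & PROCESS_VM_READ:
            continue
        # Compare full paths, not file names: a look-alike chrome.exe running
        # from a user-writable directory must not pass as the browser.
        if src == dst or src in ALLOWED_SOURCES:
            continue
        hits.append({"source": src, "target": dst, "mask": hex(mask),
                     "can_suspend": bool(mask & PROCESS_SUSPEND_RESUME)})
    return hits

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed sample records, not real telemetry.
SAMPLE = [
    {"EventID": 10, "SourceImage": CHROME, "TargetImage": CHROME,
     "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\ExampleEDR\agent.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "TargetImage": CHROME, "GrantedAccess": "0xc3a"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\chrome.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x10"},
    {"EventID": 1, "Image": CHROME},
]

if __name__ == "__main__":
    for hit in suspicious_reads(SAMPLE):
        print(hit)
```

A hit is a lead for triage rather than proof of compromise, since debuggers and security tools legitimately request the same rights.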