Infostealer Developers Claim They Can Bypass Chrome’s Cookie-Theft Protections

Published on September 25, 2024
Written by: Lore Apostol, Infosec Writer & Editor

According to a recent report, several infostealer malware developers claim to have successfully bypassed Google Chrome's App-Bound Encryption, a feature recently introduced to safeguard sensitive data such as cookies and stored passwords.

This encryption method, introduced in Chrome version 127, relies on a Windows service running with SYSTEM privileges to protect user data, which thwarts infostealer malware that runs only with the logged-in user's permissions.

Typically, to breach App-Bound Encryption, malware would need to obtain system-level privileges or inject code into Chrome, both of which are actions likely to trigger alerts from security tools.

However, according to security researchers g0njxa and RussianPanda9xx, several infostealer developers have announced successful bypasses for their tools, such as MeduzaStealer, Whitesnake, Lumma Stealer, Lumar (PovertyStealer), Vidar Stealer, and StealC.

[Image: Chrome Cookie Theft Protection. Image Source: BleepingComputer]

G0njxa confirmed that the latest variant of Lumma Stealer can circumvent Chrome 129's encryption feature. Testing was conducted on a Windows 10 Pro system in a controlled sandbox environment.

Meduza and WhiteSnake implemented their bypass mechanisms over two weeks ago. Lumma followed suit last week, while Vidar and StealC unveiled theirs this week.

[Image: Exploitation of Google Chrome Encryption. Image Source: BleepingComputer]

Lumma's initial response to App-Bound Encryption was a temporary workaround that required admin rights. The developers have since built a method that works with only the logged-in user's permissions, and they assured their customers that admin privileges are no longer needed for cookie theft.

While the specifics of how these bypasses were accomplished remain undisclosed, the creators of Rhadamanthys malware claimed that reversing the encryption took them just 10 minutes.

Chrome's App-Bound Encryption is a meaningful step forward in browser security, but as this incident illustrates, a single protection layer is quickly targeted, and the cybersecurity community must remain vigilant and proactive in countering such threats.

Infostealers are one of the main malware types used by threat actors, and Lumma Stealer, StealC, and Vidar Stealer were among the most frequently observed this year.
