
New bypass punches through Chrome's app-bound encryption for cookie theft

via Dark Reading

Original source: Yet Another Way to Bypass Google Chrome's Encryption Protection (Dark Reading)

Researchers have demonstrated another technique that defeats Google Chrome’s app-bound encryption, the protection Google introduced to stop infostealers from lifting saved cookies, passwords, and payment data on Windows machines. App-bound encryption was meant to tie decryption to the browser process itself, forcing malware to escalate privileges or run as SYSTEM rather than simply reading the user’s local state. The new bypass shows that barrier is leakier than advertised.

The practical impact lands squarely on the infostealer ecosystem. Families like Lumma, StealC, and Rhadamanthys have spent the past year iterating bypasses every time Google ships a hardening update, and each new technique gets folded into commodity malware-as-a-service kits within days. That keeps session-cookie theft cheap and reliable, which in turn keeps fueling the account-takeover and post-exploitation pipeline that downstream ransomware crews depend on.

The broader signal is that local-only protections on a general-purpose OS will keep losing this arms race. As long as malware running as the logged-in user can reach the same surfaces the browser does, defenders should assume browser-stored secrets are recoverable and prioritize controls further up the stack: hardware-bound credentials, short-lived tokens, device posture checks, and detection on anomalous cookie reuse.
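The last of those controls, detection on anomalous cookie reuse, is the one a defender can build without touching the browser. Below is an added example of what that detection looks like; it is not code from the Dark Reading article or from this summary. It assumes a web application's access records carry a timestamp, the session cookie value, the client IP and the User-Agent (a constructed log shape), and it flags a session that is presented from two different client fingerprints within a short window, the trace left when a lifted cookie is replayed from a second machine while the victim's browser is still active. A User-Agent change is treated as higher severity than an IP change alone, since roaming or VPN use moves the IP but not the browser string. The window length and the sample records are assumptions for this example.

```python
"""Flag session cookies presented from more than one client fingerprint
within a short window (added example; log format and samples constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# How close two sightings must be to count as concurrent use of one session.
WINDOW = timedelta(minutes=15)

# Constructed sample access records: (timestamp, session cookie id, client IP, User-Agent).
# sess_a1: browser session replayed from a scripted client four minutes later.
# sess_b2: IP changes hours apart with the same browser (roaming, not flagged).
# sess_c3: IP changes within the window, same browser (flagged at medium severity).
SAMPLE_LOG: List[Tuple[str, str, str, str]] = [
    ("2024-05-01T09:00:00", "sess_a1", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
    ("2024-05-01T09:00:30", "sess_a1", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
    ("2024-05-01T09:04:00", "sess_a1", "198.51.100.77", "python-requests/2.31"),
    ("2024-05-01T09:05:00", "sess_a1", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
    ("2024-05-01T09:10:00", "sess_b2", "192.0.2.5", "Mozilla/5.0 (X11; Linux x86_64) Firefox/125"),
    ("2024-05-01T13:00:00", "sess_b2", "192.0.2.200", "Mozilla/5.0 (X11; Linux x86_64) Firefox/125"),
    ("2024-05-01T09:20:00", "sess_c3", "192.0.2.5", "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
    ("2024-05-01T09:22:00", "sess_c3", "192.0.2.6", "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
]


def detect_cookie_reuse(records: List[Tuple[str, str, str, str]],
                        window: timedelta = WINDOW) -> List[Dict]:
    """Return one alert per (session, pair of distinct fingerprints) seen within `window`.

    A fingerprint is (client IP, User-Agent). Sightings older than the window are
    dropped per session, so the state stays bounded when fed a live stream.
    """
    sightings: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    seen_pairs = set()   # de-duplicates repeated alerts for the same overlapping pair
    alerts: List[Dict] = []

    for ts_str, sid, ip, ua in sorted(records, key=lambda r: r[0]):
        ts = datetime.fromisoformat(ts_str)
        recent = [(t, i, u) for (t, i, u) in sightings[sid] if ts - t <= window]

        for t, i, u in recent:
            if (i, u) == (ip, ua):
                continue  # same client presenting its own cookie again
            key = (sid, frozenset([(i, u), (ip, ua)]))
            if key in seen_pairs:
                continue
            seen_pairs.add(key)
            alerts.append({
                "session": sid,
                # A different User-Agent on the same cookie is a stronger replay signal
                # than an IP move alone, which roaming or a VPN can explain.
                "severity": "high" if u != ua else "medium",
                "first": {"ts": t.isoformat(), "ip": i, "ua": u},
                "second": {"ts": ts.isoformat(), "ip": ip, "ua": ua},
                "gap_seconds": int((ts - t).total_seconds()),
            })

        recent.append((ts, ip, ua))
        sightings[sid] = recent

    return alerts


if __name__ == "__main__":
    for alert in detect_cookie_reuse(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['session']}: "
              f"{alert['first']['ip']} / {alert['first']['ua']!r} then "
              f"{alert['second']['ip']} / {alert['second']['ua']!r} "
              f"({alert['gap_seconds']}s apart)")
```

On the constructed sample this raises two alerts: a high-severity one for sess_a1, where a browser-minted cookie is presented by a non-browser client four minutes after the browser last used it, and a medium one for sess_c3, where only the IP moved. The sess_b2 IP change falls outside the window and is left alone. In production the fingerprint would normally include TLS or HTTP/2 characteristics rather than the spoofable User-Agent string, and the response to a high-severity hit is to revoke the session server-side, which is the step that makes a stolen cookie worthless regardless of how it was extracted.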


This is an AI-generated summary. Read the original for the full story.