Google Enhances Chrome Security on Windows with MacOS-Like Update to Combat Cookie Theft Malware

When Google recognizes a significant vulnerability in its software and announces an update making it more “macOS-like,” it’s a noteworthy development. Given that the software in question is Chrome, the primary interface for Google’s billion-dollar marketing engine on Microsoft Windows, this is indeed significant.

“Cybercriminals using cookie theft infostealer malware continue to endanger our users’ safety and security,” Will Harris from Chrome’s Security Team wrote on Tuesday. “Today, we’re introducing an additional layer of protection to make Windows users safer from this type of malware.”

This update also has a key focus on cookies. Google has successfully pushed cookies—specifically the tracking variety—into the spotlight this month. However, this update targets session cookies that authenticate your identity across apps without requiring repeated logins.

“Chrome currently secures sensitive data like cookies and passwords using the strongest techniques available on the OS,” Harris explains. “On Windows, Chrome uses the Data Protection API (DPAPI), which protects data at rest from other users on the system or cold boot attacks. However, DPAPI doesn’t defend against malicious applications capable of executing code as the logged-in user, which infostealers exploit.”

Chrome’s new proposal is “a new protection on Windows” that updates DPAPI to introduce “application-bound” encryption. This means “Chrome [on Windows] will encrypt data tied to app identity, similar to how the Keychain operates on macOS.” This new security feature will protect cookies starting with Chrome 127, and Google plans to extend this protection to passwords, payment data, and other persistent authentication tokens in future releases, further shielding users from infostealer malware. While not a catch-all solution, these measures will make attacks more difficult and easier to detect.

Session cookie theft is a significant issue for Chrome, and there are initiatives to bind those cookies to device IDs to prevent their use on unauthorized devices. However, if malware infects the home device and uses the cookie as if it’s authorized, this protection won’t apply. This update ensures that “if another app on the system tries to decrypt the same data, it will fail.”

Given Chrome’s dominance on Windows, this update is akin to a core OS change rather than just a browser update. It’s a commendable move by Chrome’s security team, especially their nod to Mac’s security practices—timely, considering the recent CrowdStrike comparison between Windows and Mac. However, the more prominent cookie news of the week remains the issue of tracking cookies, risking this update getting lost in the noise.