The Cookie Jar Is Wide Open Again
Google’s cookie encryption was a decent idea, a way to ensure that if a bad actor managed to get their fingers in your cookie jar, they wouldn’t be able to savour a cookie that was securely encrypted. You are probably asking the obvious question; unfortunately data harvesting is far too lucrative to be able to ban cookies altogether. The security of our personal browsing habits apparently pales when compared to the income of marketing companies and their customers. Instead we have to depend on our cookies being protected from being accessed by those who shouldn’t be able to grab them.
Sadly, malware writers have already figured out how to get back in the cookie jar without needing to hit Google to get the key, and now a security researcher has revealed the process by which they do that. It’s rather simple, grab the App-Bound encryption bypass tool from GitHub and drop it into the Google Chrome directory on a target computer which you have admin access to. Run it and it can then decrypt any of the Chrome cookies on that computer.
So much for that brief moment of protection via cookie encryption.
