2026-05-06 Dark Reading

New VoidStealer Bypass Exposes Chrome App-Bound Encryption Flaw

Tags: Malware, Encryption, Zero-Day

Security researchers at Dark Reading have disclosed a novel technique that allows the VoidStealer Trojan to circumvent Google Chrome's App-Bound Encryption (ABE), a security mechanism introduced to protect sensitive data such as cookies, passwords and browsing history stored on disk. The attack exploits a flaw in the way Chrome stores the ABE master key in user-space memory, enabling a locally running infostealer to retrieve the key without triggering Windows User Interface Privilege Isolation (UIPI) warnings.

The bypass relies on injecting a malicious DLL into the Chrome process and hooking the CryptProtectData/CryptUnprotectData API calls that handle the encryption and decryption of the ABE key. By intercepting these calls, VoidStealer can extract the raw key material from memory and subsequently decrypt any data protected by Chrome's ABE. This method works on Chrome versions 120.0.6099.130 and later, which have ABE enabled by default on Windows 10 and Windows 11 systems.

Once the key is obtained, the Trojan can exfiltrate stored credentials, session cookies and autofill data to a remote command-and-control server operated by the threat actors. The exfiltrated data can be used for account takeover, credential stuffing or sold on underground markets. The researchers note that the attack is particularly stealthy because it does not generate suspicious file writes or unusual network traffic until the data is ready to be sent.

Google has been notified and is expected to release a patch that will move the ABE key into a hardware-backed secure enclave or enforce additional integrity checks on the key access path. In the meantime, users are advised to update Chrome to the latest stable build, enable the "Protect your saved passwords" feature with a device-bound PIN, and employ endpoint detection solutions that monitor for process injection and API hooking behavior. Security teams should also consider deploying YARA rules that detect the known VoidStealer DLL payload and monitor for anomalous Chrome child processes.
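The detection guidance above (watch for process injection into Chrome, DLLs loaded into the browser from untrusted locations, and anomalous Chrome child processes) can be expressed as a small set of rules over Sysmon-style telemetry. The following is an added example written for this page, not code from Dark Reading or from any vendor product, and it is not specific to VoidStealer: it assumes Sysmon event IDs 1 (process creation), 7 (image load) and 8 (CreateRemoteThread) with their standard field names, and the allow-lists for expected Chrome children and trusted DLL directories are assumptions to be tuned per environment. The log lines it scans are constructed for illustration.

```python
"""Flag Chrome process-injection and anomalous-child indicators in Sysmon-style events.

Added example (not the article's or any product's code). Assumes Sysmon JSON
records with EventID 1 (process create), 7 (image load) and 8 (CreateRemoteThread).
CreateRemoteThread is only one injection technique, so EID 8 alone is not a
complete injection detector; the EID 7 rule catches the DLL once it is mapped.
"""
import json
from dataclasses import dataclass

# Children chrome.exe legitimately spawns (assumption: tune for your fleet).
EXPECTED_CHROME_CHILDREN = {"chrome.exe", "chrome_pwa_launcher.exe", "software_reporter_tool.exe"}

# Directories Chrome is expected to load DLLs from (assumption: extend as needed).
TRUSTED_IMAGE_PREFIXES = (
    "c:\\program files\\google\\chrome\\",
    "c:\\program files (x86)\\google\\chrome\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)


@dataclass
class Alert:
    rule: str
    event: dict


def _basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict):
    """Return an Alert if the event matches one of the three rules, else None."""
    eid = ev.get("EventID")
    if eid == 1:
        # Rule 1: chrome.exe spawning something other than its own helpers.
        if _basename(ev.get("ParentImage", "")) == "chrome.exe" and \
                _basename(ev.get("Image", "")) not in EXPECTED_CHROME_CHILDREN:
            return Alert("chrome_unexpected_child", ev)
    elif eid == 8:
        # Rule 2: a foreign process starting a thread inside chrome.exe.
        if _basename(ev.get("TargetImage", "")) == "chrome.exe" and \
                _basename(ev.get("SourceImage", "")) != "chrome.exe":
            return Alert("remote_thread_into_chrome", ev)
    elif eid == 7:
        # Rule 3: chrome.exe mapping an unsigned DLL or one outside trusted paths.
        if _basename(ev.get("Image", "")) == "chrome.exe":
            loaded = ev.get("ImageLoaded", "").lower()
            signed = str(ev.get("Signed", "false")).lower() == "true"
            if not loaded.startswith(TRUSTED_IMAGE_PREFIXES) or not signed:
                return Alert("chrome_untrusted_image_load", ev)
    return None


def parse_lines(text: str):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def scan(events):
    """Run every event through check_event and keep the hits, in input order."""
    return [a for a in (check_event(e) for e in events) if a is not None]


# Constructed sample telemetry (not real IoCs): two benign and three suspicious records.
SAMPLE_LOG = r'''
{"EventID": 1, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"EventID": 8, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe", "TargetImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"EventID": 7, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ImageLoaded": "C:\\Windows\\System32\\crypt32.dll", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\hook.dll", "Signed": "false"}
'''

if __name__ == "__main__":
    for alert in scan(parse_lines(SAMPLE_LOG)):
        print(alert.rule, "->", alert.event.get("Image") or alert.event.get("SourceImage"))
```

Running the block prints three alerts: the cmd.exe child, the remote thread from the Temp-directory loader, and the unsigned hook.dll mapped into Chrome; the legitimate crypt32.dll load (the library that actually exports CryptProtectData and CryptUnprotectData) is not flagged because it is signed and lives under System32. In production the Rule 3 allow-list is the noisy part: third-party shell extensions and accessibility tools routinely load into browsers, so baseline first and alert on deviations.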

Source: Dark Reading
