VoidStealer Trojan Bypasses Google Chrome’s App‑Bound Encryption, Exposing Web Session Data
What Happened — Researchers identified that the VoidStealer malware can extract Chrome’s App‑Bound Encryption (ABE) master key from memory, allowing it to read passwords, cookies, and form data that were previously protected. The technique expands the capabilities of infostealers on Windows endpoints.
Why It Matters for TPRM (Third‑Party Risk Management) —
- Chrome is the default browser for most enterprise workstations; a bypass nullifies its built‑in data‑in‑transit protection.
- SaaS applications accessed via Chrome become vulnerable to credential theft, increasing third‑party risk.
- Existing vendor security questionnaires may no longer capture this emerging endpoint threat.
Who Is Affected — Enterprises across all sectors that deploy Google Chrome on Windows workstations; SaaS vendors whose services are accessed through the browser.
Recommended Actions —
- Ensure endpoint detection and response (EDR) solutions are updated to detect VoidStealer indicators.
- Enforce multi‑factor authentication for all web services accessed via Chrome.
- Review Chrome enterprise policies; consider disabling unnecessary extensions and tightening ABE settings.
- Deploy network DLP to monitor for anomalous exfiltration of browser data.
Technical Notes — The bypass leverages a flaw in Chrome’s ABE key‑derivation routine, allowing malicious code to read the master key from process memory. No CVE has been assigned; the method is a novel abuse of existing functionality. Data at risk includes stored credentials, session cookies, and any data entered into web forms.
Source: Dark Reading
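Because the technique described above depends on reading the ABE master key out of Chrome's process memory, one detection angle is cross‑process memory access against chrome.exe. The following is an added example for the Recommended Actions, not code from the advisory or from Dark Reading: it scans Sysmon ProcessAccess (Event ID 10) style records and flags any process outside an expected allowlist that opens chrome.exe with the PROCESS_VM_READ right. The SourceImage / TargetImage / GrantedAccess fields follow the real Sysmon Event ID 10 schema; the pipe‑delimited record format, the sample events, and the allowlist contents (including the EDR agent path) are constructed for illustration.

```python
"""Flag cross-process memory reads against chrome.exe in Sysmon-style
ProcessAccess (Event ID 10) records.

Added example, not from the advisory or from Dark Reading. The field names
follow the Sysmon Event ID 10 schema; the 'key=value|key=value' record
format, the sample events and the allowlist are constructed assumptions.
"""
from dataclasses import dataclass

# Windows access-right bit that permits reading another process's memory.
PROCESS_VM_READ = 0x0010

# Assumption: processes legitimately expected to open Chrome with read rights
# (Chrome's own processes, plus an EDR agent whose path is a placeholder).
EXPECTED_ACCESSORS = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files\exampleedr\edragent.exe",  # placeholder path
}


@dataclass
class ProcessAccessEvent:
    source_image: str
    target_image: str
    granted_access: int


def parse_event(line: str) -> ProcessAccessEvent:
    """Parse one constructed 'key=value|key=value' record into an event."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessAccessEvent(
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        granted_access=int(fields["GrantedAccess"], 16),
    )


def is_suspicious(ev: ProcessAccessEvent) -> bool:
    """True when an unexpected process opens chrome.exe with VM read rights."""
    if not ev.target_image.lower().endswith(r"\chrome.exe"):
        return False
    if ev.source_image.lower() in EXPECTED_ACCESSORS:
        return False
    # GrantedAccess is a bitmask; only the VM read bit matters here.
    return bool(ev.granted_access & PROCESS_VM_READ)


def find_suspicious(lines):
    """Return the parsed events that meet the detection condition."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Chrome opening one of its own processes: expected accessor.
    r"SourceImage=C:\Program Files\Google\Chrome\Application\chrome.exe"
    r"|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe"
    r"|GrantedAccess=0x1410",
    # Placeholder EDR agent with query-only rights: no VM read bit.
    r"SourceImage=C:\Program Files\ExampleEDR\edragent.exe"
    r"|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe"
    r"|GrantedAccess=0x1000",
    # Unknown binary in a user-writable path reading Chrome memory: flag it.
    r"SourceImage=C:\Users\alice\AppData\Local\Temp\update.exe"
    r"|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe"
    r"|GrantedAccess=0x1010",
    # Same unknown binary with query-only rights: not flagged.
    r"SourceImage=C:\Users\alice\AppData\Local\Temp\update.exe"
    r"|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe"
    r"|GrantedAccess=0x1000",
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {ev.source_image} opened {ev.target_image} "
              f"with GrantedAccess 0x{ev.granted_access:04x}")
```

Sysmon only emits Event ID 10 for targets named in its configuration, so a rule matching chrome.exe as TargetImage must be in place before this logic sees anything. The allowlist will need tuning per environment: antivirus, accessibility tools and debuggers legitimately open browser processes with read rights, and the example deliberately ignores the CallTrace field that a fuller rule would use to separate those from unsigned binaries in user‑writable paths.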