A critical vulnerability allows low-privileged attackers to decrypt Chrome’s AppBound Cookie Encryption, a security feature Google introduced in July 2024 to protect user cookies from infostealer malware.
The attack, dubbed C4 (Chrome Cookie Cipher Cracker), uses a padding oracle attack against the Windows Data Protection API (DPAPI) encryption system.
Summary
1. Researchers developed "C4" attack bypassing Chrome's AppBound Cookie Encryption security feature.
2. Exploits Microsoft DPAPI weakness using error message analysis to decrypt cookies without admin privileges.
3. Requires automated 16-hour process to systematically crack cookie encryption.
4. Google implemented partial solution in June 2025, disabled by default pending full fix.
C4 Attack Bypasses Chrome’s AppBound Encryption
The C4 attack targets Chrome’s AppBound Encryption feature, introduced by Google in July 2024 to combat infostealer malware.
This security mechanism encrypts cookies using a dual-layer DPAPI system: first with User-DPAPI, then with SYSTEM-DPAPI, theoretically restricting access to SYSTEM-level processes only.
CyberArk reports that the elevation service, a COM server running as SYSTEM that handles cookie decryption requests, inadvertently creates a padding oracle vulnerability.
The attack exploits AES-CBC encryption mode combined with PKCS7 padding used by DPAPI.

When the elevation service attempts to decrypt tampered ciphertext, it generates different error messages in the Windows Event Viewer depending on padding validity: “unknown” for invalid padding versus “MAC check failed” for valid padding but incorrect signatures.
This differential response creates a padding oracle that attackers can exploit through repeated queries.
By systematically modifying ciphertext blocks and analyzing error responses, the C4 attack can decrypt the outer SYSTEM-DPAPI layer, revealing the inner User-DPAPI blob that low-privileged processes can then decrypt using standard CryptUnprotectData calls.
The padding oracle attack requires approximately 16 hours to complete, making numerous IPC requests to the elevation service while monitoring Windows Event Logs for padding validation responses.
Each guess involves file read/write operations and multiple inter-process communication exchanges, contributing to the extended timeframe.
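For defenders, the two error strings and the sustained request volume described above are a detection signal. The following is an added example, not code from CyberArk, Google or this article: it buckets elevation-service decrypt failures into fixed windows and flags windows where failures are frequent and both error classes appear. The record layout, message prefix, thresholds and sample events are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Error strings quoted in the article; matching them as substrings is an assumption.
PADDING_INVALID = "unknown"
PADDING_VALID_BAD_MAC = "MAC check failed"

def classify(message):
    """Map an event message to the padding answer it leaks, or None."""
    if PADDING_VALID_BAD_MAC in message:
        return "valid_padding"
    if PADDING_INVALID in message:
        return "invalid_padding"
    return None

def find_oracle_windows(events, window_s=300, min_failures=100):
    """events: iterable of (timezone-aware datetime, message) pairs.
    Flags each fixed window holding >= min_failures decrypt failures with
    BOTH error classes present. A padding oracle needs up to 256 guesses per
    byte, so it shows up as many 'invalid' results with occasional 'valid'
    ones; isolated failures of one kind do not alert."""
    buckets = {}
    for ts, message in events:
        kind = classify(message)
        if kind is None:
            continue
        key = int(ts.timestamp()) // window_s
        buckets.setdefault(key, Counter())[kind] += 1
    alerts = []
    for key in sorted(buckets):
        c = buckets[key]
        valid, invalid = c["valid_padding"], c["invalid_padding"]
        if valid + invalid >= min_failures and valid and invalid:
            start = datetime.fromtimestamp(key * window_s, tz=timezone.utc)
            alerts.append({"start": start, "invalid": invalid, "valid": valid})
    return alerts

def constructed_sample():
    """Constructed events: three isolated failures, then a 10-minute burst."""
    t0 = datetime(2025, 1, 1, 9, 0, 0, tzinfo=timezone.utc)
    events = [(t0 + timedelta(minutes=20 * i), "Decrypt failed: unknown")
              for i in range(3)]
    burst = t0 + timedelta(hours=2)
    for i in range(600):  # one failed decrypt per second
        msg = PADDING_VALID_BAD_MAC if i % 128 == 127 else PADDING_INVALID
        events.append((burst + timedelta(seconds=i), "Decrypt failed: " + msg))
    return events

if __name__ == "__main__":
    for alert in find_oracle_windows(constructed_sample()):
        print(alert)
```

In a real deployment the window size and threshold would be tuned against the baseline rate of elevation-service decrypt failures on the fleet.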
The attack leverages CBC mode’s bit-flipping vulnerability, where modifying ciphertext block C_n predictably alters plaintext block P_{n+1} through XOR operations.
While researchers initially attempted direct bit-flipping attacks to spoof Chrome’s executable path in validation data, DPAPI’s signature verification prevented this approach.
Additionally, researchers discovered a simpler COM hijacking technique that forces Chrome to revert to legacy encryption methods by redirecting the elevation service to non-existent binaries.

This approach requires less technical sophistication but results in a loss of previously encrypted cookies.
Partial Fix Implemented
Following responsible disclosure in December 2024, Google acknowledged the vulnerability and moved it to “accepted” status by February 2025.
As of June 23, 2025, Google has implemented a partial solution in Chrome, though it remains disabled by default. A comprehensive fix is planned for future releases.
Microsoft declined to address the underlying DPAPI vulnerability, stating that the issue doesn’t meet the security fix criteria due to “low practical exploitability.”
The attack demonstrates how combining legacy security mechanisms in novel ways can create unexpected vulnerabilities, highlighting the need for careful cryptographic implementation reviews.
The research underscores broader concerns about CBC encryption mode security, with experts suggesting it may be time to deprecate CBC entirely following repeated padding oracle demonstrations across various protocols.
The post New C4 Bomb Attack Bypasses Chrome’s AppBound Cookie Encryption appeared first on Cyber Security News.