Exploitation for Priv-Esc × Google Chrome

A publicly-reported instance of Exploitation for Priv-Esc bypassing Google Chrome, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Google Chrome

Technique

Exploitation for Priv-Esc

MITRE ATT&CK

T1068

Confidence

High

Severity

High

Status

in the wild

Disclosed

2025-02-02

Config / version noted

Not stated

Provenance

spycloud.com
disclosed 2025-02-02 · original source · via exa

Reported as

Multiple infostealer families have bypassed Chrome's App-Bound Encryption

Mechanism

Malware spawns Chrome with the --remote-debugging-port flag (default 9222) and uses the debugging API to dump all cookies, bypassing App-Bound Encryption on Windows, Keychain on macOS, and secret storage on Linux.

Detection & mitigation

Monitor for Chrome processes spawned with the --remote-debugging-port flag, especially from non-interactive or suspicious parent processes. Use endpoint detection to alert on command-line arguments containing '--remote-debugging-port' and network connections to localhost on port 9222 from unexpected processes. Mitigate by restricting Chrome's remote debugging via Group Policy or disabling it unless explicitly needed.

Exploitation for Priv-Esc has also been recorded against

Apple Atlassian Bitdefender Broadcom (Symantec)Comodo Security ConnectWise CrowdStrike Elastic ESET F5 Fortinet HitmanPro

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.