Security BSides Las Vegas 2024

Chrome Cookie Theft on macOS, and How To Prevent It
2024-08-06, Florentine A

If you had a shell on someone’s MacBook, could you read their Chrome cookies? This talk will survey a broad set of techniques that will do just that. Then, I’ll share my experience using open-source tools like Santa and osquery to prevent and detect these attacks on macOS.


In this talk, I share my experience trying to prevent cookie exfiltration on employee laptops at Figma.

My goal was to make it hard for malware on a coworker's MacBook to read their Chrome cookies, even if it was running as their user.

Now, Chrome already encrypts your cookies on disk with an encryption key that lives in your login keychain. The keychain will only give that encryption key to a process that's code-signed as Chrome. That's a great start!

But it turns out, there are a bunch of ways that malware can get Chrome to decrypt your cookies and hand them over. I'll cover well-known cookie theft techniques (like using the Remote Debugger), as well as some new methods I came up with.

If you come to this talk, you'll learn:
- How malware can steal cookies on Chromium-based browsers (including Electron apps)
- How to prevent cookie theft, using Santa File Authorization and Chrome Enterprise flags
- How to detect cookie theft, using osquery

Nick is an engineer on Figma's Security Team. He's been working on security teams at SaaS companies since the first season of Succession came out. He spends his time helping engineers write more secure Electron apps, OAuth flows, and login code.