According to Arun on StackOverflow “Starting Chrome 80 version, cookies are encrypted using the AES256-GCM algorithm, and the AES encryption key is encrypted with the DPAPI encryption system, and the encrypted key is stored inside the ‘Local State’ file.”. (https://stackoverflow.com/questions/60230456/dpapi-fails-with-cryptographicexception-when-trying-to-decrypt-chrome-cookies/60611673#60611673).
Now at first glance this looks like an improvement rather than passing cookies to Windows Data Protection API (DPAPI) directly they’re encrypted with a better algorithm and only the key is protected through the API. Stronger encryption is used and Windows Data Protection API encrypts the key. Unfortunately the protection scope is changed from LocalUser to LocalMachine.
It appears that this means if a user were to copy the hard drive by plugging it into another computer they would no longer need your Windows account password to decrypt this key in the local state file with the Windows Data Protection API. In theory this would allow another user on the system to steal passwords and cookies weakening security protections that existed further.
I put together a code demo with Brave Browser demonstrating this risk (see: https://github.com/irlcatgirl/BraveCookieReaderDemo). It’s easy enough to swap paths of SQLite and Local State files for Chrome.
According to https://docs.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata#parameters
Typically, only a user with logon credentials that match those of the user who encrypted the data can decrypt the data. In addition, decryption usually can only be done on the computer where the data was encrypted. However, a user with a roaming profile can decrypt the data from another computer on the network. If the CRYPTPROTECT_LOCAL_MACHINE flag is set when the data is encrypted, any user on the computer where the encryption was done can decrypt the data. The function creates a session key to perform the encryption. The session key is derived again when the data is to be decrypted.
Due to a change in scope in Windows DPAPI did this change harm Chrome’s security or am I misinterpreting my findings?