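@inproceedings{5cafd38ecee64b83b31cc32bddbb6515,
  title         = {Exploiting {DPAPI} and {Local State} Decryption for Web Cookie Session Theft in Cross-Device {Chrome} Migrations},
  abstract      = {Multifactor Authentication (MFA) has grown in popularity for application and operating system security. In response, cyber criminals have turned to web browser session theft to defeat MFA. With a valid session ID, cyber criminals can bypass username/password and MFA requirements and gain access to sensitive systems such as email. Once accessed, attackers can extract sensitive information from the victim's account and use it for targeted phishing or mass spam campaigns. Prior research has focused on Man-in-the-Middle (MitM) attacks or Cross-Site-Scripting (XSS) attacks from vulnerable servers. A more realistic explanation for the increase in session theft is malware and users who are tricked into installing it. Google Chrome uses Windows Data Protection API (DPAPI) to encrypt and store passwords, session cookies and authentication tokens. To simulate malware, this study utilized a PowerShell script to decrypt the Local State file to defeat DPAPI. The decryption key was then utilized to decrypt the cookies in the SQLite database and provide valid session IDs.},
  keywords      = {Cookie Theft, Session Fixation Attacks, Session Hijacking, Session ID Theft, Session Theft, Token Replay Attacks},
  author        = {Herman, Kyle and Chen, Lei},
  note          = {Publisher Copyright: {\textcopyright} 2025 IEEE.; 2025 IEEE SoutheastCon, SoutheastCon 2025 ; Conference date: 22-03-2025 Through 30-03-2025},
  year          = {2025},
  month         = mar,
  day           = {22},
  doi           = {10.1109/southeastcon56624.2025.10971691},
  language      = {English},
  isbn          = {9798331504847},
  series        = {SoutheastCon 2025},
  publisher     = {Institute of Electrical and Electronics Engineers Inc.},
  pages         = {862--867},
  booktitle     = {Conference Proceedings - {IEEE SOUTHEASTCON}},
  address       = {United States},
  internal-note = {Auto-exported record: authors normalised to "Last, First" form and title acronyms brace-protected against sentence-casing styles. "address" holds a country rather than the publisher's city and "day" is not a standard BibTeX field (ignored by standard styles; biblatex users should fold year/month/day into a "date" field) -- verify against the publisher record before relying on either.},
}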