← Back to Cybersecurity News Center
Severity
HIGH
CVSS
7.5
Priority
0.619
×
Tip
Pick your view
Analyst for full detail, Executive for the short version, or Plain & Simple if you are not a tech person.
Analyst
Executive
Plain & Simple
Executive Summary
VoidStealer, an infostealer trojan, has implemented a working bypass of Google Chrome's App-Bound Encryption (ABE), a credential-protection control introduced in Chrome 127 (mid-2024). The bypass allows attackers to extract saved passwords and session cookies from Chrome without triggering ABE's process-binding defenses, effectively neutralizing a control many organizations rely on to protect browser-stored credentials. Any workforce using Chrome with saved credentials or active sessions is at elevated risk of credential theft and session hijacking, regardless of whether ABE was considered part of their browser security posture.
Plain & Simple
Here’s what you need to know.
No jargon. Just the basics.
👤
Are you affected?
Probably, if you use Google Chrome and have saved passwords inside the browser, those passwords may be at risk.
🔓
What got out
Suspected: passwords saved inside Chrome browser
Suspected: login sessions that keep you signed in to websites
Confirmed: no specific company data breach, this is a browser theft tool
✅
Do this now
1 Open Chrome, go to Settings, and delete all saved passwords from the browser. 2 Start using a separate password app to store your passwords instead of Chrome. 3 Change passwords for your most important accounts like email and banking.
👀
Watch for these
Emails or texts saying someone logged into your account from a new device.
Accounts you did not log out of suddenly showing you as signed out.
Unexpected password reset emails you did not request.
🌱
Should you worry?
This threat requires a criminal to already have software running on your device. If your device is up to date and you avoid downloading unknown files, your risk is lower.
Want more detail? Switch to the full analyst view →
Impact Assessment
CISA KEV Status
Not listed
Threat Severity
HIGH
High severity — prioritize for investigation
Actor Attribution
HIGH
VoidStealer (malware family; threat actor attribution not confirmed in available sources)
TTP Sophistication
HIGH
6 MITRE ATT&CK techniques identified
Detection Difficulty
HIGH
Multiple evasion techniques observed
Target Scope
INFO
Google Chrome (App-Bound Encryption implementation; specific version range not confirmed in available sources)
Are You Exposed?
⚠
Your industry is targeted by VoidStealer (malware family; threat actor attribution not confirmed in available sources) → Heightened risk
⚠
You use products/services from Google Chrome (App-Bound Encryption implementation; specific version range not confirmed in available sources) → Assess exposure
⚠
6 attack techniques identified — review your detection coverage for these TTPs
✓
Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓
You have incident response procedures for this threat type → Prepared
Business Context
If attackers successfully steal Chrome-stored credentials and session cookies, they gain direct access to corporate applications, cloud services, and email accounts without needing passwords, including accounts protected by single sign-on. A single compromised endpoint where an employee has saved credentials to business-critical systems can enable account takeover, data exfiltration, or lateral movement across the organization. Organizations in regulated industries face additional exposure if stolen credentials provide access to systems storing personal, financial, or health data, triggering breach notification and audit obligations.
You Are Affected If
You have endpoints running Google Chrome with the built-in password manager enabled and credentials saved to the browser
Employees use Chrome to access corporate applications, cloud services, or email without an enterprise password manager enforcing credential storage outside the browser
You have treated Chrome's App-Bound Encryption (introduced in Chrome 127) as a sufficient credential protection control without additional layered defenses
Endpoint protection does not monitor for process injection targeting browser processes or unauthorized access to Chrome's User Data directory
Users can download and execute unsigned or unverified software on endpoints where Chrome is used for business access
Board Talking Points
Attackers have found a way to bypass a key Chrome browser protection and steal saved passwords and login sessions from employee devices.
IT security should disable Chrome's built-in password storage and migrate to an enterprise password manager within the next two weeks.
Organizations that take no action leave employee credentials exposed to theft, which can result in unauthorized access to business systems and potential data breach obligations.
Technical Analysis
VoidStealer is an infostealer trojan that bypasses Chrome's App-Bound Encryption (ABE), a defense introduced in Chrome 127 designed to bind DPAPI-based credential and cookie decryption to the browser process.
ABE was Google's mitigation against the wave of infostealer campaigns targeting Chrome's DPAPI credential store.
VoidStealer's technique circumvents process-binding controls to exfiltrate saved credentials and session cookies without triggering ABE protections.
No CVE has been assigned; this is a technique-based bypass, not a discrete software vulnerability. Relevant CWEs: CWE-693 (Protection Mechanism Failure), CWE-312 (Cleartext Storage of Sensitive Information), CWE-522 (Insufficiently Protected Credentials), CWE-284 (Improper Access Control). MITRE ATT&CK techniques include T1555.003 (Credentials from Web Browsers), T1539 (Steal Web Session Cookie), T1134 (Access Token Manipulation), T1574 (Hijack Execution Flow), T1027 (Obfuscated Files or Information), and T1056 (Input Capture). No vendor-confirmed patch or ABE update has been announced in available sources as of this report. Threat actor attribution beyond the malware family name is unconfirmed. Note: The Forbes, CIS Advisory, SecPod, and YouTube sources listed in this item's bibliography reference separate Chrome zero-day vulnerabilities from April 2026 and should not be conflated with this VoidStealer ABE bypass report.
Action Checklist IR ENRICHED
Triage Priority:
URGENT
Escalate to CISO and legal/privacy counsel immediately if Sysmon or EDR telemetry confirms a non-Chrome process accessed Login Data or Cookies files on any host storing credentials for systems that process PII, PHI, or financial data, as this constitutes a likely credential exfiltration event triggering breach notification assessment under GDPR Article 33, HIPAA 45 CFR §164.412, or applicable state data breach statutes.
1
Step 1: Containment — Audit Chrome deployments across the environment and identify systems where Chrome credential storage (saved passwords, session cookies) is enabled. Disable Chrome's built-in password manager via enterprise policy (PasswordManagerEnabled = false) to remove stored credentials as an exfiltration target while assessment is underway. Restrict process-level access to Chrome's User Data directory using filesystem ACLs. (Cite: NIST AC-3 — Access Enforcement / NIST AC-6 — Least Privilege / CIS 3.3 — Configure Data Access Control Lists / D3-UAP — User Account Permissions)
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST CM-6 (Configuration Settings)
NIST SI-4 (System Monitoring)
CIS 4.6 (Securely Manage Enterprise Assets and Software)
CIS 5.4 (Restrict Administrator Privileges to Dedicated Administrator Accounts)
Compensating Control
Without MDM/enterprise policy infrastructure, deploy a registry-enforced GPO manually or via PowerShell: Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Google\Chrome' -Name 'PasswordManagerEnabled' -Value 0 -Type DWord. Run this across endpoints via PsExec or a simple PowerShell remoting loop (Invoke-Command -ComputerName $hosts -ScriptBlock {...}). Verify enforcement by checking HKLM:\SOFTWARE\Policies\Google\Chrome on each host. Free tool: osquery — query SELECT * FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome%' to confirm policy presence at scale.
Preserve Evidence
Before disabling the password manager, image or export Chrome's Login Data SQLite file (AppData\Local\Google\Chrome\User Data\Default\Login Data) and Cookies file (AppData\Local\Google\Chrome\User Data\Default\Network\Cookies) from suspect hosts to preserve forensic state. Document last-modified timestamps on both files — VoidStealer's ABE bypass requires reading these files outside of Chrome's process binding, so unexpected recent access timestamps or shadow copies of these files by non-Chrome processes are key indicators. Also capture VSS snapshots of the User Data directory before any policy changes overwrite credential state.
2
Step 2: Detection — Hunt for VoidStealer indicators in endpoint telemetry. Monitor for process injection patterns (T1134, T1574) targeting chrome.exe, including unusual child processes spawned by or injecting into Chrome. Review EDR and audit logs for file access events against Chrome's User Data directory (AppData\Local\Google\Chrome\User Data\), focusing on Login Data, Cookies, and Local State files accessed by non-browser processes. Flag outbound connections following Chrome process activity to unknown or low-reputation destinations. Enable and collect audit logs per enterprise logging policy. (Cite: NIST AU-2 — Event Logging / NIST AU-6 — Audit Record Review, Analysis, And Reporting / NIST AU-12 — Audit Record Generation / CIS 8.2 — Collect Audit Logs / D3-SFA — System File Analysis / D3-LAM — Local Account Monitoring)
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST IR-4 (Incident Handling)
NIST IR-5 (Incident Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST SI-4 (System Monitoring)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Deploy Sysmon with a config that captures Event ID 10 (ProcessAccess) targeting chrome.exe and Event ID 11 (FileCreate) under AppData\Local\Google\Chrome\User Data\. Use this Sysmon filter in your config XML: <ProcessAccess onmatch='include'><TargetImage condition='contains'>chrome.exe</TargetImage></ProcessAccess>. Forward Sysmon logs to a local aggregator (e.g., Winlogbeat to an ELK stack or even Windows Event Forwarding to a collector). Use the public Sigma rule sigma/rules/windows/process_access/proc_access_win_browser_credential_access.yml as a detection baseline — adapt it to also match Login Data and Cookies file paths. For network hunting without a SIEM, run Wireshark or tcpdump on a span port filtering for large POST requests or TLS connections to non-browser processes immediately after Chrome activity: tcpdump -i eth0 -w voidstealer_hunt.pcap 'port 443 and not src port 443'.
Preserve Evidence
Collect Sysmon Event ID 10 logs showing GrantedAccess flags (0x10 = VM_READ) on chrome.exe from any process other than chrome.exe itself, Google Update, or known AV. Pull Windows Security Event Log Event ID 4688 (Process Creation with command line logging enabled) filtering on processes that access %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data or \Cookies. Capture network flow data (NetFlow or full PCAP) for outbound connections from non-browser processes in the 60-minute window following any detected Login Data file access — VoidStealer exfiltrates extracted credentials over C2 channels immediately after extraction. Also collect MFT ($MFT) records for the Chrome User Data directory to detect file reads not visible in standard audit logs.
3
Step 3: Eradication — Remove reliance on Chrome's built-in credential storage as a credential protection control. Migrate saved credentials to an enterprise password manager that does not depend on browser-native storage. Apply Chrome enterprise policies to enforce managed credential storage and disable native password saving. Track Chrome as a managed software asset and ensure only currently supported versions are authorized in the environment. Monitor Google's security blog and Chrome release notes for ABE hardening updates and apply promptly upon release. (Cite: NIST AC-6 — Least Privilege / CIS 2.1 — Establish and Maintain a Software Inventory / CIS 2.2 — Ensure Authorized Software is Currently Supported / CIS 4.6 — Securely Manage Enterprise Assets and Software / D3-CH — Credential Hardening / D3-CRO — Credential Rotation)
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication
NIST SI-2 (Flaw Remediation)
NIST CM-6 (Configuration Settings)
NIST IA-5 (Authenticator Management)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 7.2 (Establish and Maintain a Remediation Process)
CIS 5.2 (Use Unique Passwords)
Compensating Control
For teams without an enterprise password manager budget, use Bitwarden (free tier, self-hostable) as an immediate interim replacement — it operates entirely outside Chrome's native storage and is not subject to ABE bypass. To force-clear Chrome's stored credentials at scale without enterprise tooling, run: Remove-Item -Path "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data" -Force via PowerShell remoting, then enforce PasswordManagerEnabled=false via registry. Create a YARA rule to scan for VoidStealer dropper artifacts in common staging paths (%TEMP%, %APPDATA%, Startup folders) using YARA patterns matching strings associated with Chrome credential extraction (e.g., references to 'Login Data', 'os_crypt', 'v10' DPAPI blob headers in untrusted binaries).
Preserve Evidence
Before deleting Chrome credential stores, preserve forensic copies of Login Data (SQLite — contains encrypted passwords and the encryption key metadata), Cookies (SQLite — contains session tokens encrypted with ABE or DPAPI), and the Local State file (AppData\Local\Google\Chrome\User Data\Local State — contains the AES key used for v10/v11 DPAPI-wrapped credential encryption, which VoidStealer's ABE bypass specifically targets). The Local State file's 'encrypted_key' field is the exact artifact VoidStealer reads to reconstruct the decryption key outside of Chrome's process binding — preserve this file with hash verification before any remediation touches the User Data directory.
4
Step 4: Recovery — After policy changes are deployed, verify via enterprise policy reporting that PasswordManagerEnabled is disabled across all managed endpoints (CIS 1.1). Rotate credentials and invalidate session cookies for all accounts where Chrome-stored credentials may have been present on potentially compromised hosts. Re-image hosts where VoidStealer infection is confirmed rather than attempting in-place remediation. Enforce MFA on all externally exposed applications and remote access paths so that stolen credentials alone are insufficient for access. (Cite: NIST AC-2 — Account Management / NIST AC-12 — Session Termination / CIS 1.1 — Establish and Maintain Detailed Enterprise Asset Inventory / CIS 6.3 — Require MFA for Externally-Exposed Applications / CIS 6.4 — Require MFA for Remote Network Access / D3-CRO — Credential Rotation / D3-MFA — Multi-factor Authentication)
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery
NIST IR-4 (Incident Handling)
NIST IA-5 (Authenticator Management)
NIST CM-6 (Configuration Settings)
NIST SI-2 (Flaw Remediation)
CIS 7.3 (Perform Automated Operating System Patch Management)
CIS 7.4 (Perform Automated Application Patch Management)
CIS 6.2 (Establish an Access Revoking Process)
Compensating Control
Verify policy enforcement without MDM by running the following osquery query across all endpoints: SELECT * FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\PasswordManagerEnabled' AND data = '0'. For credential rotation prioritization, use PowerShell to query Chrome's Login Data SQLite file (before deletion) to enumerate which accounts had stored credentials: invoke sqlite3.exe against the Login Data file with SELECT origin_url, username_value FROM logins — this gives you the exact account list requiring forced password resets. Prioritize SaaS and identity provider accounts (SSO, Okta, Azure AD) first as those session cookies enable lateral movement far beyond the initial compromised host.
Preserve Evidence
Before re-imaging, collect a full memory dump (using WinPmem or Magnet RAM Capture — both free) from any host suspected of active VoidStealer infection to preserve in-memory credential material and any injected code that may not be present on disk. Capture the Windows Prefetch files (%SystemRoot%\Prefetch) for evidence of VoidStealer executable runs — prefetch entries persist across reboots and will show execution timestamps even after the malware binary is deleted. Also collect the SYSTEM, SAM, and SECURITY registry hives from suspect hosts to support post-recovery forensic analysis of any local credential access.
5
Step 5: Post-Incident — This bypass exposes a systemic control gap: browser-native credential storage cannot be treated as a secure credential vault. Review and update your credential storage policy under AC-1 to explicitly prohibit browser-native password saving. Establish or update a documented vulnerability management process to track browser security control changes such as ABE. Evaluate whether your EDR solution detects process injection targeting browser credential stores against T1555.003 and T1539. Update browser security configuration baselines to remove dependency on ABE as a standalone credential protection control, and document the remediation process. (Cite: NIST AC-1 — Policy And Procedures / NIST AU-6 — Audit Record Review, Analysis, And Reporting / CIS 7.1 — Establish and Maintain a Vulnerability Management Process / CIS 7.2 — Establish and Maintain a Remediation Process / D3-CH — Credential Hardening / D3-SFA — System File Analysis)
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity
NIST IR-4 (Incident Handling)
NIST IR-8 (Incident Response Plan)
NIST SI-5 (Security Alerts, Advisories, and Directives)
NIST RA-3 (Risk Assessment)
NIST SI-7 (Software, Firmware, and Information Integrity)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 4.6 (Securely Manage Enterprise Assets and Software)
Compensating Control
Conduct EDR detection gap testing against T1555.003 (Credentials from Web Browsers) and T1539 (Steal Web Session Cookie) using Atomic Red Team's free test library — run atomics for T1555.003 and T1539 on a test endpoint and verify your EDR/Sysmon alerting fires. If no EDR is available, create a Sigma rule targeting Sysmon Event ID 10 (process access to chrome.exe with VM_READ from non-browser processes) and test it against your Windows Event Forwarding setup. Subscribe to Google's Chrome Releases blog (https://chromereleases.googleblog.com/) and the Chrome Enterprise release notes for ABE hardening updates — set a calendar-based review trigger so any Chrome release above the current version is evaluated within 72 hours of release for ABE-relevant changes. Add MITRE ATT&CK T1555.003 and T1539 to your threat model as persistent detection requirements, not one-time responses.
Preserve Evidence
Document the full timeline of Chrome Login Data and Cookies file access events across the incident window as the primary forensic record of what credentials were exposed. Preserve this as the evidentiary basis for any breach notification assessment — the Login Data SQLite file's logins table enumerates every credential that was at risk by URL and username, and the Cookies table identifies every active session token that may have been harvested. Retain all collected Sysmon logs, memory images, and prefetch artifacts per your evidence retention policy (NIST AU-11 — Audit Record Retention) to support any regulatory or legal review.
Recovery Guidance
After credential rotation and policy enforcement, monitor IdP/SSO authentication logs (Okta, Azure AD, Google Workspace) for anomalous login events — specifically successful authentications from new geolocations, new device fingerprints, or outside business hours — for a minimum of 30 days, as VoidStealer-harvested session cookies may be replayed against SaaS targets well after the initial exfiltration window. Verify Chrome enterprise policy enforcement weekly for the first month via osquery or MDM compliance reporting to detect any policy rollback or new Chrome installations that bypass the PasswordManagerEnabled=false control. Re-baseline your browser security configuration to explicitly treat Chrome App-Bound Encryption as a defense-in-depth layer only, not a standalone credential protection control, and document this risk acceptance formally in your risk register.
Key Forensic Artifacts
Chrome Login Data SQLite file (AppData\Local\Google\Chrome\User Data\Default\Login Data) — contains the encrypted password store that VoidStealer's ABE bypass directly targets; last-accessed timestamp and any shadow copies indicate whether the file was read by a non-Chrome process outside of normal browser operation
Chrome Local State file (AppData\Local\Google\Chrome\User Data\Local State) — contains the 'encrypted_key' field holding the AES key wrapped in DPAPI that Chrome uses for v10/v11 credential encryption; VoidStealer's ABE bypass reads this file to reconstruct the decryption key outside of Chrome's process binding, making unexpected access to this file the most direct indicator of the bypass technique
Chrome Cookies file (AppData\Local\Google\Chrome\User Data\Default\Network\Cookies) — contains active session tokens encrypted under ABE; unauthorized reads of this file by non-Chrome processes indicate session cookie harvesting consistent with T1539 (Steal Web Session Cookie)
Sysmon Event ID 10 (ProcessAccess) logs filtered for GrantedAccess 0x10 (VM_READ) or 0x1010 targeting chrome.exe as TargetImage from any SourceImage other than chrome.exe, Google Update (GoogleUpdate.exe), or whitelisted AV — this is the primary telemetry artifact for detecting VoidStealer's process injection approach to bypassing ABE's process-binding defense
Windows Prefetch files (%SystemRoot%\Prefetch\*.pf) for unknown executables with creation or last-run timestamps correlating to Chrome User Data directory access events — VoidStealer components executing from %TEMP% or %APPDATA% staging paths will generate prefetch entries that persist after binary deletion, providing execution evidence even on fully wiped endpoints
Detection Guidance
No confirmed public IOCs for VoidStealer are available in current sources. Ground detection on behavioral indicators anchored to verified controls. Under NIST AU-2 (Event Logging), define the following event types as required audit events: process access events targeting chrome.exe by non-browser processes, file access events on Chrome credential store paths (Login Data, Cookies, Local State), and outbound network connections initiated by or immediately following Chrome process activity. Under NIST AU-12 (Audit Record Generation), ensure audit record generation is active on all endpoints running Chrome. Under NIST AU-3 (Content Of Audit Records), confirm that audit records capture process name, parent process, user context, timestamp, and target file or network destination to support correlation. Under NIST AU-6 (Audit Record Review, Analysis, And Reporting), perform regular review of endpoint audit records for the indicators described below. Under CIS 8.2 (Collect Audit Logs), verify that logging is enabled and being collected from all enterprise endpoints running Chrome — gaps in coverage create blind spots for this campaign. Behavioral indicators to monitor:
D3-SFA (System File Analysis) — flag any process other than chrome.exe, the Chrome Elevation Service, or explicitly whitelisted enterprise tools accessing %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data, Cookies, or Local State. On Windows, Sysmon Event ID 10 (ProcessAccess) targeting chrome.exe and Event ID 11 (FileCreate) or Event ID 15 (FileCreateStreamHash) in Chrome profile directories are primary sources. D3-LAM (Local Account Monitoring) — monitor for local account activity associated with processes accessing Chrome credential stores, particularly processes running under non-standard or elevated user contexts. Process injection detection — correlate Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) with OpenProcess, VirtualAllocEx, and WriteProcessMemory API call sequences targeting chrome.exe. Flag unsigned or low-prevalence executables involved in these events. Outbound network — correlate SIEM alerts on outbound connections to unknown or low-reputation destinations with preceding Chrome profile directory access events within the same process session. Under NIST AU-9 (Protection Of Audit Information), protect collected audit logs from tampering to preserve forensic integrity. SIEM correlation rule: file access on Chrome credential store paths AND process creation of unsigned executable within the same host session within a defined time window should generate a high-priority alert. No KB control in the current reference set maps directly to API-level hooking or DPAPI abuse monitoring — escalate detection engineering gaps for those sub-techniques to your EDR vendor.
Platform Playbooks
Microsoft Sentinel / Defender
CrowdStrike Falcon
AWS Security
🔒
Microsoft 365 E3
3 log sources
Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
🛡
Microsoft 365 E5
18 log sources
Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
🔍
E5 + Sentinel
27 log sources
All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
MITRE ATT&CK Hunting Queries (1)
Sentinel rule: Encoded command execution
KQL Query Preview
Read-only — detection query only
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}={0,2}"
or ProcessCommandLine has_any ("-enc ", "-encodedcommand", "frombase64string", "certutil -decode")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc
No actionable IOCs for CrowdStrike import (benign/contextual indicators excluded).
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
T1134
T1574
T1027
T1056
T1555.003
T1539
SI-3
SI-4
IA-5
AC-3
SC-13
IR-5
A04:2021
A07:2021
A01:2021
164.308(a)(5)(ii)(D)
164.312(a)(1)
164.312(d)
164.312(e)(1)
MITRE ATT&CK Mapping
T1134
Access Token Manipulation
defense-evasion
T1574
Hijack Execution Flow
persistence
T1027
Obfuscated Files or Information
defense-evasion
T1056
Input Capture
collection
T1555.003
Credentials from Web Browsers
credential-access
T1539
Steal Web Session Cookie
credential-access
Guidance Disclaimer
