New Chrome Feature Blocks Hackers From Stealing Your Cookie

Google has unveiled a new web feature called “Device Bound Session Credentials (DBSC)” that will help protect users from cookie theft.

Malware that steals cookies from users and allows attackers access to their accounts affects a large number of users online. 

Usually, the malware transfers all authentication cookies from the device’s browsers to remote servers, allowing the attackers to compile, organize, and market the hacked accounts.

Such cookie theft occurs post-login, bypassing two-factor authentication and other reputation checks that occur during login.

Chrome and other browsers are unable to shield cookies from malware with the same level of access as the browser itself due to the way operating systems and cookies interact, especially on desktop operating systems.

Document
Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

The Device Bound Session Credentials (DBSC) have been introduced to solve this issue. 

“By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value. We think this will substantially reduce the success rate of cookie theft malware”, Google said.

Attackers would have to act locally on the device, increasing the efficacy of on-device detection and cleanup for enterprise-managed devices as well as anti-virus software.

The DBSC API allows a server to establish a new session on a device with a certain browser.

Upon launching a new session, the browser generates a new set of public and private keys locally on the device, utilizing the operating system to securely store the private key in a manner that hinders export. 

For key protection, Chrome will make use of tools like Trusted Platform Modules (TPMs), which are intended to verify the integrity of operating systems and store cryptographic keys.

High-Level Overview of the Feature

Since every session has its key, DBSC prevents sites from associating keys from various sessions on the same device to guarantee that no further persistent user monitoring has been implemented. 

Using the Chrome settings, the user can permanently remove the generated keys. 

“DBSC doesn’t leak any meaningful information about the device beyond the fact that the browser thinks it can offer some type of secure storage. The only information sent to the server is the per-session public key which the server uses to certify proof of key possession later”, Google said.

DBSC will be completely compliant with Chrome’s phase-out of third-party cookies.

Depending on user settings and other criteria, DBSC will be available and/or segmented in third-party contexts in the same way that third-party cookies do. 

This is to ensure that, in the meantime, third-party cookies may be adequately secured and that, if they are phased out, DBSC does not become a new tracking vector.

Google is presently testing a DBSC prototype to safeguard some Google Account users who are using the Chrome Beta.

Consumers and business users will immediately receive enhanced protection for their Google accounts once it is completely implemented.

To add an extra degree of account protection, the business is also planning to activate this technology for all Google Workspace and Google Cloud customers.

Several server providers, identity providers (IdPs) like Okta, and browsers like Microsoft Edge have shown interest in DBSC to protect its users from cookie theft.

According to Google, users of Chromium-based web browsers running on Windows, Linux, and macOS can test DBSC by going to chrome://flags/ and activating the “enable-bound-session-credentials” dedicated flag.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.