Google has announced the rollout of new session cookie protections in Chrome to prevent account compromise via stolen authentication cookies.
The feature, called Device Bound Session Credentials (DBSC), was announced in April 2024 and has become available in Chrome 146 for Windows. macOS users will receive it as well, in a future browser release.
DBSC fights session cookie theft by cryptographically binding authentication sessions to the user’s device, thus rendering stolen cookies useless.
Typically stolen using information-stealing malware and often shared or sold on cybercrime platforms, these tokens may provide attackers with access to users’ accounts without a password.
“Once sophisticated malware has gained access to a machine, it can read the local files and memory where browsers store authentication cookies. As a result, there is no reliable way to prevent cookie exfiltration using software alone on any operating system,” Google notes.
DBSC relies on hardware-backed security modules to generate a unique public/private key pair, and Chrome issues new short-lived session cookies to prove it possesses the private key to the server.
“Because attackers cannot steal this key, any exfiltrated cookies quickly expire and become useless to those attackers,” Google explains.
Websites can adopt the protection through dedicated registration and refresh endpoints, and the browser handles the cryptography and cookie rotation, so that all web apps can continue to use standard cookies for access.
According to Google, an early version of the protocol that was rolled out last year has demonstrated a significant reduction in session theft when DBSC was enabled.
Because each browser session is backed by a different key, websites cannot use them to track users across sessions or sites. Furthermore, the device does not share identifiers or attestation data with the server to prevent fingerprinting and cross-site tracking.
According to Google, DBSC was built as an open web standard through the W3C process, and Microsoft helped design it. Okta and other web platforms have tested DBSC, and implementation details have been included in a guide for web developers.
Google is also working to secure federated identity by expanding DBSC to support cross-origin bindings, implementing advanced registration capabilities to tie DBSC sessions to pre-existing trusted key material, and potentially adding software-based keys to make protection available on devices that lack dedicated secure hardware.
Related: Exploited Zero-Day Among 21 Vulnerabilities Patched in Chrome
Related: Google API Keys in Android Apps Expose Gemini Endpoints to Unauthorized Access
Related: Sophisticated CrystalX RAT Emerges
Related: Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on Macs
