Google has unveiled a new security feature for Chrome dubbed ‘Device Bound Session Credentials,’ designed to combat hackers’ exploitation of stolen cookies. These cookies, which store browsing data and preferences, are utilized by websites for automatic logins and bypassing multi-factor authentication (MFA) upon subsequent visits.
Unfortunately, cybercriminals employ malware to pilfer these cookies, enabling them to bypass MFA prompts and seize control of associated accounts. To address this issue, Google is developing Device Bound Session Credentials (DBSC), which cryptographically binds authentication cookies to a user’s device.
Upon activation, DBSC ties the authentication process to a unique public/private key pair generated through the device’s Trusted Platform Module (TPM) chip. This key pair remains securely stored on the device, rendering it impervious to exfiltration attempts by attackers. Even in the event of cookie theft, unauthorized access to accounts becomes unattainable.
Kristian Monsen, a software engineer at Google’s Chrome Counter Abuse team, asserts that DBSC aims to disrupt the cookie theft industry by rendering stolen cookies worthless.
Kristian Monsen, a software engineer at Google’s Chrome Counter Abuse team, asserts that DBSC aims to disrupt the cookie theft industry by rendering stolen cookies worthless. With authentication sessions bound to the device, attackers are constrained to local exploitation, facilitating more effective on-device detection and cleanup measures.
Though still in the prototype stage, Google has provided a tentative timeline for DBSC’s rollout. Interested users can test this feature by navigating to chrome://flags/ and activating the “enable-bound-session-credentials” flag on Windows, Linux, and macOS Chromium-based browsers.
DBSC operates by allowing a server to initiate a fresh session with your browser, linking it to a public key stored on your device through a dedicated API. Each session is fortified by a distinct key, safeguarding your privacy, with only the public key transmitted to the server for later verification. DBSC doesn’t facilitate cross-session tracking on the same device by websites, and users retain the ability to delete the generated keys at their discretion.
Anticipated to initially support approximately half of all Chrome desktop devices, this new security feature will seamlessly integrate with Chrome’s ongoing phase-out of third-party cookies. Kristian Monsen emphasizes that upon full deployment, both consumers and enterprise users will benefit from enhanced security for their Google accounts automatically.
Furthermore, Google is actively working to extend this technology to Google Workspace and Google Cloud customers, augmenting account security with an additional layer of protection.
In recent times, threat actors have exploited the undocumented Google OAuth “MultiLogin” API endpoint to generate fresh authentication cookies once stolen ones have expired. This poses a significant security risk, as demonstrated by operations such as Lumma and Rhadamanthys, which claimed the ability to revive expired Google authentication cookies pilfered in attacks.
the introduction of DBSC will effectively thwart threat actors from leveraging stolen cookies
Previously, Google advised affected users to eradicate any malware from their devices and encouraged the activation of Enhanced Safe Browsing in Chrome to mitigate phishing and malware threats. However, the introduction of DBSC will effectively thwart threat actors from leveraging stolen cookies, as they lack access to the cryptographic keys necessary for their exploitation.
