
    Google Chrome beta tests new DBSC protection against cookie stealing attacks

    By techempire

    Report | April 3, 2024 | Editorial Department | Browser Security / Session Hijacking

    Google said on Tuesday that it is experimenting with a new Chrome feature called Device Bound Session Credentials (DBSC) that helps protect users from malware that steals session cookies.

    The tech giant’s Chromium team said the prototype is currently being tested on “some” Google account users running Chrome Beta, with the aim of making it an open web standard.

    “By tying authentication sessions to devices, DBSC aims to disrupt the cookie theft industry, as compromised cookies will no longer have any value,” the company noted.

    “We believe this will significantly reduce the success rate of cookie-stealing malware. Attackers will be forced to operate locally on the device, which makes on-device detection and cleaning more effective, whether for anti-virus software or enterprise-managed devices.”

    It has previously been reported that off-the-shelf information-stealing malware finds ways to steal cookies, which allows threat actors to bypass multi-factor authentication (MFA) protection and gain unauthorized access to online accounts.

    This session hijacking technique is not new. In October 2021, the Google Threat Analysis Group (TAG) detailed a phishing campaign that targeted YouTube content creators, using cookie-stealing malware to hijack their accounts and conduct cryptocurrency scams for profit.

    In early January this year, CloudSEK revealed that information stealers such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro and WhiteSnake had updated their capabilities to hijack user sessions and allow continued access to Google services after password resets.

    Google told The Hacker News at the time that “attacks involving malware that steal cookies and tokens are not new; we regularly upgrade our defenses against these techniques and protect users who fall victim to malware.”

    It also recommends that users enable the Enhanced Safe Browsing feature in the Chrome web browser to prevent phishing and malware downloads.

    DBSC aims to reduce this type of malicious behavior by introducing a cryptographic method that ties sessions to devices, making it more difficult for adversaries to abuse stolen cookies and hijack accounts.

    The new feature, offered as an API, achieves this by letting the server associate a session with a public key that the browser creates, as part of a public/private key pair, when a new session starts.

    It is worth noting that the key pair is stored locally on the device using the Trusted Platform Module (TPM). Additionally, the DBSC API allows the server to verify proof of possession of the private key throughout the session lifetime to ensure that the session is still active on the same device.
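As an added illustration (not code from Google or from the original article), the Node.js sketch below models the binding just described: the server stores a per-session public key and accepts a refresh only with a signature over a fresh challenge. It is a simplified model, not the DBSC wire format; `SessionServer`, `newDeviceKey`, `signChallenge` and `demo` are hypothetical names, and an in-memory software key stands in for the TPM-backed key.

```javascript
// Simplified model of a device-bound session; not the DBSC wire protocol.
const crypto = require('node:crypto');

// Browser side: per-session key pair; a software key stands in for the TPM-backed one.
function newDeviceKey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // NIST P-256
}
// Browser side: prove possession by signing the server's challenge.
function signChallenge(privateKey, challenge) {
  return crypto.sign('sha256', Buffer.from(challenge), privateKey);
}
class SessionServer { // hypothetical name
  constructor() { this.sessions = new Map(); }
  // Session start: bind a new session id to the browser's public key.
  register(publicKey) {
    const id = crypto.randomBytes(16).toString('hex');
    this.sessions.set(id, { publicKey, challenge: null });
    return id;
  }
  // Issue a fresh, single-use challenge for the next proof of possession.
  challenge(id) {
    const s = this.sessions.get(id);
    if (!s) return null;
    s.challenge = crypto.randomBytes(32).toString('hex');
    return s.challenge;
  }
  // Accept a refresh only with a valid signature over the outstanding challenge.
  refresh(id, signature) {
    const s = this.sessions.get(id);
    if (!s || !s.challenge) return false;
    const challenge = s.challenge;
    s.challenge = null; // consume it so an old proof cannot be replayed
    return crypto.verify('sha256', Buffer.from(challenge), s.publicKey, signature);
  }
}

// Constructed scenario: the bound device, a replayed proof, and a different key.
function demo() {
  const server = new SessionServer();
  const device = newDeviceKey();
  const id = server.register(device.publicKey);
  const proof = signChallenge(device.privateKey, server.challenge(id));
  const legit = server.refresh(id, proof);
  const replayed = server.refresh(id, proof); // no outstanding challenge
  const other = newDeviceKey(); // any key other than the bound one
  const wrongKey = server.refresh(id, signChallenge(other.privateKey, server.challenge(id)));
  return { legit, replayed, wrongKey };
}
console.log(demo());
```

Only the first refresh succeeds: the session identifier alone, or a previously captured proof, is not enough without the private key that stays on the device.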

    Google’s Kristian Monsen and Arnar Birgisson said: “DBSC provides an API for websites to control the life cycle of such keys behind a session abstraction, and provides a protocol to automatically prove ownership of these keys to the website server at regular intervals.”

    “Each session has a separate key, and it should be impossible to detect two different session keys from the same device. By binding the private key to the device and using appropriate attestation intervals, browsers can limit the malware’s ability to redirect its abuse away from the user’s device, significantly increasing the chance that a browser or server will detect and mitigate cookie theft.”

    An important caveat is that DBSC requires user devices to have a secure way to sign challenges while protecting private keys from malware, so the web browser must be able to access the TPM.

    Google said support for DBSC will initially roll out to about half of Chrome desktop users based on the machine’s hardware capabilities. The latest project is also expected to coincide with the company’s wider plan to eliminate third-party cookies from browsers by the end of the year through its Privacy Sandbox initiative.

    “This is to ensure that DBSC does not become a new tracking vector once third-party cookies are phased out, but also to ensure that such cookies are adequately protected in the meantime,” it said. “If the user opts out of cookies entirely, third-party cookies or specific website cookies, then DBSC will also be disabled in these cases.”

    The company further noted that it is working with multiple server vendors, identity providers (IdPs), and browser vendors such as Microsoft Edge and Okta, who have expressed interest in DBSC. DBSC origin trials for all supported sites will begin by the end of this year.
