Google Aims to Make Stolen Cookies Useless for Attackers

Google is preparing a new feature, called Device Bound Session Credentials (DBSC), that should make it much more difficult for hackers to use stolen session cookies.

One piece of advice people regularly hear is to use multi-factor authentication (MFA) to secure online accounts, which is extremely important in any context. Unfortunately, one way to bypass MFA is to steal session cookies directly from victims and use them to authenticate into online services.

Despite the bad rep cookies get, they remain an integral part of the online experience. It’s how browsers remember that you’ve logged into a website, for example. But the same data is often targeted by attackers who use specialized malware to exfiltrate session cookies, which eventually can end up for sale.

Google aims to change the way its Chrome browser handles cookies in a way that makes them useless in the hands of attackers, even if they do get them somehow.

“By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value,” explained Google in a post. “We think this will substantially reduce the success rate of cookie theft malware. Attackers would be forced to act locally on the device, which makes on-device detection and cleanup more effective, both for anti-virus software as well as for enterprise managed devices.”

The new feature will make use of existing Trusted Platform Modules (TPMs), which are already common in Windows 11 installations. Users with older hardware that doesn’t feature a TMP module or at least a modern version, won’t be forgotten. Google is exploring a software solution for this.

“When the browser starts a new session, it creates a new public/private key pair locally on the device, and uses the operating system to safely store the private key in a way that makes it hard to export. Chrome will use facilities such as Trusted Platform Modules (TPMs) for key protection, which are becoming more commonplace and are required for Windows 11, and we are looking at supporting software-isolated solutions as well,” Google added.

DBSC will take a while to implement and develop, and trials for interested websites should start by the end of 2024.