New Chrome feature aims to stop hackers from using stolen cookies


Google announced a new Chrome security feature called ‘Device Bound Session Credentials’ that ties cookies to a specific device, blocking hackers from stealing and using them to hijack users’ accounts.

Cookies are files that websites use to remember your browsing information and preferences and automatically log you into a service or website. These cookies are created after you log into a service and pass multi-factor authentication, so they allow future logins to bypass multi-factor authentication (MFA).

Unfortunately, attackers use malware to steal these cookies, thus circumventing MFA prompts to hijack the linked accounts.

To solve this problem, Google is working on a new feature called Device Bound Session Credentials (DBSC) that cryptographically binds your authentication cookies to your device, so that stolen cookies are of no use to attackers.

After enabling DBSC, the authentication process is linked to a new public/private key pair generated using your device’s Trusted Platform Module (TPM) chip. The key pair is stored securely on your device and can’t be exfiltrated, so even if an attacker steals your cookies, they won’t be able to access your accounts.
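The binding described above can be sketched as a proof-of-possession check. This is an added example, not Chrome's code and not the DBSC wire protocol; the software key stands in for a TPM-held key, and `makeDevice`, `SessionServer` and `demo` are hypothetical names.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for a device. With DBSC the private key would live in the
// TPM; here it is a software key that is only reachable through sign().
function makeDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { publicKey, sign: (challenge) => crypto.sign('sha256', challenge, privateKey) };
}

// Hypothetical server that stores the device's public key next to each session.
class SessionServer {
  constructor() { this.sessions = new Map(); }

  login(devicePublicKey) {
    const cookie = crypto.randomBytes(16).toString('hex');
    this.sessions.set(cookie, { publicKey: devicePublicKey, challenge: null });
    return cookie;
  }

  // Fresh single-use challenge, so a captured signature cannot be replayed.
  issueChallenge(cookie) {
    const session = this.sessions.get(cookie);
    if (!session) return null;
    session.challenge = crypto.randomBytes(32);
    return session.challenge;
  }

  // The cookie alone is not enough: the caller must sign the outstanding challenge.
  authorize(cookie, signature) {
    const session = this.sessions.get(cookie);
    if (!session || !session.challenge || !Buffer.isBuffer(signature)) return false;
    const challenge = session.challenge;
    session.challenge = null; // consume it, whatever the outcome
    return crypto.verify('sha256', challenge, session.publicKey, signature);
  }
}

function demo() {
  const server = new SessionServer();
  const owner = makeDevice();
  const otherMachine = makeDevice(); // holds a copy of the cookie, but not the key
  const cookie = server.login(owner.publicKey);
  const oldSignature = owner.sign(server.issueChallenge(cookie));
  const bound = server.authorize(cookie, oldSignature);
  const copied = server.authorize(cookie, otherMachine.sign(server.issueChallenge(cookie)));
  server.issueChallenge(cookie); // new challenge: the earlier signature no longer fits
  const replayed = server.authorize(cookie, oldSignature);
  return { bound, copied, replayed };
}
```

Only the request signed by the device that registered the key is accepted; the same cookie presented from another machine, or with a previously captured signature, is rejected.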
