Google Chrome adds infostealer protection against session cookie theft

BleepingComputer technology

Key Points:

  • Google has introduced Device Bound Session Credentials (DBSC) protection in Chrome 146 for Windows to prevent info-stealing malware from harvesting session cookies by cryptographically linking sessions to a user’s hardware security chip.
  • DBSC uses keys held in hardware (the TPM on Windows, the Secure Enclave on macOS). Because the private key cannot be exported, a stolen session cookie is useless to an attacker on its own.
  • Chrome must prove possession of the private key to the server before the server issues new short-lived session cookies, which reduces the risk of session hijacking by infostealer malware such as LummaC2.
  • DBSC is designed to protect user privacy: it uses a distinct key per session, so websites cannot track a user across sessions or sites on the same device, and the exchange is kept to a minimum and leaks no device identifiers.
  • Google developed DBSC in collaboration with Microsoft and industry partners, and after a year of testing with platforms like Okta, noted a significant reduction in session theft events; websites can implement DBSC with backend upgrades while maintaining frontend compatibility.
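The proof-of-possession step the bullets describe, as an added illustration rather than Chrome's or the DBSC specification's own code: a simplified Go model in which the server issues a challenge, the client signs it with the session's device-bound key, and only a valid signature yields a new short-lived cookie. Ed25519 and an in-memory key stand in for the real hardware-held key, and all type and function names here are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"time"
)

// Server keeps, per bound session, the registered public key plus the current
// short-lived cookie and its expiry.
type Server struct {
	pub    ed25519.PublicKey
	cookie string
	expiry time.Time
	ttl    time.Duration
}

// NewSession makes a per-session key pair. Real DBSC keeps the private key in
// the TPM or Secure Enclave; handing it back in memory is a demo simplification.
func NewSession(ttl time.Duration) (*Server, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Server{pub: pub, ttl: ttl}, priv, nil
}
// Challenge hands out 32 random bytes; a signature over them proves possession.
func (s *Server) Challenge() []byte {
	b := make([]byte, 32)
	rand.Read(b)
	return b
}
// Sign is the client's answer to a challenge, made with the device-bound key.
func Sign(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}
// Refresh issues a new short-lived cookie (fresh randomness) only after the
// proof of possession verifies.
func (s *Server) Refresh(challenge, sig []byte, now time.Time) (string, bool) {
	if !ed25519.Verify(s.pub, challenge, sig) {
		return "", false
	}
	s.cookie, s.expiry = hex.EncodeToString(s.Challenge()), now.Add(s.ttl)
	return s.cookie, true
}
// Authorize accepts a cookie only while it is current and unexpired.
func (s *Server) Authorize(cookie string, now time.Time) bool {
	return cookie == s.cookie && now.Before(s.expiry)
}
```

A stolen cookie is honoured only until its short TTL runs out, and a holder without the session's private key cannot pass Refresh to obtain a replacement.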
