Google has launched a new security feature for Chrome on Windows to prevent session theft by hackers. This update, called Device Bound Session Credentials (DBSC), is now available for Chrome 146 users. It aims to solve a common problem where scammers use infostealer malware to steal session cookies from a computer. Cookies are basically small files that websites use to remember you, so you don’t have to log in every time.

Google’s Chrome and Account Security teams noted in the official Google Security blog that “session theft typically occurs when a user inadvertently downloads malware onto their device.” If a hacker steals these cookies, they can hijack your accounts without needing your password.

Researchers explain that this “cookie exfiltration” is difficult to thwart because when malware like LummaC2 or Vidar compromises a device, it can easily see the files and memory where the browser stores this information.

“DBSC fundamentally changes the web’s capability to defend against this threat by shifting the paradigm from reactive detection to proactive prevention, ensuring that successfully exfiltrated cookies cannot be used to access users’ accounts,” explained the Google Account Security team.

How the new security works

The new system addresses this issue by linking your login session directly to your computer using a special security chip inside your machine, known as the Trusted Platform Module (TPM) on Windows or the Secure Enclave on macOS. The browser creates a unique public/private key pair that stays on your computer and cannot be moved to another device.

Now, whenever you use a website, Chrome must prove it holds that private key before the server will issue it a new cookie. These cookies are also short-lived, which matters because a hacker cannot steal the key from your hardware: any cookies they do manage to grab expire and become useless almost immediately.
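As an added illustration (not code from Google or the Chromium project, and not the real DBSC wire format, which it simplifies to a bare nonce-signature exchange), this Go model shows the server side of the flow described above: the site registers a device key at login, hands out a one-time challenge, issues a short-lived cookie only to a client that signs that challenge with the registered key, and rejects cookies that are expired, never issued, or refreshed with some other key. The Ed25519 key pair, the TTL and the cookie format are assumptions of the model; in real DBSC the private key lives in the TPM or Secure Enclave rather than in process memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"time"
)

// Cookie is a short-lived session cookie; its value is opaque to the client.
type Cookie struct{ Value string; Expires time.Time }
// Server models the site: registered device key, outstanding challenge,
// cookie lifetime, and the cookies it has issued (assumed model, not DBSC's).
type Server struct {
	pub       ed25519.PublicKey
	challenge []byte
	ttl       time.Duration
	issued    map[string]time.Time
}

func NewServer(pub ed25519.PublicKey, ttl time.Duration) *Server {
	return &Server{pub: pub, ttl: ttl, issued: map[string]time.Time{}}
}

// Challenge returns a fresh nonce the browser must sign with the device key.
func (s *Server) Challenge() []byte {
	s.challenge = make([]byte, 32)
	rand.Read(s.challenge)
	return s.challenge
}

// Refresh issues a new cookie only for a valid signature over the outstanding
// challenge under the registered key; each challenge is single use.
func (s *Server) Refresh(sig []byte, now time.Time) (Cookie, bool) {
	if s.challenge == nil || !ed25519.Verify(s.pub, s.challenge, sig) {
		return Cookie{}, false
	}
	s.challenge = nil
	raw := make([]byte, 16)
	rand.Read(raw)
	c := Cookie{Value: hex.EncodeToString(raw), Expires: now.Add(s.ttl)}
	s.issued[c.Value] = c.Expires
	return c, true
}

// Accept reports whether a presented cookie was issued here and is unexpired.
func (s *Server) Accept(c Cookie, now time.Time) bool {
	exp, ok := s.issued[c.Value]
	return ok && now.Before(exp)
}
```

An exfiltrated cookie is still usable until its TTL lapses, so the defence rests on the TTL being short and on the refresh step requiring the hardware-held key.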

Google has already seen a drop in successful attacks during ‘Origin Trials’ (early testing) in collaboration with other web platforms like Okta, the blog post reveals.

[Image: Google Chrome Update Disrupts Infostealer Cookie Theft; DBSC mechanism explained (Source: Google)]

Protecting privacy and national security

Google worked with Microsoft to make sure this new tech doesn’t track users, and each website gets a different key. This means companies cannot use this feature to fingerprint devices or to track your online activity across different sites. While Windows users have the update now, Google plans to bring it to macOS soon.

This update arrives at a critical time, given that infostealers mainly rely on simple human error to succeed rather than complex hacking. Last year, Hackread.com reported that over 30 million computers worldwide had been infected, with one in five devices holding sensitive corporate details.

The targets included high-profile organisations like the Pentagon, the FBI, and major defence contractors like Lockheed Martin and Honeywell. In those instances, hackers stole credentials and session cookies to sell access to military and government files for as little as $10. Through DBSC, Google hopes to stop hackers from bypassing two-factor authentication with stolen data and to prevent similar security breaches.

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.