![\"Google](\"https:\/\/www.bleepstatic.com\/content\/hl-images\/2023\/06\/16\/Google-Chrome-headpic.jpg\")
<\/p>\n<\/p>\n
Google has rolled out Device Bound Session Credentials (DBSC) protection in Chrome 146 for Windows, designed to block info-stealing malware from harvesting session cookies.<\/p>\n
macOS users will benefit from this security feature in a future Chrome release that has yet to be announced.<\/p>\n
The new protection has been announced in 2024<\/a>, and it works by cryptographically linking a user’s session to their specific hardware, such as a computer’s security chip – the Trusted Platform Module (TPM) on Windows and the Secure Enclave on macOS.<\/p>\n Since the unique public\/private keys for encrypting and decrypting sensitive data are generated by the security chip, they cannot be exported from the machine.<\/p>\n This prevents the attacker from using stolen session data because the unique private key protecting it cannot be exported from the machine.<\/p>\n “The issuance of new short-lived session cookies is contingent upon Chrome proving possession of the corresponding private key to the server,” Google says in an announcement today.<\/p>\n Without this key, any exfiltrated session cookie expires and becomes useless to an attacker almost immediately.<\/p>\n <\/p>\n A session cookie acts as an authentication token, typically with a longer validity time, and is created server-side based on your username and password.<\/p>\n The server uses the session cookie for identification and sends it to the browser, which presents it when you access the online service.<\/p>\n Because they allow authenticating to a server without providing credentials, threat actors use specialized malware called infostealer to collect session cookies.<\/p>\n Google says that multiple infostealer malware families, like LummaC2, “have become increasingly sophisticated at harvesting these credentials,” allowing hackers to gain access to users’ accounts.<\/p>\n “Crucially, once sophisticated malware has gained access to a machine, it can read the local files and memory where browsers store authentication cookies. As a result, there is no reliable way to prevent cookie exfiltration using software alone on any operating system” – Google<\/a><\/p>\n<\/p><\/div>\n The DBSC protocol was built to be private by design, with each session being backed by a distinct key. This prevents websites from correlating user activity across multiple sessions or sites on the same device.<\/p>\n Additionally, the protocol enables minimal information exchange that requires only the per-session public key necessary to certify proof of possession, and does not leak device identifiers.<\/p>\n In a year of testing an early version of DBSC in partnership with multiple web platforms, including Okta, Google observed a notable decline in session theft events.<\/p>\n Google partnered with Microsoft for developing the DBSC protocol as an open web standard and received input “from many in the industry that are responsible for web security.”<\/p>\n Websites can upgrade to the more secure, hardware-bound sessions by adding a dedicated registration and refresh endpoints to their backends without sacrificing compatibility with the existing frontend.<\/p>\n Web developers can turn to Google’s guide for DBSC implementation details<\/a>. Specifications are available on the World Wide Web Consortium (W3C) website, while an explainer can be found on GitHub.<\/p>\n ![\"Google](\"https:\/\/www.bleepstatic.com\/c\/a\/as-tour-the-platform-970-x250.jpg\")
<\/a> <\/div>\n\n![\"Google](\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1100723\/Chrome_DBSC-flow.png\")
source: Google<\/em><\/figcaption><\/figure>\n<\/div>\n\n