
Google has made Device Bound Session Credentials (DBSC) generally available to all Windows users of its Chrome web browser, months after it began testing the security feature in open beta.
Public availability is currently limited to Windows users on Chrome 146, with macOS expansion planned for future Chrome releases.
“This project represents an important step forward in our ongoing efforts to combat session theft, which remains a pervasive threat in the modern security environment,” Google’s Chrome and Account Security teams said in a post Thursday.
Session theft involves covertly exfiltrating session cookies from a web browser to an attacker-controlled server, either by harvesting cookies already stored in the browser or by waiting for the victim to log into an account.
This usually happens after a user unwittingly installs information-stealing malware on their system. These stealer families, which include Atomic, Lumma, Vidar Stealer, and many others, collect a wide range of data, including browser cookies, from compromised systems.
Because session cookies often have long expirations, an attacker who obtains one can gain unauthorized access to the victim’s online account without knowing the password. Once collected, these tokens are packaged and sold to other attackers for financial gain, who then proceed with their own attacks.
DBSC, first announced by Google in April 2024, aims to counter this attack by cryptographically tying authentication sessions to specific devices. The idea is that this renders a cookie worthless even if malware steals it.

“This is done using hardware-assisted security modules, such as the Trusted Platform Module (TPM) in Windows or the Secure Enclave in macOS, to generate a unique public-private key pair that cannot be exported from the machine,” Google explained.
“Issuance of new short-lived session cookies is conditional on Chrome proving possession of the corresponding private key to the server. Attackers cannot steal this key, so compromised cookies quickly expire and become useless to attackers.”
If a user’s device does not support secure key storage, DBSC gracefully falls back to standard behavior without disrupting the authentication flow, Google says in its developer documentation.
The tech giant said it has observed a significant reduction in session theft since its introduction, an early sign of the measure’s success. The official announcement is just the beginning, as the company plans to bring DBSC to a wider range of devices and introduce advanced features to better integrate with enterprise environments.
Google, which designed the standard in collaboration with Microsoft with the goal of making it an open web standard, also emphasized that the DBSC architecture is private by design: because each session is bound to its own key, websites cannot use session credentials to correlate a user’s activity across different sessions or sites on the same device.
“Additionally, the protocol is designed to be efficient and does not reveal device identifiers or authentication data to the server beyond the per-session public key needed to prove proof of ownership. This minimal exchange of information allows DBSC to help secure sessions without enabling cross-site tracking or acting as a device fingerprinting mechanism.”
