
Google Chrome is Beta Testing a New DBSC Protection to guard against Cookie-Stealing Attacks

Google is introducing a new feature in Chrome called Device Bound Session Credentials (DBSC) to enhance user protection against session cookie theft by malware. This feature, currently being tested with some Google Account users running Chrome Beta, is intended to become an open web standard, according to the Chromium team.

The objective of DBSC is to disrupt the cookie theft industry by binding authentication sessions to the device, making exfiltration of cookies less valuable for attackers. This new approach is expected to reduce the success rate of cookie theft malware and enhance the effectiveness of on-device detection and cleanup efforts.

This initiative comes in response to reports of information-stealing malware being used to steal cookies in a way that circumvents multi-factor authentication systems, allowing threat actors to gain unauthorized access to online accounts.

DBSC utilizes a cryptographic method to tie sessions to the device, making it more challenging for adversaries to abuse stolen cookies and hijack accounts. The feature is being offered via an API, enabling servers to associate sessions with public keys generated by the browser.

Google’s Kristian Monsen and Arnar Birgisson explained that DBSC introduces a protocol for proving possession of keys throughout the session to ensure continuity and security.
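The sketch below is an added illustration, not code from Google or the Chromium project, and it does not reproduce the DBSC wire format. It models the idea described above with WebCrypto: the server stores a public key per session and only refreshes the session when a fresh challenge is signed by the matching private key. `SessionServer`, `newDeviceKey` and `signChallenge` are hypothetical names, and the "stolen cookie" case is a constructed scenario.

```javascript
// Added illustration of key-bound sessions; NOT the DBSC wire format.
// SessionServer, newDeviceKey and signChallenge are hypothetical names.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // WebCrypto
const { subtle } = wc;
const ALG = { name: 'ECDSA', namedCurve: 'P-256' };
const SIG = { name: 'ECDSA', hash: 'SHA-256' };
const msg = (id, challenge) => new TextEncoder().encode(`${id}.${challenge}`);

class SessionServer {
  constructor() { this.sessions = new Map(); } // cookie value -> { publicKey, challenge }
  // Registration: remember the browser's public key alongside the session.
  register(publicKey) {
    const id = wc.randomUUID();
    this.sessions.set(id, { publicKey, challenge: null });
    return id;
  }
  // Issue a fresh, single-use challenge for the client to sign.
  challenge(id) {
    const s = this.sessions.get(id);
    return s ? (s.challenge = wc.randomUUID()) : null;
  }
  // Refresh succeeds only with a signature over the outstanding challenge
  // that verifies under the key bound at registration.
  async refresh(id, signature) {
    const s = this.sessions.get(id);
    if (!s || !s.challenge) return false;
    const data = msg(id, s.challenge);
    s.challenge = null; // consume first so a captured signature cannot be replayed
    return subtle.verify(SIG, s.publicKey, signature, data);
  }
}

// Client: extractable=false stands in for the protected key storage DBSC requires.
const newDeviceKey = () => subtle.generateKey(ALG, false, ['sign', 'verify']);
const signChallenge = (key, id, c) => subtle.sign(SIG, key.privateKey, msg(id, c));

async function demo() {
  const server = new SessionServer();
  const device = await newDeviceKey();
  const cookie = server.register(device.publicKey);
  const sig = await signChallenge(device, cookie, server.challenge(cookie));
  const legit = await server.refresh(cookie, sig);
  // Constructed scenario: the cookie value is copied to a machine holding a different key.
  const other = await newDeviceKey();
  const stolen = await server.refresh(cookie, await signChallenge(other, cookie, server.challenge(cookie)));
  server.challenge(cookie);
  const replay = await server.refresh(cookie, sig); // old signature, new challenge
  return { legit, stolen, replay };
}
demo().then(console.log);
```

The session identifier alone is not enough to keep the session alive: the refresh from the second machine and the replayed signature are both rejected.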

One important requirement for DBSC is that user devices must have a secure way of signing challenges and protecting private keys from malware. Support for DBSC will be initially rolled out to half of Chrome’s desktop users, with plans to expand to more users and websites in the future.

Google is collaborating with server providers, identity providers, and browser vendors to implement DBSC more widely. The company’s broader plans to sunset third-party cookies by the end of the year align with the goals of DBSC to enhance user privacy and security.
