Google has made a significant advancement in enhancing the security of its Chrome browser with the announcement of a new feature, ‘Device Bound Session Credentials’ (DBSC), designed to combat the theft and misuse of cookies by threat actors. Cookies, which store browsing information and authentication data, are often targeted by malware to bypass multi-factor authentication and hijack user accounts. To address this vulnerability, DBSC cryptographically binds authentication cookies to a specific device, making it nearly impossible for attackers to steal and exploit them. Through the use of a device’s Trusted Platform Module (TPM) chip, a unique public/private key pair is generated and securely stored on the device, rendering stolen cookies ineffective in accessing user accounts.
The introduction of DBSC marks a significant advancement in mitigating the risk posed by cookie theft malware, as it disrupts the illicit use of stolen cookies and significantly reduces the success rate of such attacks. By linking authentication sessions to users’ devices, the new security feature aims to render stolen cookies worthless, providing a robust defense against unauthorized access to user accounts. Furthermore, the implementation of DBSC is expected to enable local detection and cleanup, making on-device security measures more effective and enhancing the overall security posture of Chrome users.
Although the DBSC feature is currently in the prototype phase, Google has provided an estimated timeline for its development and deployment. Users can test DBSC by enabling the “enable-bound-session-credentials” flag in their Chrome browsers on Windows, Linux, and macOS platforms. The feature ensures privacy protection by backing each session with a unique key and prevents sites from tracking users across different sessions on the same device. Additionally, users have the flexibility to delete the keys generated by DBSC at any time, providing control over their security settings. This new capability is expected to provide upgraded security for both consumer and enterprise users automatically, aligning with Google’s commitment to bolstering account security for its users and clients.
