How Google plans to make stolen session cookies worthless for attackers

2024-04-03 05:30

Google is working on a new security feature for Chrome called Device Bound Session Credentials (DBSC), meant to prevent attackers from using stolen session cookies to gain access to user accounts.

Session cookies are stored by browsers when a user logs into web resources.

For a while now, attackers have been stealing session cookies - usually with malware - so they can bypass multi-factor authentication.

DBSC intends to bind authentication sessions to the device, so that stolen cookies become worthless to attackers unless they are able to act locally on that device.

Servers can check whether the user/device accessing the resource still holds the session's private key (the matching public key is registered with the server when the session is created), and will keep doing so throughout the session's lifetime to make sure the session remains on the same device.

"DBSC will be fully aligned with the phase-out of third-party cookies in Chrome. In third-party contexts, DBSC will have the same availability and/or segmentation that third-party cookies will, as set by user preferences and other factors. This is to make sure that DBSC does not become a new tracking vector once third-party cookies are phased out, while also ensuring that such cookies can be fully protected in the meantime," he noted.

