Google Combats Cookie Theft With New Security Tech in Chrome

Written by: Elijah Ugoh, Cybersecurity & Tech Writer

Fact-checked by: Kate Richards, Content Manager

Google is addressing the persistent issue of cookie theft with the introduction of Device Bound Session Credentials (DBSC), a novel web capability that will reduce account hijacking and make browsing on Chrome safer. DBSC has been made public for anyone interested in learning more about how it will work.

DBSC ties authentication data to a specific device, rendering stolen cookies ineffective and disrupting the cookie theft industry, says Google on its Chrome blog.

Cookies, widely utilized by websites to store session information locally on users’ devices, have long been vulnerable to exploitation by malware. Attackers can copy cookies from users’ hard drives and utilize the user’s browsing session information to access sensitive data associated with the various websites they’ve visited. DBSC aims to reduce such account hijacking caused by cookie theft, making browsing on Chrome safer.

Kristian Monsen of the Chrome Counter Abuse team elaborated on DBSC’s purpose, stating, “By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value. We think this will substantially reduce the success rate of cookie theft malware.”

Google emphasizes that this strategy will make cookie theft unattractive and useless for malware attackers. Monsen added that “DBSC doesn’t leak any meaningful information about the device beyond the fact that the browser thinks it can offer some type of secure storage.”

While the initial rollout is expected for approximately half of desktop users, Google aims to broaden DBSC adoption by collaborating with industry stakeholders, including identity providers and browser developers like Microsoft for its Edge browser.

As Google pioneers DBSC to fortify user security and privacy, all announcements regarding the project will be made publicly on GitHub as well. Google aims to allow origin trials for all interested websites by the end of 2024. This way, developers get early access to DBSC, allowing them to gather feedback, test compatibility, and assess the performance of the feature before it is officially released to the general public.

DBSC also aligns with Google’s ongoing efforts to phase out third-party cookies in Chrome and is currently being tested to protect Google Account users running Chrome Beta. Google plans to extend DBSC functionality to Google Workspace and Google Cloud customers “to provide another layer of account security.”
