Google on Tuesday said it is testing a new feature in Chrome called Device Session Credentials (DBSC) to protect users from session cookie theft by malware.
The prototype, currently being tested on “some” Google account users using Chrome Beta, was created with the goal of making it an open web standard, the tech giant’s Chromium team said.
“By tying authentication sessions to the device, DBSC aims to disrupt the cookie theft industry as exfiltration of these cookies will no longer have any value,” the company noted.
“We believe this will substantially reduce the success rate of cookie-stealing malware. Attackers would be forced to act locally on the device, which would make device detection and cleaning more effective, both for antivirus software and for device-managed devices. ‘agency.” .”
The development comes amid reports that standard information-stealing malware is finding ways to steal cookies to allow threat actors to bypass multi-factor authentication (MFA) protection and gain unauthorized access to online accounts .
Such session hijacking techniques are not new. In October 2021, Google’s Threat Analysis Group (TAG) detailed a phishing campaign that targeted YouTube content creators with cookie-stealing malware to hijack their accounts and monetize access to perpetrate email scams. cryptocurrency.
In early January, CloudSEK revealed that information thieves such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake have updated their capabilities to hijack user sessions and allow continued access to Google services even after password resets .
Google told The Hacker News at the time that “attacks involving malware that steals cookies and tokens are not new; we regularly update our defenses against such techniques and to protect users who fall victim to the malware.”
It also advised users to enable Enhanced Safe Browsing in the Chrome web browser to protect themselves from phishing and malware downloads.
DBSC aims to reduce such malicious efforts by introducing a cryptographic approach that ties device sessions together in a way that makes it harder for adversaries to abuse stolen cookies and hijack accounts.
Offered via an API, the new feature achieves this by allowing a server to associate a session with a public key created by the browser as part of a public/private key pair when a new session is initiated.
It is worth noting that the key pair is stored locally on the device using Trusted Platform Modules (TPM). Additionally, the DBSCI API allows the server to verify proof of possession of the private key throughout the session to ensure that the session is active on the same device.
“DBSC offers an API for websites to control the lifetime of such keys, behind the abstraction of a session, and a protocol to periodically and automatically prove ownership of such keys on website servers,” said Kristian Monsen and Arnar Birgisson of Google.
“There is a separate key for each session and it should not be possible to detect that two different session keys are coming from one device. By associating the private key with the device and with appropriate intervals of proof, the browser can limit the malware’s ability to download abuse from the user’s device, significantly increasing the chance that the browser or server can detect and mitigate cookie theft.”
A crucial caveat is that DBSC targets user devices with a secure way to sign challenges while protecting private keys from exfiltration by malware by requiring the web browser to have access to the TPM.
Google said support for DBSC will initially roll out to about half of Chrome desktop users based on the hardware capabilities of their machines. The latest project is also expected to be in sync with the company’s broader plans to eliminate third-party cookies in the browser later this year via the Privacy Sandbox initiative.
“This is to ensure that DBSC does not become a new tracking vector once third-party cookies are deleted, while ensuring that those cookies can be fully protected in the meantime,” it said. “If the user disables cookies entirely, third-party cookies, or cookies for a specific site, this will disable DBSC in those scenarios as well.”
The company also highlighted that it is working with several server providers, identity providers (IdPs), and browser vendors such as Microsoft Edge and Okta, which have expressed interest in DBSC. Origin trials for DBSC for all supported websites will begin later this year.