Google Chrome makes cookie theft pointless on Windows
Cyber attackers target session cookies to gain access. Google is now activating protection in Chrome for Windows.
Cybercriminals and their info-stealers frequently target so-called session cookies, which give them access to sessions in which users are already logged in to services. Google has enabled protection against this by default in Chrome for Windows starting with version 146 and says it will announce the same for macOS soon.
The feature in question is "Device Bound Session Credentials" (DBSC), which Google explains in a blog post. This cookie protection has been in development since 2024 and is now reaching practice. In short: authenticated sessions are bound to the device on which the login took place, so stolen cookies become worthless.
Google Chrome Activates Device Bound Session Credentials
In more detail, the mechanism is somewhat reminiscent of passkeys. When a session starts, the browser generates a key pair; the private key remains on the computer, currently protected by the machine's TPM (Trusted Platform Module). Chrome uses operating system functions to store it in the TPM; on macOS, the Secure Enclave serves this purpose. Servers receive the public key and, for an ongoing session, can use the API to request proof from the client that it possesses the private key.
In a typical session theft, users unintentionally download malware which, once active, silently exfiltrates session cookies from the browser or waits for new logins before sending the tokens to the attackers' servers. According to Google, info-stealer malware such as Lumma is becoming increasingly sophisticated at grabbing credentials. Because cookies typically have a long lifespan, attackers can use them to gain unauthorized access to user accounts; such session cookies are then bundled and traded or sold among threat actors. Exfiltration of the cookies themselves, however, cannot be reliably prevented by software alone.
DBSC is meant to solve this problem: the key pair cannot be exported from the machine, and in combination with short-lived cookies this means stolen cookies expire quickly and become useless to attackers. Google tested early versions of the mechanism last year and has since observed a significant decrease in session theft.
Web developers can now protect their own systems against session theft as well. Google provides instructions for developers, the W3C hosts a current specification of the protocol, and there is a corresponding project on GitHub. Google is already announcing further developments: support for Single Sign-On (SSO) systems is planned, as is even stricter protection that binds DBSC to existing, trusted keys instead of creating new ones at login. The developers also intend to explore software-based keys so that the security mechanism can be offered on devices without dedicated security hardware.
(dmk)