BleepingComputer
Google Chrome adds session cookie theft protection for all users
Google has announced that the Chrome Device Bound Session Credentials (DBSC) security feature is now available for all users, aimed at preventing account takeovers.
Initially released in beta in April 2024, DBSC cryptographically binds session cookies to a specific device, so that attackers cannot use stolen cookies to bypass multi-factor authentication (MFA) and take over user accounts.
DBSC operates by linking user sessions to hardware components, such as the security chip found in computers (e.g., the Trusted Platform Module (TPM) on Windows and the Secure Enclave on macOS).
The unique public/private keys utilized for encrypting and decrypting sensitive data are generated by the security chip itself, which means they cannot be stolen. This mechanism effectively prevents attackers from leveraging compromised session cookies.
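The binding described above, as an added example that models the idea rather than Chrome's or Google's actual implementation: at sign-in the server records the public half of a device-resident key pair alongside the session cookie, and later honours the cookie only when it arrives with a signature over a fresh server challenge. A cookie copied off the machine cannot be accompanied by a valid signature because the private key never leaves the chip. The type and function names, the sample cookie value, and the challenge strings are assumptions constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Session is the server-side record: the cookie value plus the public key
// the browser registered when the session was established.
type Session struct {
	Cookie string
	PubKey *ecdsa.PublicKey
}

// deviceKey stands in for the non-exportable key held by the TPM or Secure
// Enclave: the private half is only ever used to sign, never read out.
type deviceKey struct{ priv *ecdsa.PrivateKey }

func newDeviceKey() (*deviceKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &deviceKey{priv: priv}, err
}

// Sign answers the server's challenge; this is the only operation the chip exposes.
func (d *deviceKey) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Bind creates the session and pins it to the device's public key.
func Bind(cookie string, pub *ecdsa.PublicKey) Session { return Session{Cookie: cookie, PubKey: pub} }

// Verify accepts the cookie only with a valid signature over this request's challenge.
func (s Session) Verify(cookie string, challenge, sig []byte) bool {
	if cookie != s.Cookie {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(s.PubKey, digest[:], sig)
}

func main() {
	dev, _ := newDeviceKey()
	sess := Bind("SID=constructed-cookie-value", &dev.priv.PublicKey)
	challenge := []byte("server-nonce-1") // fresh per request, constructed here
	sig, _ := dev.Sign(challenge)
	fmt.Println("original device:", sess.Verify(sess.Cookie, challenge, sig))
	// Same cookie text presented from another machine: it has no access to
	// the bound key, so any signature it produces fails verification.
	other, _ := newDeviceKey()
	badSig, _ := other.Sign(challenge)
	fmt.Println("copied cookie, other device:", sess.Verify(sess.Cookie, challenge, badSig))
}
```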
"DBSC fundamentally changes the web's capability to defend against this threat by shifting the paradigm from reactive detection to proactive prevention, ensuring that successfully exfiltrated cookies cannot be used to access users' accounts," stated Google in April.
"DBSC enhances account security following user authentication and securely binds a session cookie—small files used by websites to retain user information—to the device from which the authentication occurred. Even in scenarios where malware is present on the user's device, DBSC significantly mitigates the risk of session theft, making it considerably more challenging for malicious actors to exploit stolen session cookies," the company elaborated this week.
The rollout of this feature extends to all Google Workspace customers, Workspace Individual subscribers, and users with personal Google accounts.
Google has indicated that once the feature is fully rolled out, it will be enabled by default for all Google Workspace customers, and administrators will be unable to disable it.
Historically, malicious actors have misused the undocumented Google OAuth "MultiLogin" API endpoint to create new authentication cookies after the previous ones have expired.
Additionally, the Lumma and Rhadamanthys information-stealing malware operations have claimed the capability to restore expired Google authentication cookies that were stolen in previous attacks, thereby gaining access to infected users' Google accounts.
In response, Google previously advised users to eliminate malware from their devices and suggested enabling Chrome's Enhanced Safe Browsing security mode to protect against phishing and malware threats.
The Chrome Device Bound Session Credentials (DBSC) feature is expected to considerably hinder malicious actors from exploiting stolen cookies, since they will not have access to the cryptographic keys needed to use them.