
Google Chrome 146 Blocks Windows Session Theft with DBSC

Summary

– Google has rolled out Device Bound Session Credentials (DBSC) to all Windows users of Chrome 146 to combat session theft, with macOS support planned.
– DBSC cryptographically binds a session to a key held in the device's hardware; cookies become short-lived and are renewed only with that key, so stolen copies quickly expire and become useless.
– Session theft occurs when information-stealing malware harvests long-lived cookies, giving attackers account access without needing passwords.
– The feature uses hardware such as a TPM to generate a non-exportable key pair and falls back to standard cookie behavior on devices without secure key storage.
– Google designed DBSC as a privacy-preserving open standard that cannot be used for cross-site tracking, and early data already shows a reduction in session theft.

Google has now rolled out its Device Bound Session Credentials (DBSC) security feature to all Windows users of Chrome 146, marking a major public release after an extensive beta testing period. This initiative is designed to directly tackle the widespread threat of session cookie theft, a primary method attackers use to hijack online accounts without needing passwords. Support for macOS is slated for a future Chrome update.

The company's Chrome and Account Security teams described the project as a substantial advance against a persistent modern threat. Session theft typically begins when a user is tricked into running information-stealing malware such as Atomic, Lumma, or Vidar Stealer. The malware harvests session cookies, which often remain valid for long periods, and criminals then sell or replay them to gain account access without ever needing the password.

The core of DBSC is cryptographically binding an authentication session to the user's device. Using hardware-backed key storage such as the Trusted Platform Module on Windows or the Secure Enclave on a Mac, Chrome generates a key pair whose private key cannot be exported. The site registers the public key and from then on issues only short-lived session cookies, renewing them only after Chrome proves possession of the private key by signing a server-supplied challenge. A cookie that malware copies off the disk is therefore usable only until it expires; it cannot be renewed, because the key needed to answer the next challenge never leaves the hardware.

Google notes the system includes a practical fallback. If a device lacks the necessary secure key storage, DBSC reverts to standard cookie behavior without disrupting the user's login, which also means such devices receive none of the protection. Early data since the feature's introduction shows a significant reduction in session theft, indicating the countermeasure's initial effectiveness.

Developed in collaboration with Microsoft with the goal of establishing an open web standard, DBSC is also engineered with privacy as a fundamental principle. The architecture ensures websites cannot use these session credentials to track a user’s activity across different sessions or sites on the same device. The protocol exchanges minimal data, providing only the essential public key required for authentication, which prevents it from enabling cross-site tracking or functioning as a device fingerprinting mechanism.

This general release is just the beginning. Google plans to expand DBSC to more devices and enhance its capabilities for deeper integration within enterprise environments, building a more secure foundation for web authentication.

(Source: Internet)
