
Google Chrome adds protection against session cookie theft for all users

Google announced that Chrome's Device Bound Session Credentials (DBSC) security feature is becoming publicly available and rolling out to all users to prevent account hijacking.


DBSC, which has been in beta testing since April, was first announced in 2024. It cryptographically binds session cookies to a specific device, preventing attackers from replaying stolen cookies to bypass multi-factor authentication and hijack user accounts, as BleepingComputer reported.

Each DBSC session is tied to a public/private key pair generated on the device. Where the hardware supports it, the private key is held by the device's security chip (TPM) and cannot be exported, so malware that copies the browser's cookie store does not get the key. The server periodically challenges the browser to prove it still holds that key before issuing fresh, short-lived session cookies. A copied cookie therefore stops working as soon as it expires, because the attacker cannot complete the refresh without the key.

“DBSC fundamentally changes the web’s ability to defend against this threat. It shifts the paradigm from reactive detection to proactive prevention, ensuring that successfully stolen cookies cannot be used to access user accounts,” Google said in April.

The company added this week: “DBSC strengthens account security after a user is logged in and helps tie session cookies — small files used by websites to remember information about a user — to the device from which authentication was performed. Even if the user’s device had malware, DBSC reduces the risk of session theft and makes it significantly more difficult for attackers to exploit stolen cookies.”

This feature is currently rolling out to all Google Workspace customers, Workspace Individual subscribers, and users with personal Google Accounts.

Google added that once deployed, it will be enabled by default for all Google Workspace customers, and administrators will not be able to disable it.

In the past, attackers have abused an undocumented Google OAuth API endpoint called “MultiLogin” to create new authentication cookies after stolen ones expire.

The operators of the Lumma and Rhadamanthys information-stealing malware also claimed to be able to restore expired Google authentication cookies stolen during attacks, giving them access to infected users' accounts.

At the time, Google advised customers to remove malware from their devices and recommended enabling Enhanced Safe Browsing in Chrome to protect against phishing and malware attacks.

However, the new DBSC feature should effectively block attackers from using such stolen cookies, since they will not hold the cryptographic key needed to keep the session alive once the copied cookie expires.
