Google plans to eliminate cookie theft on Chrome using a new feature

Google seeks to block cookie theft on the Chrome browser, a technique commonly used by cybercriminals. To do so, the American company is introducing a new device-bound authentication standard.

Google is working on a new security feature for its Chrome browser. In a press release published on April 2 on the company's blog, the tech giant announces that it wants to introduce “Device Bound Session Credentials (DBSC)”, that is, session credentials bound to the device, intended to prevent the theft of session cookies.

Concretely, when you authenticate on a site, a cookie (the session cookie) is stored in the web browser. Hackers can obtain this identifier by infiltrating the target's system or by tricking them with a fake site. The identifier can then be reused to log in to the victim's accounts.


Cookie theft has become an increasingly common method, particularly in recent phishing campaigns. For example, cybercriminals send a fake two-factor authentication message to capture the session cookie and then authenticate in the victim's place, without their knowledge.

A fake QR code allegedly sent by Microsoft, used to steal the authentication cookie. // Source: Vade

A future cybersecurity standard?

Google's upcoming DBSC feature is meant to end this technique by tying authentication sessions to a device. The session with the server is established using a cryptographic key stored on the computer or smartphone through a dedicated interface.

As a result, stealing a cookie remotely will no longer be worthwhile, since it can only be used from the device, unless the attacker has access to that device. And in that case, “their presence is more likely to be detected if they attack the device directly”, says Kristian Monsen, an engineer at Google responsible for countering abuse targeting Chrome.


Regarding user privacy, DBSC should not disclose any significant information about the device. The only information sent to the server is a per-session public key, later used to prove that the device still holds the matching private key.

Additionally, users will be able to delete keys whenever they want. Google wants to make DBSC an open web standard. You can follow the work of the American company on github.com/WICG/dbsc. Microsoft, Okta and other identity providers have expressed interest in the standard. Google aims for deployment by end of 2024.
