
Google introduces DBSC in Chrome to prevent cookie theft


Photo: In Green / Shutterstock.com

To counter the growing threat of cookie-theft malware, Google has announced Device Bound Session Credentials (DBSC), a Chrome feature now being prototyped that binds web sessions to the user’s device so that stolen cookies can no longer be used to take over online accounts.

Cookies are small pieces of data that a website stores in the browser, most importantly to keep a user signed in between requests. Because a session cookie is, in effect, proof that a login has already succeeded, cookies have become a prime target for attackers.

Attackers deploy cookie-theft malware (information stealers) to gain unauthorised access to users’ web accounts. A stolen session cookie is replayed from the attacker’s machine after the victim has already completed the login, so controls such as two-factor authentication are never triggered.

Operators of Malware-as-a-Service (MaaS) platforms commonly spread cookie-theft malware through social engineering, persuading users to click through multiple security warnings and install it. Once running, the malware reads authentication cookies out of the browser’s cookie store and exfiltrates them to a remote server, after which the attackers take over the accounts or sell them on.

DBSC binds an authentication session to the device on which it was created. A cookie copied off that device cannot keep the session alive, so exfiltrated cookies lose their value to the attacker.

[Image: Chrome DBSC screenshot. Source: Google]

Through the DBSC API, a website asks the browser to start a bound session. The browser generates a fresh public/private key pair on the device, keeps the private key in hardware such as a Trusted Platform Module (TPM) so that it can sign but cannot be exported, and registers the public key with the site. The site can then demand proof of possession of that private key throughout the session, so a session that is replayed from another device fails as soon as proof is requested. The keys are specific to the session and the site, which ties the session to the device without giving sites a new way to identify users across the web.

DBSC pairs the bound key with short-lived cookies that the browser refreshes out of band: when a cookie is about to expire, the browser proves possession of the private key in a separate exchange and receives a new one, while ordinary requests continue to carry plain cookies. Existing cookie-based infrastructure therefore needs little change, which makes the scheme practicable for sites of all sizes. The trade-off is that a stolen cookie remains usable until it expires, so the exposure window is bounded by the cookie lifetime rather than eliminated outright.

The initiative emphasises industry collaboration and user privacy, with measures in place to prevent persistent user tracking and protect sensitive devices.

“We expect Chrome will initially support DBSC for roughly half of desktop users, based on the current hardware capabilities of users’ machines. We are committed to developing this standard in a way that ensures it will not be abused to segment users based on client hardware,” the company said.

Google is running an initial experiment with DBSC in Chrome Beta for Google Account sessions, ahead of broader adoption across other platforms and services.

Several server and identity providers have expressed interest in implementing DBSC to protect their users against cookie theft.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
