Cookies aren’t just something sites have to annoy you about every single #$%&ing time you visit them because of the GDPR. They’re one of the most basic ways for sites to identify specific users, for better and worse. Stealing and spoofing those cookies is a popular vector for identity theft attacks, which is why the latest Chrome update tries to keep them safe.
As explained in this Chromium blog post (spotted by Bleeping Computer), stealing a user’s authentication cookies via social engineering allows someone else to simulate a logged-in session from a remote location.
An example scenario: You click on a link from your “CEO” (a phishing email with a spoofed header), which installs a background process that observes your browser. You log in to your bank, even using two-factor authentication for extra security. The process swipes the active cookie from your browser, post-login, and someone else can then pretend to be you using that cookie to simulate the active login session.
Google’s solution to the problem is Device Bound Session Credentials. The company is developing DBSC as an open-source tool, hoping that it’ll become a widely used web standard. The basic idea is that in addition to a tracking cookie identifying a user, the browser uses additional data to tie that session to a specific device — your computer or phone — so it can’t be easily spoofed on another machine.
This is accomplished with a public/private key pair created by a Trusted Platform Module chip, or TPM, which you might remember from the big transition to Windows 11. Most modern devices sold in the last few years have some hardware that accomplishes this, like Google’s much-promoted Titan chips in Android phones and Chromebooks. Allowing secure servers to tie browser activity to a TPM creates a session and device pair that can’t be duplicated by another user even if they manage to swipe the relevant cookie.
If you’re like me, that might trigger a privacy alarm in your head, especially coming from a company that recently had to delete data it was tracking from browsers in Incognito mode. The Chromium blog post goes on to say that the DBSC system doesn’t allow correlation from session to session, as each session-device pairing is unique. “The only information sent to the server is the per-session public key which the server uses to certify proof of key possession later,” says Chrome team member Kristian Monsen.
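The proof-of-key-possession idea described above, as an added example (not code from Chrome or the DBSC specification): the server stores only a per-session public key and accepts the session cookie only alongside a fresh signature from the matching private key. The function names, the in-memory session table and the challenge flow are assumptions made for illustration, and a software P-256 key stands in for a TPM-held key.

```javascript
const nodeCrypto = require('node:crypto');

// Server-side session table (hypothetical): sessionId -> { publicKey, challenge }
const sessions = new Map();

// Device: one fresh key pair per session, so sessions cannot be correlated.
// Assumption: in a real deployment the private key never leaves the TPM.
function createDeviceKey() {
  return nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Server: at login, keep only the per-session public key next to the session.
function registerSession(publicKey) {
  const sessionId = nodeCrypto.randomBytes(16).toString('hex');
  sessions.set(sessionId, { publicKey, challenge: null });
  return sessionId; // this value is what the cookie carries
}

// Server: issue a random challenge when the session has to be re-proven.
function issueChallenge(sessionId) {
  const s = sessions.get(sessionId);
  if (!s) return null;
  s.challenge = nodeCrypto.randomBytes(32);
  return s.challenge;
}

// Device: sign the challenge with this session's private key.
function signChallenge(privateKey, challenge) {
  return nodeCrypto.sign('sha256', challenge, privateKey);
}

// Server: accept only a valid signature over the outstanding challenge.
function verifyProof(sessionId, signature) {
  const s = sessions.get(sessionId);
  if (!s || !s.challenge) return false;
  const challenge = s.challenge;
  s.challenge = null; // single use, so a replayed proof is rejected
  return nodeCrypto.verify('sha256', challenge, s.publicKey, signature);
}

// Constructed scenario: the cookie value is copied to a second machine.
function demo() {
  const owner = createDeviceKey();
  const cookie = registerSession(owner.publicKey);
  const legit = verifyProof(cookie, signChallenge(owner.privateKey, issueChallenge(cookie)));
  const other = createDeviceKey(); // holds the cookie but not the owner's private key
  const stolen = verifyProof(cookie, signChallenge(other.privateKey, issueChallenge(cookie)));
  return { legit, stolen };
}
```

The cookie alone is no longer sufficient: the second machine can present the session ID but cannot produce a signature that verifies against the registered public key.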
Google says that other browser and web companies are interested in this new security tool, including Microsoft’s Edge team and identity management company Okta. DBSC is currently being trialed in Chrome version 125 (in the pre-beta Chrome Dev build now) and later.