This article was originally published at: https://blockeditorial.com/chrome-solution-to-cookie-theft/
Understanding Cookie Theft
As detailed in a , stealing a user’s authentication cookies through social engineering can allow an attacker to simulate a logged-in session from a remote location. For instance, a user might click on a phishing email disguised as a message from their CEO, which installs a background process that monitors their browser. When the user logs into their bank account, the process steals the active cookie from their browser, allowing the attacker to impersonate the user and simulate the active login session.
Google’s Solution: Device Bound Session Credentials
Google’s solution to this problem is the development of Device Bound Session Credentials (DBSC). The company is developing DBSC as an open-source tool, with the hope that it will become a widely-used web standard. The concept behind DBSC is that, in addition to a tracking cookie identifying a user, the browser uses additional data to tie that session to a specific device. This makes it difficult for the session to be spoofed on another machine.
This is achieved using a public/private key created by a Trusted Platform Module (TPM) chip. Most modern devices sold in recent years have hardware that can accomplish this, such as Google’s Titan chips in Android phones and Chromebooks. By allowing secure servers to tie browser activity to a TPM, it creates a session and device pair that can’t be duplicated by another user, even if they manage to steal the relevant cookie.
Privacy Concerns
While this might raise privacy concerns, especially from a company that recently had to delete data it was tracking from browsers in Incognito mode, the Chromium blog post assures that the DBSC system doesn’t allow correlation from session to session. Each session-device pairing is unique, and the only information sent to the server is the per-session public key, which the server uses to certify proof of key possession later.
Google reports that other browser and web companies, including Microsoft’s Edge team and identity management company Okta, are interested in this new security tool. DBSC is currently being trialed in Chrome version 125 and later.
This article was originally published at: https://blockeditorial.com/chrome-solution-to-cookie-theft/