
New Chrome feature blocks cookie-stealing hackers

Image: Sesame Workshop/Google

Cookies aren’t just something sites have to annoy you about every single #$%&ing time you visit them because of the GDPR. They’re one of the most basic ways for sites to identify specific users, for better and worse. Stealing and spoofing those cookies is a popular vector for identity theft attacks, which is why the latest Chrome update tries to keep them safe.

As explained in this Chromium blog post (spotted by Bleeping Computer), stealing a user’s authentication cookies via social engineering allows someone else to simulate a logged-in session from a remote location.

An example scenario: You click on a link from your “CEO” (a phishing email with a spoofed header), which installs a background process that observes your browser. You log in to your bank, even using two-factor authentication for extra security. The process swipes the active cookie from your browser, post-login, and someone else can then pretend to be you using that cookie to simulate the active login session.

Google’s solution to the problem is Device Bound Session Credentials. The company is developing DBSC as an open-source tool, hoping that it’ll become a widely-used web standard. The basic idea is that in addition to a tracking cookie identifying a user, the browser uses additional data to tie that session to a specific device — your computer or phone — so it can’t be easily spoofed on another machine.

This is accomplished with a public/private key pair created by a Trusted Platform Module chip, or TPM, which you might remember from the big transition to Windows 11. Most modern devices sold in the last few years have some hardware that accomplishes this, like Google’s much-promoted Titan chips in Android phones and Chromebooks. By allowing secure servers to tie browser activity to a TPM, DBSC creates a session and device pair that can’t be duplicated by another user even if they manage to swipe the relevant cookie.

If you’re like me, that might trigger a privacy alarm in your head, especially coming from a company that recently had to delete data it was tracking from browsers in Incognito mode. The Chromium blog post goes on to say that the DBSC system doesn’t allow correlation from session to session, as each session-device pairing is unique. “The only information sent to the server is the per-session public key which the server uses to certify proof of key possession later,” says Chrome team member Kristian Monsen.
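The key-binding idea described above, as an added example (not code from this article, Google or the DBSC specification): a simplified Node.js model in which the server stores a per-session public key and accepts a request only when a fresh challenge is signed by the matching private key. The `Server` and `Device` classes, the challenge flow and the software key standing in for a TPM-held key are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');
// Server side: each session cookie is bound to the public key sent at login.
class Server {
  constructor() { this.sessions = new Map(); }
  startSession(publicKeyPem) {
    const cookie = nodeCrypto.randomBytes(16).toString('hex');
    this.sessions.set(cookie, { publicKeyPem, challenge: null });
    return cookie;
  }
  issueChallenge(cookie) {
    const s = this.sessions.get(cookie);
    if (!s) return null;
    s.challenge = nodeCrypto.randomBytes(32); // fresh nonce per proof
    return s.challenge;
  }
  // Accept only a signature over the outstanding challenge made with the bound key.
  verify(cookie, signature) {
    const s = this.sessions.get(cookie);
    if (!s || !s.challenge) return false;
    const challenge = s.challenge;
    s.challenge = null; // single use, so a captured signature cannot be replayed
    return nodeCrypto.verify('sha256', challenge, s.publicKeyPem, signature);
  }
}

// Client side: a software P-256 key stands in for a TPM-held key (assumption).
class Device {
  constructor() {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKey = privateKey; // never leaves the device
    this.publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(challenge) { return nodeCrypto.sign('sha256', challenge, this.privateKey); }
}

function demo() {
  const server = new Server();
  const owner = new Device();
  const cookie = server.startSession(owner.publicKeyPem);
  const firstSig = owner.sign(server.issueChallenge(cookie));
  const legit = server.verify(cookie, firstSig);
  // Same cookie presented from a machine that lacks the bound private key.
  const copied = server.verify(cookie, new Device().sign(server.issueChallenge(cookie)));
  // An old signature replayed against a new challenge.
  server.issueChallenge(cookie);
  const replayed = server.verify(cookie, firstSig);
  return { legit, copied, replayed };
}
console.log(demo());
```

Only the public key ever reaches the server in this model, and a new `Device` key is generated per session, which mirrors the article's point that sessions cannot be correlated through the key.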

Google says that other browser and web companies are interested in this new security tool, including Microsoft’s Edge team and identity management company Okta. DBSC is currently being trialed in Chrome version 125 (in the pre-beta Chrome Dev build now) and later.

Michael is a former graphic designer who’s been building and tweaking desktop computers for longer than he cares to admit. His interests include folk music, football, science fiction, and salsa verde, in no particular order.
