Gandalf_The_Grey
- Apr 24, 2016
With two-factor authentication and passkeys making logins ever more secure, hackers have started to turn to the next best option to steal credentials: authentication cookies. These valuable datasets are what makes it possible for you to stay logged in on your devices for weeks and months without entering a password, but they can also be stolen and extracted, often far too easily. Google has announced that it’s working on changing that, detailing an open-source project which it hopes will become a web standard some day.
As convenient as cookies are, they carry some security risks with them. Once bad actors acquire them by deploying malware on victims’ machines, they can store and use the cookies on their own servers or sell them to other bad actors. Since authentication cookies only get generated after a successful login, there aren’t any of the usual security measures built in when they’re available for the service provider to see. Currently, there aren’t strong enough security measures in place that prevent a cookie from working on a different machine.
With Google’s proposed Device Bound Session Credentials (DBSC) API, this is supposed to change. The company wants to build a web standard that binds authentication cookies to the device they were issued on, creating a unique handshake between the website and the browser. That way, stolen cookies couldn’t be used to log into accounts anymore on other machines. This would limit hackers to using the stolen cookies on the device of their victim, making it much easier for traditional antivirus protection to stop them from wreaking havoc.
Google also wants to preserve user privacy while building this new API. Sites will not be able to use the unique keys to learn that the logins happened from the same machine. These device-bound cookies can also be deleted just like regular cookies right in the browser. Google says that the “only information sent to the server is the per-session public key which the server uses to certify proof of key possession later.”
Google wants to stop cookie theft once and for all
We’re talking about authentication cookies on the web here, om nom nom
www.androidpolice.com