Technology Google wants to stop cookie theft once and for all

Gandalf_The_Grey

With two-factor authentication and passkeys making logins ever more secure, hackers have started to turn to the next best option to steal credentials: authentication cookies. These valuable datasets are what makes it possible for you to stay logged in on your devices for weeks and months without entering a password, but they can also be stolen and extracted, often far too easily. Google has announced that it’s working on changing that, detailing an open-source project which it hopes will become a web standard some day.

As convenient as cookies are, they carry some security risks with them. Once bad actors acquire them by deploying malware on victims’ machines, they can store and use the cookies on their own servers or sell them to other bad actors. Since authentication cookies only get generated after a successful login, there aren’t any of the usual security measures built in when they’re available for the service provider to see. Currently, there aren’t strong enough security measures in place that prevent a cookie from working on a different machine.

With Google’s proposed Device Bound Session Credentials (DBSC) API, this is supposed to change. The company wants to build a web standard that binds authentication cookies to the device they were issued on, creating a unique handshake between the website and the browser. That way, stolen cookies couldn’t be used to log into accounts anymore on other machines. This would limit hackers to using the stolen cookies on the device of their victim, making it much easier for traditional antivirus protection to stop them from wreaking havoc.

Google also wants to preserve user privacy while building this new API. Sites will not be able to use the unique keys to learn that the logins happened from the same machine. These device-bound cookies can also be deleted just like regular cookies right in the browser. Google says that the “only information sent to the server is the per-session public key which the server uses to certify proof of key possession later.”
 

silversurfer

Cybercriminals using cookie theft infostealer malware continue to pose a risk to the safety and security of our users. We already have a number of initiatives in this area including Chrome’s download protection using Safe Browsing, Device Bound Session Credentials, and Google’s account-based threat detection to flag the use of stolen cookies. Today, we’re announcing another layer of protection to make Windows users safer from this type of malware.

Like other software that needs to store secrets, Chrome currently secures sensitive data like cookies and passwords using the strongest techniques the OS makes available to us - on macOS this is the Keychain services, and on Linux we use a system-provided wallet such as kwallet or gnome-libsecret. On Windows, Chrome uses the Data Protection API (DPAPI), which protects the data at rest from other users on the system or cold boot attacks. However, DPAPI does not protect against malicious applications able to execute code as the logged-in user - which infostealers take advantage of.

In Chrome 127 we are introducing a new protection on Windows that improves on DPAPI by providing Application-Bound (App-Bound) Encryption primitives. Rather than allowing any app running as the logged-in user to access this data, Chrome can now encrypt data tied to app identity, similar to how the Keychain operates on macOS.
 

Wrecker4923

It seems Google is implementing something on Windows for Chrome that should be an OS service that would benefit ALL the apps that need to keep credentials/secrets. Are we going to end up with apps/browsers implementing their own elevated-privilege system service, or is Microsoft going to do something about THIS challenge? So odd that it's all quiet in Redmond, or I must be misreading something.