Technology Google wants to stop cookie theft once and for all

Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,610
Content source
https://www.androidpolice.com/google-stop-cookie-theft-browsers/
With two-factor authentication and passkeys making logins ever more secure, hackers have started to turn to the next best option to steal credentials: authentication cookies. These valuable datasets are what makes it possible for you to stay logged in on your devices for weeks and months without entering a password, but they can also be stolen and extracted, often far too easily. Google has announced that it’s working on changing that, detailing an open-source project which it hopes will become a web standard some day.

As convenient as cookies are, they carry some security risks with them. Once bad actors acquire them by deploying malware on victims’ machines, they can store and use the cookies on their own servers or sell them to other bad actors. Since authentication cookies only get generated after a successful login, there aren’t any of the usual security measures built in when they’re available for the service provider to see. Currently, there aren’t strong enough security measures in place that prevent a cookie from working on a different machine.

With Google’s proposed Device Bound Session Credentials (DBSC) API, this is supposed to change. The company wants to build a web standard that binds authentication cookies to the device they were issued on, creating a unique handshake between the website and the browser. That way, stolen cookies couldn’t be used to log into accounts anymore on other machines. This would limit hackers to using the stolen cookies on the device of their victim, making it much easier for traditional antivirus protection to stop them from wreaking havoc.

Google also wants to preserve user privacy while building this new API. Sites will not be able to use the unique keys to learn that the logins happened from the same machine. These device-bound cookies can also be deleted just like regular cookies right in the browser. Google says that the “only information sent to the server is the per-session public key which the server uses to certify proof of key possession later.”
Click to expand...
www.androidpolice.com

Google wants to stop cookie theft once and for all

We’re talking about authentication cookies on the web here, om nom nom
www.androidpolice.com www.androidpolice.com
 
  • Like
  • Applause
  • Wow
Reactions: Jack, LoLs, Nevi and 13 others

Similar threads

Gandalf_The_Grey
    • +Reputation
    • Like
Security News Malware abuses Google OAuth endpoint to ‘revive’ cookies, hijack accounts
Replies
1
Views
1,736
Security News
[correlate]
[correlate]
Gandalf_The_Grey
    • Like
    • Applause
Technology Cookie Pledge: EU admits that cookie banners are annoying, suggests remedy
Replies
1
Views
441
Technology News
vtqhtr413
vtqhtr413
Gandalf_The_Grey
    • Like
    • Wow
AdGuard Blog: Microsoft Edge is getting rid of third-party cookies. What about their replacement?
Replies
14
Views
577
Microsoft Edge
Morro
Morro

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top