Chrome combats cookie theft through device-bound session credentials

April 3, 2024
Chrome to Fight Cookie Theft With Device Bound Session Credentials – Summary

TLDR:

  • Google is introducing Device Bound Session Credentials (DBSC) to Chrome to protect users against cookie theft.
  • DBSC uses a pair of public and private keys to secure browser sessions and reduce the success rate of cookie theft malware.

Google is adding Device Bound Session Credentials (DBSC) to Chrome, a new user protection feature intended to combat cookie theft. Developed by the Web Incubator Community Group (WICG), DBSC authenticates with a private key to keep user sessions secure. Cookies are small pieces of data created by websites and stored on devices; if stolen, they can be abused to compromise accounts, allowing attackers to bypass two-factor authentication. DBSC associates the session with a public/private key pair stored on the device, making it difficult for cookie theft malware to succeed. Google is currently testing a DBSC prototype on Google Accounts in Chrome Beta and plans to make it available to both consumers and enterprise users by the end of 2024. With DBSC, users can expect improved account security and protection against cookie theft.

