Internet cookies are not just annoying pop-ups that websites use to comply with GDPR. They are a fundamental tool for websites to identify specific users. However, the theft and spoofing of these cookies have become a popular method for identity theft attacks. Google's latest Chrome update aims to enhance the security of these cookies.

Understanding Cookie Theft

As detailed in a , stealing a user's authentication cookies through social engineering can allow an attacker to simulate a logged-in session from a remote location. For instance, a user might click on a phishing email disguised as a message from their CEO, which installs a background process that monitors their browser. When the user logs into their bank account, the process steals the active cookie from their browser, allowing the attacker to impersonate the user and simulate the active login session.

Google's Solution: Device Bound Session Credentials

Google's solution to this problem is the development of Device Bound Session Credentials (DBSC). The company is developing DBSC as an open-source tool, with the hope that it will become a widely-used web standard. The concept behind DBSC is that, in addition to a tracking cookie identifying a user, the browser uses additional data to tie that session to a specific device. This makes it difficult for the session to be spoofed on another machine.

This is achieved using a public/private key pair created by a Trusted Platform Module (TPM) chip. Most modern devices sold in recent years have hardware that can accomplish this, such as Google's Titan chips in Android phones and Chromebooks. By allowing secure servers to tie browser activity to a TPM, DBSC creates a session and device pair that can't be duplicated by another user, even if they manage to steal the relevant cookie.

Privacy Concerns

While this might raise privacy concerns, especially from a company that recently had to delete data it was tracking from browsers in Incognito mode, the Chromium blog post assures that the DBSC system doesn't allow correlation from session to session. Each session-device pairing is unique, and the only information sent to the server is the per-session public key, which the server uses to certify proof of key possession later.
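A minimal model of the registration and proof-of-possession exchange described in the two paragraphs above, added here as an illustration and not code from Google's DBSC implementation. It assumes a P-256 ECDSA key standing in for the TPM-held key, a random 32-byte server challenge, and a constructed sample cookie value; the server keeps only the per-session public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Session is the server-side record: the cookie value plus the per-session
// public key the browser registered when the session was created.
type Session struct {
	Cookie string
	Pub    *ecdsa.PublicKey
}

// Device models the browser. The private key stands in for a TPM-held key
// that never leaves the machine (assumption: a P-256 ECDSA key).
type Device struct{ priv *ecdsa.PrivateKey }

func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: k}, nil
}

// Register binds a fresh session to this device; only the public key is sent.
func Register(d *Device, cookie string) Session {
	return Session{Cookie: cookie, Pub: &d.priv.PublicKey}
}

// NewChallenge returns a random nonce the server asks the browser to sign.
func NewChallenge() []byte {
	c := make([]byte, 32)
	_, _ = rand.Read(c)
	return c
}

// Prove signs the challenge with the device-bound key. A cookie copied to
// another machine has no access to this key and cannot produce the proof.
func (d *Device) Prove(challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	sig, _ := ecdsa.SignASN1(rand.Reader, d.priv, h[:])
	return sig
}

// Verify honours the cookie only with a valid proof from the registered key.
func Verify(s Session, cookie string, challenge, proof []byte) bool {
	if cookie != s.Cookie {
		return false
	}
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(s.Pub, h[:], proof)
}
```

Because each challenge is fresh, a captured proof cannot be replayed against a later challenge either.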

Google reports that other browser and web companies, including Microsoft's Edge team and identity management company Okta, are interested in this new security tool. DBSC is currently being trialed in Chrome version 125 and later.