Google Chrome Adds Infostealer Protection Against Session Cookie Theft
Google Chrome Adds Infostealer Protection Against Session Cookie Theft 🚀
Google has rolled out Device Bound Session Credentials (DBSC) protection in Chrome 146 for Windows, designed to block info-stealing malware from harvesting session cookies. macOS users will benefit from this security feature in a future Chrome release that has yet to be announced.
The new protection, announced in 2024, works by cryptographically linking a user’s session to their specific hardware, such as a computer’s security chip - the Trusted Platform Module (TPM) on Windows and the Secure Enclave on macOS. Since the unique public/private keys for encrypting and decrypting sensitive data are generated by the security chip, they cannot be exported from the machine. This prevents attackers from using stolen session data because the unique private key protecting it cannot be exported from the machine.
Threat actors use specialized malware called infostealer to collect session cookies, which act as authentication tokens, typically with a longer validity time. Google says that multiple infostealer malware families, like LummaC2, have become increasingly sophisticated at harvesting these credentials, allowing hackers to gain access to users’ accounts. Google states, “Crucially, once sophisticated malware has gained access to a machine, it can read the local files and memory where browsers store authentication cookies. As a result, there is no reliable way to prevent cookie exfiltration using software alone on any operating system.”
Regarding the DBSC mechanism, Google explains, “The issuance of new short-lived session cookies is contingent upon Chrome proving possession of the corresponding private key to the server.” Without this key, any exfiltrated session cookie expires and becomes useless to an attacker almost immediately. The DBSC protocol was built to be private by design, with each session being backed by a distinct key, preventing websites from correlating user activity across multiple sessions or sites on the same device. Additionally, the protocol enables minimal information exchange that requires only the per-session public key necessary to certify proof of possession, and does not leak device identifiers. In a year of testing an early version of DBSC in partnership with multiple web platforms, including Okta, Google observed a notable decline in session theft events.
Google partnered with Microsoft for developing the DBSC protocol as an open web standard. Websites can upgrade to the more secure, hardware-bound sessions by adding dedicated registration and refresh endpoints to their backends without sacrificing compatibility with the existing frontend. Web developers can turn to Google’s guide for DBSC implementation details, with specifications available on the World Wide Web Consortium (W3C) website, and an explainer found on GitHub.