Google Chrome Enlists Emerging DBSC Standard to Fight Cookie Theft – Source: securityboulevard.com

Google is prototyping a new technology in Chrome that is designed to thwart the growing trend among cybercriminals of stealing browser session cookies, which enables hackers to bypass multifunction authentication (MFA) protections and gain access to users’ online accounts

The tech giant this week said it is piloting the use of Device Bound Session Credentials (DBSC), which is being developed by the Web Incubator Community Group (WICG) in GitHub and is designed to tightly bind the browser authentication sessions to the user’s device via cryptographic keys.

Servers use an API from DBSC to create a session that is bound to a device and can periodically be refreshed to prove that the session continues to be bound to the original device, according to the WICG.

“By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value,” Google wrote in announcing the test. “We think this will substantially reduce the success rate of cookie theft malware.”

Through this, “attackers would be forced to act locally on the device, which makes on-device detection and cleanup more effective, both for anti-virus software as well as for enterprise managed devices,” the company wrote.

The WICG’s goal is to make DBSC an open standard.

Hackers Like Cookies

Threat groups that are increasingly looking for credentials and similar information – including cookies – to hijack user accounts as part of their attacks. Websites and applications alike assign cookies or tokens to users that identify them to access a site. The information is stored on the device to make it easier for users to re-enter a site without have to go through the authentication process.

“Although this capability enables personalized and smooth experiences for everyday users, it poses a threat in the wrong hands,” Damon Fleury, chief product officer at cybercrime analytics firm SpyCloud, wrote in Forbes. “Cybercriminals using infostealer malware can exfiltrate cookies – among a plethora of other data types – from infected devices and insert them into anti-detect browsers, allowing them to appear as legitimate users in a process known as session hijacking.”

Researchers with cybersecurity vendor Malwarebytes in January wrote that some hackers had upgraded their info-stealing malware to bypass MFA defenses and gain permanent unauthorized access to Google accounts, giving them entrée to such services as Gmail, Google Maps, and YouTube.

In a blog post this week, Malwarebytes researcher Pieter Arntz wrote that Google had promised to address the problem and turned to DBSC, adding that “if the simplicity of the solution is any indication for its effectiveness, then this should be a good one.”

It also fits in well with Google’s plans to phase out third-party cookies, Arntz wrote.

Laying the Groundwork

Google had let people know in September that it intended to prototype the technology, saying that DBSC “makes the web safer for users in that it is less likely their identity is abused, since malware is forced to act locally and thus becomes easier to detect and mitigate. At the same time the goal is to disrupt the cookie theft ecosystem and force it to adapt to tighter operating constraints.”

The company said the DBSC API lets a server start a new session on a device with a specific browser, with the browser creating a new public and private keys on the device and using the operating system to store the private key in a way that makes it difficult to export.

“Chrome will use facilities such as Trusted Platform Modules (TPMs) for key protection, which are becoming more commonplace and are required for Windows 11, and we are looking at supporting software-isolated solutions as well,” Google wrote. “Each session is backed by a unique key and DBSC does not enable sites to correlate keys from different sessions on the same device, to ensure there’s no persistent user tracking added.”

DBSC doesn’t leak meaningful information about the device outside of the fact that the browser believes it can offer secure store. Users can delete the keys created via DBSC by deleting site data in Chrome settings.

Ramping Up Testing Through the Year

Google expects Chrome to initially support DBSC for about half of desktop users, given the hardware capabilities on their systems, though the company may support software keys regardless of those capabilities.

“This would ensure the DBSC will not let servers differentiate between users based on hardware features or device state (i.e. if a device is Play Protect certified or not),” it wrote.

Google is experimenting with a DBSC prototype on some Google Account users running Chrome Beta to gauge the reliability, feasibility, and latency of the protocol on a complex site while still protecting users. When fully deployed, both enterprise users and consumers automatically will get the upgraded security. In addition, the cloud giant hopes to enable DBSC for Google Workspace and Google Cloud customers.

The goal is to allow trials for all interested websites by the end of the year, according to Google. The company suggested companies like Microsoft – for Edge – and Okta have signaled interest in using DBSC.