Google Chrome Implements Device Bound Session Credentials to Combat Cookie Theft
Severity: High (Score: 67.5)
Sources: Feeds.Feedburner, Bleepingcomputer, Feeds2.Feedburner
Summary
Google has launched Device Bound Session Credentials (DBSC) in Chrome 146 for Windows, aimed at preventing session cookie theft by infostealer malware. The feature, which will extend to macOS in a future release, cryptographically binds session cookies to specific hardware, using security chips such as the Trusted Platform Module (TPM) and Secure Enclave. Because each session gets a unique public/private key pair whose private key cannot be exported from the device, DBSC ensures that any exfiltrated session cookies quickly expire, rendering them useless to an attacker who holds the cookies but not the key. The DBSC protocol was developed in collaboration with Microsoft and tested with various web platforms, showing a notable decline in session theft incidents. Infostealer malware such as LummaC2 has become increasingly sophisticated at harvesting session cookies, allowing unauthorized access to user accounts without passwords. The proactive nature of DBSC marks a significant shift from traditional reactive security measures. Google emphasizes that this approach mitigates the risks associated with session theft more effectively than previous methods.
Key Points:
- DBSC protects session cookies by binding them to specific hardware, preventing theft.
- Infostealer malware like LummaC2 exploits session cookies to access accounts without passwords.
- The protocol has shown a decline in session theft incidents during its testing phase.
Key Entities
- Malware (attack_type)
- LummaC2 (malware)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1555.003 - Credentials From Web Browsers (mitre_attack)
- Chrome (tool)
- macOS (platform)
- Secure Enclave (platform)
- Trusted Platform Module (platform)
- Windows (platform)