Chrome's New Feature Kills Cookie Theft
10 Apr
Summary
- Google Chrome now binds session cookies to hardware.
- This prevents session hijacking via stolen cookies.
- The feature is live on Windows, with macOS soon.

Google Chrome has rolled out a significant security enhancement for Windows users, introducing Device Bound Session Credentials (DBSC). This new feature cryptographically binds authentication sessions to the user's physical device, effectively rendering stolen session cookies useless.
DBSC uses hardware-backed security modules, such as the Trusted Platform Module on Windows, to generate unexportable public/private key pairs. The server issues new session cookies only after Chrome proves possession of the corresponding private key, which thwarts cybercriminals who rely on infostealing malware.
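The key-possession check described above can be modeled as a challenge-response exchange. This is an added example, not code from Chrome or Google, and it is a simplified model rather than DBSC's actual wire format: a software P-256 key stands in for the TPM-held key, and every function name and the 10-minute cookie lifetime are assumptions.

```javascript
// Added illustration: simplified model of a device-bound session refresh.
// Not DBSC's wire format; all names below are hypothetical.
const crypto = require("node:crypto");

const sessions = new Map(); // sessionId -> { publicKey, challenge }

// Registration: the server stores the device's public key with the session.
function registerSession(publicKey) {
  const sessionId = crypto.randomBytes(16).toString("hex");
  sessions.set(sessionId, { publicKey, challenge: null });
  return sessionId;
}

// Before each refresh the server hands out a fresh random challenge.
function issueChallenge(sessionId) {
  const s = sessions.get(sessionId);
  if (!s) return null;
  s.challenge = crypto.randomBytes(32);
  return s.challenge;
}

// A new cookie is issued only if the challenge was signed by the registered key.
function refreshCookie(sessionId, signature) {
  const s = sessions.get(sessionId);
  if (!s || !s.challenge) return null;
  const challenge = s.challenge;
  s.challenge = null; // single use, so an old signature cannot be replayed
  if (!crypto.verify("sha256", challenge, s.publicKey, signature)) return null;
  // Assumed lifetime: short enough that a copied cookie expires quickly.
  return { value: crypto.randomBytes(16).toString("hex"), expiresAt: Date.now() + 600000 };
}

// Device side: a software key pair stands in for the hardware-held one.
function makeDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { publicKey, sign: (challenge) => crypto.sign("sha256", challenge, privateKey) };
}

// Constructed scenario: the bound device, a copied session on another machine, a replay.
function demo() {
  const device = makeDevice(), otherMachine = makeDevice();
  const sid = registerSession(device.publicKey);
  const sig = device.sign(issueChallenge(sid));
  const legit = refreshCookie(sid, sig) !== null;
  const stolen = refreshCookie(sid, otherMachine.sign(issueChallenge(sid))) !== null;
  issueChallenge(sid);
  const replay = refreshCookie(sid, sig) !== null;
  return { legit, stolen, replay };
}
console.log(demo());
```

Only the bound device obtains a fresh cookie; a session copied to another machine, or a replayed signature, is refused at the next refresh.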
This development addresses the growing threat of session cookie theft, which bypasses multi-factor authentication. While the feature is live on Windows, Google plans to release a macOS variant in the coming weeks. A significant reduction in session theft was observed with an earlier version.