Google has taken a significant step forward in enhancing browser security with the introduction of Device Bound Session Credentials (DBSC) for Chrome users on Windows. This development, announced by the Google Account Security and Chrome teams, aims to prevent session hijacking—a common method used by attackers to gain unauthorized access to user accounts.
Strengthening Security Measures
The feature is expected to reach macOS soon. It marks a shift for the industry from reactive detection of session theft toward proactive prevention. Session theft typically begins when a user inadvertently runs infostealer malware such as the LummaC2 family, which reads the session cookies the browser has stored. An attacker who replays those cookies inherits an already-authenticated session and bypasses the login process.
Historically, preventing malware from accessing browser memory through software alone has been challenging, so security teams have largely had to rely on detecting a breach after the fact. DBSC aims to change this dynamic by tying each authentication session to the user's physical device with hardware-backed key storage.
How DBSC Works
DBSC uses hardware-backed key storage such as the Trusted Platform Module (TPM) or Secure Enclave to generate a unique public-private key pair at login. The private key stays inside that hardware on the device and cannot be read out or exported. Websites that support DBSC issue short-lived cookies and require Chrome to repeatedly prove that it still holds the private key before the session is renewed.
This renders a stolen session cookie ineffective: it expires quickly, and without the hardware-bound key it cannot be renewed. The integration is designed to be seamless for developers, with Chrome handling the cryptographic operations in the background.
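As an added illustration that is not part of the original article and not Google's or Chrome's own code, the following Go program models the flow described above on both sides: a fresh key pair is registered at login, the site issues a short-lived cookie, and renewing it requires signing a server challenge with the session's private key. Everything here is this example's own construction: the names Server, Session, Login, Authorize, Challenge, Refresh, refreshWith and RunScenario, the choice of Ed25519 (the article does not name an algorithm), the 10-minute cookie lifetime, and the "TPM", which is simulated by an in-memory key the program never exports. The real DBSC protocol messages are not reproduced. The scenario also exercises the caveat that a stolen cookie still works until it expires; what DBSC removes is the ability to keep the session alive afterwards.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Session is the server-side record: the cookie is bound to the public key registered at login.
type Session struct {
	PublicKey ed25519.PublicKey
	Cookie    string
	Expiry    time.Time
	Challenge []byte // outstanding nonce the client must sign to refresh
}

// Server stands in for a DBSC-aware site; the clock is injectable so cookies can expire without sleeping.
type Server struct {
	sessions map[string]*Session // session id -> session
	now      func() time.Time
	ttl      time.Duration // lifetime of each short-lived cookie
}

// token returns n random bytes as hex (crypto/rand.Read does not fail on supported platforms).
func token(n int) string {
	b := make([]byte, n)
	rand.Read(b)
	return fmt.Sprintf("%x", b)
}

// Login registers the session's public key and issues the first short-lived cookie.
func (s *Server) Login(pub ed25519.PublicKey) (id, cookie string) {
	id, cookie = token(16), token(16)
	s.sessions[id] = &Session{PublicKey: pub, Cookie: cookie, Expiry: s.now().Add(s.ttl)}
	return id, cookie
}

// Authorize is the check an ordinary request gets: a stolen cookie passes here until its short lifetime runs out.
func (s *Server) Authorize(id, cookie string) bool {
	sess, ok := s.sessions[id]
	return ok && sess.Cookie == cookie && s.now().Before(sess.Expiry)
}

// Challenge hands out a fresh single-use nonce for the next refresh.
func (s *Server) Challenge(id string) ([]byte, error) {
	sess, ok := s.sessions[id]
	if !ok {
		return nil, fmt.Errorf("unknown session %q", id)
	}
	sess.Challenge = []byte(token(32))
	return sess.Challenge, nil
}

// Refresh issues a new cookie only if the signature over the outstanding challenge verifies under the session's bound key.
func (s *Server) Refresh(id string, sig []byte) (string, error) {
	sess, ok := s.sessions[id]
	if !ok || sess.Challenge == nil {
		return "", fmt.Errorf("no outstanding challenge")
	}
	nonce := sess.Challenge
	sess.Challenge = nil // single use
	if !ed25519.Verify(sess.PublicKey, nonce, sig) {
		return "", fmt.Errorf("proof of possession failed")
	}
	sess.Cookie, sess.Expiry = token(16), s.now().Add(s.ttl)
	return sess.Cookie, nil
}

// refreshWith is the browser side: fetch the nonce, sign it, collect the new cookie. In real DBSC the
// signing happens inside the TPM/Secure Enclave; here priv is an in-memory key the program never exports.
func refreshWith(s *Server, id string, priv ed25519.PrivateKey) (string, error) {
	nonce, err := s.Challenge(id)
	if err != nil {
		return "", err
	}
	return s.Refresh(id, ed25519.Sign(priv, nonce))
}

type Outcome struct{ ThiefBeforeExpiry, ThiefAfterExpiry, ThiefCanRefresh, OwnerCanRefresh bool }

// RunScenario plays out session theft against a site whose cookies live for ttl.
func RunScenario(ttl time.Duration) Outcome {
	clock := time.Unix(0, 0)
	srv := &Server{sessions: map[string]*Session{}, now: func() time.Time { return clock }, ttl: ttl}
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader) // fresh key pair for this login only
	id, stolenCookie := srv.Login(ownerPub)                    // cookie later exfiltrated by malware
	before := srv.Authorize(id, stolenCookie)
	clock = clock.Add(ttl + time.Second) // the short-lived cookie expires
	after := srv.Authorize(id, stolenCookie)
	_, thiefPriv, _ := ed25519.GenerateKey(rand.Reader) // thief lacks the device key and signs with its own
	_, thiefErr := refreshWith(srv, id, thiefPriv)
	newCookie, ownerErr := refreshWith(srv, id, ownerPriv)
	return Outcome{before, after, thiefErr == nil, ownerErr == nil && srv.Authorize(id, newCookie)}
}

func main() {
	fmt.Printf("%+v\n", RunScenario(10*time.Minute))
}
```

Running it with `go run` prints an Outcome whose four fields are true, false, false, true: the stolen cookie authorizes requests inside its lifetime, is rejected once that lifetime passes, cannot be renewed by anyone without the bound private key, and is renewed without friction by the browser that still holds it. Generating the key pair inside RunScenario (once per login, not once per device) is the per-session key property from the Privacy section: the public key a site sees is never reused elsewhere.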
Privacy and Future Developments
Despite its robust security capabilities, DBSC is built with privacy in mind. Each session uses a separate key, ensuring that websites cannot track users across different sites or correlate their browsing habits. This minimizes the potential for device fingerprinting while maintaining security.
Google worked alongside the W3C Web Application Security Working Group and partners like Microsoft to develop DBSC as an open web standard. The company plans to broaden DBSC’s application to safeguard federated identity and Single Sign-On (SSO) environments. Additionally, efforts are underway to enhance registration options with existing hardware security keys and explore software-based key support for devices lacking physical security hardware.
