How Google plans to make stolen session cookies worthless for attackers
Google is working on a new security feature for Chrome called Device Bound Session Credentials (DBSC), meant to prevent attackers from using stolen session cookies to gain access to user accounts.
Session (i.e., authentication) cookies are set by a website and stored by the browser once a user has logged in. An attacker who gets hold of them can mount a "pass-the-cookie" attack: injecting the stolen cookies into a new browser session lets them impersonate the original user without authenticating themselves, so neither the password nor any second factor is needed.
Disrupting the cookie theft ecosystem
For some time now, attackers have been stealing session cookies, usually with information-stealing malware running on the victim's machine, because a valid cookie lets them bypass multi-factor authentication: the login that MFA protected has already happened.
DBSC intends to bind authentication sessions to the device, so that stolen cookies become worthless to attackers unless they are able to act locally on that device. Forcing them to do so makes their presence more likely to be detected, says Kristian Monsen, a senior software engineer with Google's Chrome Counter Abuse team.
“At a high level, the DBSC API lets a server start a new session with a specific browser on a device. When the browser starts a new session, it creates a new public/private key pair locally on the device, and uses the operating system to safely store the private key in a way that makes it hard to export,” he explained.
“Chrome will use facilities such as Trusted Platform Modules (TPMs) for key protection, which are becoming more commonplace and are required for Windows 11, and we are looking at supporting software-isolated solutions as well.”
Each session is associated with a public key. The server can check whether the browser accessing the resource still holds the corresponding private key, and does so repeatedly throughout the session lifetime to confirm that the session is still on the same device.
“To make this feasible from a latency standpoint and to aid migrations of existing cookie-based solutions, DBSC uses these keys to maintain the freshness of short-lived cookies through a dedicated DBSC-defined endpoint on the website. This happens out-of-band from regular web traffic, reducing the changes needed to legacy websites and apps,” Monsen added.
No online tracking
These keys can't be used to track users online, Monsen assures: DBSC does not enable sites to correlate keys from different sessions on the same device, and users will be able to delete the keys whenever they want.
“DBSC will be fully aligned with the phase-out of third-party cookies in Chrome. In third-party contexts, DBSC will have the same availability and/or segmentation that third-party cookies will, as set by user preferences and other factors. This is to make sure that DBSC does not become a new tracking vector once third-party cookies are phased out, while also ensuring that such cookies can be fully protected in the meantime,” he noted.
“If the user completely opts out of cookies, third-party cookies, or cookies for a specific site, this will disable DBSC in those scenarios as well.”
DBSC: An open web standard?
This feature is still in the works and experimental, currently limited to some users running Chrome Beta; Google plans to make it available for developers to try out by the end of the year.
Google also hopes that DBSC will become an open web standard.
“Many server providers, identity providers (IdPs) such as Okta, and browsers such as Microsoft Edge have expressed interest in DBSC as they want to secure their users against cookie theft. We are engaging with all interested parties to make sure we can present a standard that works for different kinds of websites in a privacy preserving way,” Monsen shared.