Google has rolled out Device Bound Session Credentials (DBSC) protection in Chrome 146 for Windows, designed to block info-stealing malware from harvesting session cookies.
macOS users will benefit from this security feature in a future Chrome release that has yet to be announced.
The protection was first announced in 2024. It works by cryptographically binding a user's session to that machine's security chip: the Trusted Platform Module (TPM) on Windows and the Secure Enclave on macOS.
Because the unique public/private key pair that protects the session data is generated inside the security chip, the private key cannot be exported from the machine. An attacker who steals the session data therefore cannot use it elsewhere, since the private key it depends on never leaves the device.
“The issuance of new short-lived session cookies is contingent upon Chrome proving possession of the corresponding private key to the server,” Google says in an announcement today.
Without this key, any exfiltrated session cookie expires and becomes useless to an attacker almost immediately.
[Figure: Browser-server interaction in the context of the DBSC protocol (source: Google)]
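The refresh exchange described above, as an added example that is not Google's code or Chrome's implementation: the server records the device's public key at session start, then reissues a short-lived cookie only after the browser signs a fresh challenge with the bound private key. It assumes an in-memory ECDSA P-256 key standing in for the TPM- or Secure Enclave-held key, and the names Session, Device, Register, Refresh and CookieValid are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"time"
)

// Session is the server's record for one device-bound session (hypothetical
// shape); its short-lived cookie is reissued only after proof of possession.
type Session struct {
	PubKey  *ecdsa.PublicKey
	Cookie  string
	Expires time.Time
}
// Device stands in for the browser plus its hardware-backed key. Chrome keeps
// the private key in the TPM / Secure Enclave; here it is an in-memory P-256 key.
type Device struct{ priv *ecdsa.PrivateKey }

func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Device{priv: k}, err
}

// Register is session start: the server records the device's public key.
func Register(d *Device) *Session { return &Session{PubKey: &d.priv.PublicKey} }
// Sign answers the server's refresh challenge with the device key.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}
// Refresh is the server side of the exchange: a challenge signed by the bound
// key mints a new short-lived cookie; any other signature is refused.
func Refresh(s *Session, challenge, sig []byte, now time.Time, ttl time.Duration) (string, bool) {
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(s.PubKey, h[:], sig) {
		return "", false
	}
	raw := make([]byte, 16)
	_, _ = rand.Read(raw)
	s.Cookie, s.Expires = hex.EncodeToString(raw), now.Add(ttl)
	return s.Cookie, true
}
// CookieValid is the ordinary per-request check: current value and unexpired.
func CookieValid(s *Session, cookie string, now time.Time) bool {
	return cookie == s.Cookie && now.Before(s.Expires)
}
```

A copied cookie still passes CookieValid until its short lifetime ends; what it cannot do is pass Refresh, because that step needs a signature from the key that never left the device.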
A session cookie acts as an authentication token, usually valid for an extended period, that the server creates once you have signed in with your username and password.