Google has a new way to try and stop cookie theft leading to possible cyberattacks

HTTPS in a browser address bar
(Image credit: Shutterstock)

Google wants to put an end to browser cookie theft by making today’s cookies practically worthless.

In an announcement on its Chromium blog, Google revealed it is working on a new model that binds user sessions to the actual devices, rather than the browser. That should give antivirus solutions and other endpoint protection tools a better fighting chance against hackers.

Lately, cookies have become a popular target for threat actors, as they grant access to various accounts, even with multi-factor authentication (MFA) enabled. They can be extracted with infostealing malware and, even if a subsequent antivirus scan removes it, will remain active and useful to the attackers.

Substantial reduction

To tackle the problem, Google’s engineering team is working on something they call Device Bound Session Credentials (DBSC), a new web capability “that will help keep users more secure against cookie theft”. 

The project is being developed in the open at github.com/WICG/dbsc, Google said, adding that the goal is for the project to become an open web standard. 

BDSC will bind authentication sessions to the actual device, rendering cookies practically worthless. “We think this will substantially reduce the success rate of cookie theft malware,” Google said. Furthermore, for account theft to work in the new environment, the attackers would need to act locally, on the device, which will be somewhat more difficult due to antivirus and other protection tools. 

Finally, Google added that many server providers, identity providers, and browsers, said they were interested in the project, as well. “We are engaging with all interested parties to make sure we can present a standard that works for different kinds of websites in a privacy preserving way.”

Eliminating cookie theft would definitely improve the security standing of many organizations, but we’re fairly certain threat actors would again find a way to compromise user accounts.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

TOPICS