Google has developed a new prototype feature for the Chrome browser, aimed at combating hacking attempts that use malware to steal browser cookies and hijack online accounts.
The new technology, named “Device Bound Session Credentials,” uses public key cryptography to stop attackers from hijacking login sessions with stolen cookies.
Internet cookies are small text files stored on your computer by your web browser. They help websites remember your preferences, like login details, so you don’t have to re-enter them every time you visit. However, these cookies become a security weakness if a hacker infects your computer with malware: the malware can simply copy the cookies and use them to access your online accounts without ever needing your password.
“Cookie theft like this happens after login, so it bypasses two-factor authentication and any other login-time reputation checks,” Google software engineer Kristian Monsen explains in a blog post. “It’s also difficult to mitigate via antivirus software since the stolen cookies continue to work even after the malware is detected and removed.”
To address this issue, Google is working on a way to “bind” authentication cookies to the user’s PC by combining them with public key cryptography. Whenever the browser starts a new login session, it generates a cryptographic key on the user’s PC; that key is then used to prove directly to the website’s server that the login is legitimate, adding a layer of protection that a stolen cookie on its own cannot pass.
To ensure the encryption keys are secure, Google plans to store them within a Windows PC’s Trusted Platform Module (TPM) chip. This chip is purpose-built for safeguarding cryptographic keys and verifying the integrity of the operating system — and it’s now a requirement for running Windows 11.
A website can then use an API to check that the key presented for a login session is the one the session was bound to, confirming that the cookie is still being used from the authorized device rather than by someone who copied it.
“This ensures the session is still on the same device, enforcing it at regular intervals set by the server,” Monsen said. “We think this will substantially reduce the success rate of cookie theft malware. Attackers would be forced to act locally on the device, which makes on-device detection and cleanup more effective, both for anti-virus software as well as for enterprise managed devices.”
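The binding and periodic check described above, as an added illustration that is not Google’s or Chrome’s code: an in-memory server records the public key a session cookie was bound to at login, hands out a fresh nonce at each refresh, and only keeps the session alive if the holder can sign that nonce with the matching private key. The `Device` type stands in for the TPM-resident key, and the `sid-N` cookie values are constructed placeholders, not a real cookie format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Server keeps, per session cookie, the public key bound at login and the outstanding nonce.
type Server struct {
	bound map[string]*ecdsa.PublicKey
	nonce map[string][]byte
}

func NewServer() *Server { return &Server{map[string]*ecdsa.PublicKey{}, map[string][]byte{}} }

// Login issues a session cookie (constructed sequential id) and records the device key it is bound to.
func (s *Server) Login(pub *ecdsa.PublicKey) string {
	cookie := fmt.Sprintf("sid-%d", len(s.bound)+1)
	s.bound[cookie] = pub
	return cookie
}

// Challenge hands out a fresh nonce that the cookie holder must sign to keep the session alive.
func (s *Server) Challenge(cookie string) []byte {
	n := make([]byte, 32)
	rand.Read(n)
	s.nonce[cookie] = n
	return n
}

// Refresh accepts the session only if sig is a valid signature over the outstanding nonce
// under the bound key; a cookie copied off the device cannot produce one.
func (s *Server) Refresh(cookie string, sig []byte) bool {
	pub, n := s.bound[cookie], s.nonce[cookie]
	if pub == nil || n == nil {
		return false
	}
	delete(s.nonce, cookie) // single use, so a captured response cannot be replayed
	h := sha256.Sum256(n)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Device stands in for the TPM-resident key pair: the private half never leaves this struct.
type Device struct{ priv *ecdsa.PrivateKey }

func NewDevice() *Device { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return &Device{k} }

func (d *Device) Public() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign answers a challenge; the server checks it against the public key bound at login.
func (d *Device) Sign(nonce []byte) []byte {
	h := sha256.Sum256(nonce)
	sig, _ := ecdsa.SignASN1(rand.Reader, d.priv, h[:])
	return sig
}
```

With this shape, a cookie exfiltrated by malware is useless at the next server-enforced refresh, which is the point Monsen makes about forcing attackers to act on the device itself.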
Google aims to make this project an “open web standard,” so that the protection benefits users across the whole web, and plans to have a fully operational trial of the technology ready by the end of 2024.