Google Chrome Update Disrupts Infostealer Cookie Theft

Summary

Google has released Device Bound Session Credentials (DBSC) in Chrome 146 for Windows, a security feature that binds login sessions to hardware security chips (TPM) to prevent infostealers from using stolen session cookies. The feature uses short-lived cookies linked to device-specific keys that cannot be exfiltrated, effectively blocking cookie-based account hijacking even if malware compromises a device. Google collaborated with Microsoft and saw reduced successful attacks during early testing, with macOS support planned.

Full text

Security MalwareGoogle Chrome Update Disrupts Infostealer Cookie Theft Google adds Device Bound Session Credentials (DBSC) to Chrome 146, using hardware keys to block infostealer use of stolen session cookies on Windows. byDeeba AhmedApril 11, 20262 minute read Google has launched a new security feature for Chrome on Windows to prevent session theft by hackers. This update, called Device Bound Session Credentials (DBSC), is now available for Chrome 146 users. It aims to solve a common problem where scammers use infostealer malware to steal session cookies from a computer. Cookies are basically small files that websites use to remember you, so you don’t have to log in every time. Google’s Chrome and Account Security teams noted in the official Google Security blog that “session theft typically occurs when a user inadvertently downloads malware onto their device.” If a hacker steals these cookies, they can hijack your accounts without needing your password. Researchers explain that this “cookie exfiltration” is difficult to thwart because when malware like LummaC2 or Vidar compromises a device, it can easily see the files and memory where the browser stores this information. “DBSC fundamentally changes the web’s capability to defend against this threat by shifting the paradigm from reactive detection to proactive prevention, ensuring that successfully exfiltrated cookies cannot be used to access users’ accounts,” explained the Google Account Security team. How the new security works The new system addresses this issue by linking your login session directly to your computer using a special security chip inside your machine, known as the Trusted Platform Module (TPM) on Windows or the Secure Enclave on macOS. The browser creates a unique public/private key pair that stays on your computer and cannot be moved to another device. Now, when you use a website, Chrome has to prove it has that private key before the server will give it a new cookie. These cookies are also short-lived, which is an important feature because a hacker cannot steal the key from your hardware; any cookies they do manage to grab will expire and become useless almost immediately. Google has already seen a drop in successful attacks during ‘Origin Trials’ (early testing) in collaboration with other web platforms like Okta, the blog post reveals. DBSC mechanism explained (Source: Google) Protecting privacy and national security Google worked with Microsoft to make sure this new tech doesn’t track users, and each website gets a different key. This means companies cannot use this feature to fingerprint devices or to track your online activity across different sites. While Windows users have the update now, Google plans to bring it to macOS soon. This update arrives at a critical time, given that infostealers mainly rely on simple human error to succeed and not complex hacking. Last year, Hackread.com reported that over 30 million computers worldwide had been infected, with one-in-five devices holding sensitive corporate details. The targets included high-profile organisations like the Pentagon, the FBI, and major defence contractors like Lockheed Martin and Honeywell. In those instances, hackers stole credentials and session cookies to sell access to military and government files for as low as $10. Through DBSC, Google hopes to stop hackers from bypassing two-factor authentication with stolen data and prevent similar security breaches. Deeba Ahmed Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage. View Posts ChromeCookieCybersecurityDBSCGoogleInfostealerMalware Leave a Reply Cancel reply View Comments (0) Related Posts Security Cyber Attacks Cyber Crime Malware Air-conditioned apocalypse: A blackout scenario involving smart climate control devices Science fiction movies often depict various situations related to cybercriminals’ activity. These can include predicaments where threat actors… byDavid Balaban Read More Artificial Intelligence Security Mozilla 0Din Warns of ChatGPT Sandbox Flaws Enabling Python Execution Mozilla’s 0Din uncovers critical flaws in ChatGPT’s sandbox, allowing Python code execution and access to internal configurations. OpenAI… byWaqas Malware Security Cloud video platform abused in web skimmer attack against real estate sites New Web Skimmer Campaign Exploiting Cloud Video Distribution Supply Chain to Target Real Estate Sites. byDeeba Ahmed Cyber Crime Malware Scams and Fraud Security Two hackers arrested after a decade of selling malware Ruslan Bondars and Jurijs Martisevs were identified as the main culprits behind a crime in which they were… byJahanzaib Hassan

Indicators of Compromise

• malware — LummaC2
• malware — Vidar

Entities