Google Introduces New Chrome Feature to Combat Cookie Hijacking

Penka Hristovska
Penka Hristovska Senior Editor
Updated on: April 10, 2024
Penka Hristovska Penka Hristovska
Updated on: April 10, 2024 Senior Editor

Google has developed a new prototype feature for the Chrome browser, aimed at combating hacking attempts that use malware to steal browser cookies and hijack online accounts.

The new technology, named “Device Bound Session Credentials,” uses encryption to block hackers from hijacking login sessions via cookie theft.

Internet cookies are small text files stored on your computer by your web browser. They help websites remember your preferences, like login details, so you don’t have to re-enter them every time you visit. However, these cookies become a security vulnerability if a hacker infects your computer with malware, as they can easily steal these cookies to access your online accounts without needing your password.

“Cookie theft like this happens after login, so it bypasses two-factor authentication and any other login-time reputation checks,” Google software engineer Kristian Monsen explains in a blog post. “It’s also difficult to mitigate via antivirus software since the stolen cookies continue to work even after the malware is detected and removed.”

To address this issue, Google is working on a way to “bind” authentication cookies to the user’s PC, a strategy that involves incorporating public key cryptography with the cookies. This means that whenever a browser initiates a new login session, it will generate an encryption key right on the user’s PC. This key is used to confirm that the login is legitimate directly with the website’s server, adding an extra layer of security to thwart unauthorized access.

To ensure the encryption keys are secure, Google plans to store them within a Windows PC’s Trusted Platform Module (TPM) chip. This chip is purpose-built for safeguarding cryptographic keys and verifying the integrity of the operating system — and it’s now a requirement for running Windows 11.

A website can then confirm the authenticity of an authentication cookie by using an API that checks the legitimacy of the encryption key associated with a login session, ensuring that the session is secure and authorized.

“This ensures the session is still on the same device, enforcing it at regular intervals set by the server,” Monsen said. “We think this will substantially reduce the success rate of cookie theft malware. Attackers would be forced to act locally on the device, which makes on-device detection and cleanup more effective, both for anti-virus software as well as for enterprise managed devices.”

Google aims to make this project an “open web standard,” enhancing security for all users across the web, and plans on having a fully operational trial of this technology ready by the end of 2024.

About the Author
Penka Hristovska
Penka Hristovska
Senior Editor
Updated on: April 10, 2024

About the Author

Penka Hristovska is an editor at SafetyDetectives. She was an editor at several review sites that covered all things technology — including VPNs and password managers — and had previously written on various topics, from online security and gaming to computer hardware. She’s highly interested in the latest developments in the cybersecurity space and enjoys learning about new trends in the tech sector. When she’s not in “research mode,” she’s probably re-watching Lord of The Rings or playing DOTA 2 with her friends.

Leave a Comment