Google has introduced a new Chrome security feature called “Device Bound Session Credentials” (DBSC). This feature ties cookies to a specific device, preventing hackers from stealing and using them to take over user accounts.

Understanding cookies and cookie-stealing malware

Cookies are small files that websites use to store browsing information, making online experiences easier. However, they are also targeted by hackers for unauthorized access to accounts.

Hackers often use malware to steal cookies, gaining access to user accounts. Malware-as-a-service operators spread this type of malware through social engineering, convincing users to install it.

Once installed, the malware extracts authentication cookies, allowing attackers to sell compromised accounts.

Introducing Device Bound Session Credentials (DBSC)

To address this issue, Google is developing a new web capability known as Device Bound Session Credentials (DBSC).

By associating authentication sessions with the device, DBSC aims to disrupt the cookie-stealing industry, rendering stolen cookies useless.

This change forces attackers to operate locally on the device, facilitating more effective detection and cleanup efforts. Key features include:

Technical solution: DBSC

At its core, the DBSC API allows servers to initiate sessions with specific browsers on devices. Each session generates a unique public/private key pair stored securely on the device, making it challenging for attackers to exploit.

This solution uses Trusted Platform Modules (TPM) for key protection and maintains the freshness of short-lived cookies through a dedicated endpoint defined by DBSC.

  • Preserving user privacy: DBSC protects user privacy by preventing sites from correlating keys from different sessions on the same device. Users can remove keys at any time and DBSC does not disclose device information beyond its ability to provide secure storage.
  • Improved user protection: Google is experimenting with DBSC to protect Chrome Beta users. Once fully deployed, DBSC will improve the security of Google accounts automatically, benefiting both consumers and business users.
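
The mechanism described under "Technical solution" above (a per-session key pair whose private half stays on the device, plus a refresh endpoint for short-lived cookies) can be modelled as follows. This is an added illustration, not Google's code or the DBSC wire format; the function names, the challenge format, the 600-second lifetime and the in-memory session store are assumptions, and the key here lives in process memory rather than in a TPM.

```javascript
// Simplified model of device-bound session refresh (hypothetical names throughout).
const nodeCrypto = require('crypto');

const sessions = new Map(); // sessionId -> { publicKeyPem, challenge }

// Session start: the server stores only the public key the browser registered.
function registerSession(sessionId, publicKeyPem) {
  sessions.set(sessionId, { publicKeyPem, challenge: null });
}

// Refresh, step 1: hand out a fresh, single-use challenge for this session.
function issueChallenge(sessionId) {
  const s = sessions.get(sessionId);
  if (!s) return null;
  s.challenge = nodeCrypto.randomBytes(32).toString('base64url');
  return s.challenge;
}

// Refresh, step 2: mint a short-lived cookie only if the challenge was signed
// by the private key bound to this session (ttlSeconds is an assumed lifetime).
function refreshCookie(sessionId, signatureB64, ttlSeconds = 600) {
  const s = sessions.get(sessionId);
  if (!s || !s.challenge) return null;
  const message = Buffer.from(`${sessionId}.${s.challenge}`);
  s.challenge = null; // consume it so a captured signature cannot be replayed
  let valid = false;
  try {
    valid = nodeCrypto.verify('sha256', message, s.publicKeyPem,
      Buffer.from(signatureB64, 'base64url'));
  } catch {
    valid = false; // malformed signature or key
  }
  if (!valid) return null;
  return {
    value: nodeCrypto.randomBytes(16).toString('hex'),
    expiresAt: Date.now() + ttlSeconds * 1000,
  };
}

// Browser side, constructed for the demo: the private key never leaves this closure.
function makeDevice() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    sign: (sessionId, challenge) => nodeCrypto
      .sign('sha256', Buffer.from(`${sessionId}.${challenge}`), privateKey)
      .toString('base64url'),
  };
}
```

In this model a copied cookie stops working once its short lifetime ends, because renewing it requires a signature from the key that stayed on the original device.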

While still in the prototype stage, DBSC can be tested by enabling the “enable bound session credentials” flag in Chromium-based browsers.

Interest beyond Google

Several server vendors, identity providers (IdPs) and browsers have shown interest in DBSC, highlighting the industry's broader support for enhanced security measures.

Google is actively working with stakeholders to develop a standard that fits various types of websites while preserving user privacy.


Development updates and announcements about DBSC are available on GitHub.

Google aims to make it easier to verify the origin of interested websites by the end of 2024 and invites participation and feedback from all parties interested in strengthening online security.
