
Novel anti-cookie theft feature in Chrome detailed


BleepingComputer reports that Google has been working on curbing browser cookie theft with the new Device Bound Session Credentials functionality in Chrome as it prepares to remove third-party cookies from the browser.

The feature, which can be used by activating the "enable-bound-session-credentials" flag, would bind authentication sessions to device-generated public/private key pairs, a technique that could significantly reduce the success of cookie-theft malware, according to Google Chrome Counter Abuse Team Software Engineer Kristian Monsen.
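A simplified model of the key-binding idea described above, as an added example that is not from Google or the original report and does not reproduce Chrome's actual protocol: the server stores the device's public key with the session and accepts a request only when it carries a fresh signature from the matching private key. All function names and the challenge flow are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of a device-bound session.
// NOT Chrome's wire protocol; every name below is hypothetical.
const crypto = require('node:crypto');

const sessions = new Map(); // cookie value -> { publicKey, challenge }

// Device side: the key pair is generated on the device; the private key stays there.
function newDeviceKey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
}

// Server side: at login, store the device's public key next to the session.
function registerSession(publicKey) {
  const cookie = crypto.randomBytes(16).toString('hex');
  sessions.set(cookie, { publicKey, challenge: null });
  return cookie;
}

// Server side: issue a fresh one-time challenge for an existing session.
function issueChallenge(cookie) {
  const s = sessions.get(cookie);
  if (!s) return null;
  s.challenge = crypto.randomBytes(32).toString('hex');
  return s.challenge;
}

// Device side: prove possession of the private key by signing the challenge.
function signChallenge(privateKey, challenge) {
  return crypto.sign('sha256', Buffer.from(challenge), privateKey);
}

// Server side: the cookie alone is not enough; a valid signature over the
// outstanding challenge is required, and each challenge is single use.
function verifyRequest(cookie, signature) {
  const s = sessions.get(cookie);
  if (!s || !s.challenge || !signature) return false;
  const challenge = s.challenge;
  s.challenge = null; // consumed, so a captured signature cannot be replayed
  return crypto.verify('sha256', Buffer.from(challenge), s.publicKey, signature);
}

// Constructed scenario: the cookie value is copied to another machine, the key is not.
function demo() {
  const device = newDeviceKey();
  const other = newDeviceKey(); // key pair on a different machine
  const cookie = registerSession(device.publicKey);
  const legit = verifyRequest(cookie, signChallenge(device.privateKey, issueChallenge(cookie)));
  const stolen = verifyRequest(cookie, signChallenge(other.privateKey, issueChallenge(cookie)));
  return { legit, stolen, bare: verifyRequest(cookie, null) };
}
```

In this model a copied cookie is rejected anywhere the private key is absent, which is why session use has to happen on the original device, where endpoint tooling can observe it.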

"Attackers would be forced to act locally on the device, which makes on-device detection and cleanup more effective, both for anti-virus software as well as for enterprise managed devices," said Monsen.

Monsen added that the feature will eventually be added to Google Workspace and Google Cloud for increased security.

The development follows claims by operators of the Rhadamanthys and Lumma information-stealing malware strains that they can restore expired Google authentication cookies.
