Google Chrome DBSC Security Protects Windows Users Through Hardware Bound Session Verification

Google Implements Device Bound Session Credentials in Chrome to Prevent Session Hijacking Through Hardware Verification and Trusted Platform Modules

Google has implemented global DBSC testing to improve Chrome browser security protection. The browser vendor has reached a major milestone in its fight against session hijacking with the public release of Device Bound Session Credentials (DBSC). The protection now covers Windows users in Chrome 146, which introduces a new method of validating authentication tokens through hardware verification instead of traditional cookie-based access.

A black market for session tokens has developed because information-stealing malware, including Vidar, Atomic, and Lumma variants, has become so widespread. By scraping cookies, threat actors can access sensitive accounts without entering passwords or completing multi-factor authentication. Google's Chrome and Account Security divisions declared through their upcoming security briefing that current security conditions require protections that keep credentials tied to their original machine, so that a stolen cookie is no longer a portable credential.

Architecturally, DBSC uses the Trusted Platform Module (TPM) on Windows devices to create cryptographic key pairs. The browser session establishes a distinct public/private key pair that remains locked inside the device's hardware throughout its operational period. Instead of simply accepting the browser cookie, the server requires the client to prove its identity using the private key stored in the hardware module. An intercepted cookie is therefore useless to an attacker, because the private key stays in hardware and cannot be moved off the device.
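The proof-of-possession check described above, as a simplified Node.js model. This is an added example, not Google's code and not the DBSC wire format; the class names, the in-memory session store and the software P-256 key standing in for the TPM-held key are assumptions.

```javascript
// Simplified model of a device-bound session; NOT the DBSC wire format.
// Assumption: a software P-256 key stands in for the TPM-held private key.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto")
  : process.getBuiltinModule("node:crypto");

class Device {
  constructor() {
    const pair = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
    this.privateKey = pair.privateKey; // stays on the device, never sent
    this.publicKeyPem = pair.publicKey.export({ type: "spki", format: "pem" });
  }
  sign(challenge) {
    return nodeCrypto.sign("sha256", challenge, this.privateKey);
  }
}

class SessionServer {
  constructor() {
    this.sessions = new Map(); // cookie -> { publicKey, challenge }
  }
  // Registration: bind the session cookie to the client's public key.
  register(publicKeyPem) {
    const cookie = nodeCrypto.randomBytes(16).toString("hex");
    this.sessions.set(cookie, { publicKey: publicKeyPem, challenge: null });
    return cookie;
  }
  // Issue a fresh challenge for the session named by the cookie.
  challenge(cookie) {
    const s = this.sessions.get(cookie);
    if (!s) return null;
    s.challenge = nodeCrypto.randomBytes(32);
    return s.challenge;
  }
  // The cookie alone is not enough: the signature over the outstanding
  // challenge must verify against the key registered for this session.
  verify(cookie, signature) {
    const s = this.sessions.get(cookie);
    if (!s || !s.challenge) return false;
    const nonce = s.challenge;
    s.challenge = null; // single use, so an old signature cannot be replayed
    return nodeCrypto.verify("sha256", nonce, s.publicKey, signature);
  }
}

// Returns true only when the presenting device holds the registered key.
function present(server, cookie, device) {
  return server.verify(cookie, device.sign(server.challenge(cookie)));
}
```

Calling `present` with the registering `Device` succeeds, while the same cookie presented from a second `Device` instance fails because its signature does not verify against the registered public key.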

Google stated that, although the protocol relies on hardware, it protects user privacy because it does not allow device fingerprinting or cross-site tracking. The system has minimal resource requirements because it sends only the session public key, which is used to prove ownership. Google has partnered with Microsoft to establish DBSC as an open web standard for the industry, with the aim of making session theft an unprofitable venture for threat actors.

The company has announced that Secure Enclave support will come to macOS in a future update; the current rollout applies only to Windows systems. On devices that do not have hardware security modules, the system falls back to standard authentication protocols, so that users can continue to use the system while it protects their privacy through its January 2023 'privacy by design' standard.

About the author

mgtid