medium advisory

Google Chrome Device Bound Session Credentials (DBSC) Mitigates Cookie Theft

Google's rollout of Device Bound Session Credentials (DBSC) in Chrome 146 for Windows, with a future release planned for macOS, cryptographically binds authentication sessions to the user's device, rendering stolen session cookies unusable and mitigating credential access.

Google has introduced Device Bound Session Credentials (DBSC) in Chrome 146 for Windows to combat session cookie theft, with a macOS version planned for a future release. This feature, initially announced in April 2024, aims to protect user accounts from compromise by rendering stolen authentication cookies useless. Session cookies are often stolen using information-stealing malware and traded on cybercrime platforms, allowing attackers to access accounts without passwords. DBSC mitigates this threat by cryptographically binding authentication sessions to the user’s device, leveraging hardware-backed security modules to generate unique public/private key pairs. This ensures that even if cookies are exfiltrated, they quickly expire and become unusable, enhancing overall security for Chrome users. Websites can adopt DBSC via registration and refresh endpoints.

Attack Chain

  1. The attacker deploys information-stealing malware on a victim’s Windows or macOS system.
  2. The malware gains access to the browser’s local files and memory, where authentication cookies are stored.
  3. The malware exfiltrates the stolen session cookies to a command-and-control server.
  4. The attacker attempts to use the stolen session cookies to access the victim’s accounts on various web platforms.
  5. If DBSC is not implemented, the attacker successfully gains unauthorized access to the user’s accounts.
  6. If DBSC is implemented, Chrome checks for device-bound credentials.
  7. The web server requires proof of possession of the private key associated with the session. Since the attacker lacks this key, the exfiltrated cookies are useless.
  8. The attacker’s attempt to access the account is blocked, preventing unauthorized access.

Impact

The successful exploitation of stolen session cookies can lead to unauthorized access to user accounts across various platforms, potentially resulting in data breaches, financial loss, and reputational damage. While the article does not cite specific victim counts or sectors affected, the widespread use of Chrome and the prevalence of cookie-stealing malware make this a significant threat. The implementation of DBSC aims to significantly reduce the risk of account compromise via stolen cookies.

Recommendation

  • Detection engineers should familiarize themselves with the concept and deployment of Device Bound Session Credentials (DBSC) to understand its impact on existing detection strategies.
  • Monitor for the presence of information-stealing malware that targets browser cookie storage locations using file_event and process_creation log sources.
  • Consider deploying the Sigma rules listed under Detection coverage to detect anomalous processes accessing browser cookie storage locations and identify potential cookie theft attempts.
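
The monitoring recommended above, sketched as an added example (it is not the platform's Sigma rule, which this page does not show): it flags file events where a process outside Chrome's install path touches a Chrome cookie database. The `Image` and `TargetFilename` field names, the default cookie locations, the install-path allowlist and the sample events are assumptions constructed for illustration.

```python
import re

# Chrome cookie database under any profile directory (assumed default locations).
# Newer Windows builds keep the file under the profile's Network\ subfolder.
COOKIE_PATHS = [
    re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Network\\)?Cookies(-journal)?$", re.I),
    re.compile(r"/Library/Application Support/Google/Chrome/[^/]+/Cookies(-journal)?$"),
]

# Assumed allowlist: full install paths of the browser itself. Tune per environment.
# Matching the full path matters: a basename check would accept any file named chrome.exe.
EXPECTED_IMAGES = [
    re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\Google\\Chrome\\Application\\chrome\.exe$", re.I),
    re.compile(r"^/Applications/Google Chrome\.app/Contents/"),
]

def is_cookie_store(path):
    return any(p.search(path) for p in COOKIE_PATHS)

def is_expected(image):
    return any(p.search(image) for p in EXPECTED_IMAGES)

def suspicious_cookie_access(events):
    """Return events where a non-browser image touches a Chrome cookie database."""
    hits = []
    for ev in events:
        target, image = ev.get("TargetFilename", ""), ev.get("Image", "")
        if is_cookie_store(target) and not is_expected(image):
            hits.append(ev)
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\chrome.exe",  # browser name, wrong location
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Profile 1\Network\Cookies"},
    {"Image": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
     "TargetFilename": "/Users/bob/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"Image": "/private/tmp/updater",
     "TargetFilename": "/Users/bob/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\Documents\Cookies.txt"},
]

if __name__ == "__main__":
    for ev in suspicious_cookie_access(SAMPLE_EVENTS):
        print("ALERT", ev["Image"], "->", ev["TargetFilename"])
```

Backup agents, endpoint security tools and other software that legitimately reads browser profiles will also match and need allowlist entries of their own.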

Detection coverage (2 rules)

Detect Process Accessing Chrome Cookie Files

medium

Detects processes attempting to access Chrome cookie files, potentially indicating cookie theft.

Format: sigma | Tactics: credential_access | Techniques: T1539 | Sources: file_event, windows

Detect Process Accessing Chrome Cookie Files (MacOS)

medium

Detects processes attempting to access Chrome cookie files on macOS, potentially indicating cookie theft.

Format: sigma | Tactics: credential_access | Techniques: T1539 | Sources: file_event, macos
