- Google is working on Device Bound Session Credentials (DBSC) for Chrome that will put a stop to session hijacking attacks.
- Also known as cookie theft, this allows attackers to gain access to your online accounts, bypassing even 2FA.
- You can turn on DBSC on Chrome by enabling a Chrome flag.
A year ago, the YouTube account of Linus Tech Tips was hacked. Despite a round-the-clock investigation by the YouTube team, the hackers kept streaming crypto scams on the YouTube channel. Later, it was discovered that attackers could access all of LTT’s YouTube channel and it was possible because of cookie theft aka session hijacking.
An employee launched an attachment received via email, which seemed like a PDF file, but it was a malware-ridden executable. The malware ran on the system, decrypted the cookie database, and sent the session token to the attacker.
With session hijacking, an attacker can access any of your signed-in accounts stored in the browser, not just YouTube, even circumventing 2FA or multi-factor authentication.
Google has itself documented such cookie theft malware that targeted YouTube creators. Not just YouTube creators, this can happen to anyone. A case closer to home: my brother’s Twitter account was recently hacked using the same cookie theft technique.
Now to put a stop on cookie theft, Google has come up with a novel solution called Device Bound Session Credentials (DBSC). It basically binds the authentication session to the device, making it nearly impossible to use the stolen token on another device by an attacker.
For this, Google is using TPM (Trusted Platform Modules) to store the private keys securely on the device. So even if the attacker gets access to the stolen cookie, it won’t be of any value because it can’t be used to authenticate on another device.
Google is already prototyping DBSC and it’s available on the stable channel of Google Chrome version 123.0.6312.123 or later. You will have to enable a flag to turn on DBSC. Here’s how to do it.
How to Enable DBSC on Google Chrome
- Launch
chrome://flagsin your Chrome browser. - Search for “Device Bound Session Credentials” and enable it. You can also copy and paste the below address directly into the browser.
chrome://flags/#enable-bound-session-credentials
- Now, simply restart your browser and you are done. You won’t see any change in how you interact with your online accounts.
So this is how you can enable DBSC in Chrome and protect your online accounts from cookie theft. A word of caution, do not download PDFs, attachments, and executables from untrustworthy websites and via unsuspecting emails. Most importantly, do not run them immediately on your PC. You can use VirusTotal (visit) to do a safety check first or use a good antivirus to scan the file.
Anyway, that is all from us. If you want to enhance your Chrome security, you can go through our linked tutorial. And if you have any questions, let us know in the comment section below.
