Google has a new way to try and stop cookie theft leading to possible cyberattacks

Pls share this post


Listen to this article

Google wants to put an end to browser cookie theft by making today’s cookies practically worthless.

In an announcement on its Chromium blog, Google revealed it is working on a new model that binds user sessions to the actual devices, rather than the browser. That should give antivirus solutions and other endpoint protection tools a better fighting chance against hackers.

Lately, cookies have become a popular target for threat actors, as they grant access to various accounts, even with multi-factor authentication (MFA) enabled. They can be extracted with infostealing malware and, even if a subsequent antivirus scan removes it, will remain active and useful to the attackers.

READ ALSO  TSMC bounces back after Taiwan earthquake — top chipmaker says its production is already back up to speed, despite devastating quake

Substantial reduction

To tackle the problem, Google’s engineering team is working on something they call Device Bound Session Credentials (DBSC), a new web capability “that will help keep users more secure against cookie theft”. 

The project is being developed in the open at github.com/WICG/dbsc, Google said, adding that the goal is for the project to become an open web standard. 

BDSC will bind authentication sessions to the actual device, rendering cookies practically worthless. “We think this will substantially reduce the success rate of cookie theft malware,” Google said. Furthermore, for account theft to work in the new environment, the attackers would need to act locally, on the device, which will be somewhat more difficult due to antivirus and other protection tools. 

READ ALSO  Ivanti Pulse Secure was using decade-old Linux and outdated libraries — no wonder it was such a popular target for hackers

Finally, Google added that many server providers, identity providers, and browsers, said they were interested in the project, as well. “We are engaging with all interested parties to make sure we can present a standard that works for different kinds of websites in a privacy preserving way.”

Eliminating cookie theft would definitely improve the security standing of many organizations, but we’re fairly certain threat actors would again find a way to compromise user accounts.

More from TechRadar Pro

READ ALSO  WordPress websites are being hacked to hijack your browser — and then attack other sites

Source



Pls share this post
Previous articleWWE makes C4 Energy its first energy-drink partner, will sponsor WrestleMania 40 skycam
Next article
WWDC 2024: AI, iOS 18, and everything we’re expecting from Apple’s big show