Chrome Device Bound Session Credentials

May 30, 2026 00:07 · 10 min read
Introduction to Chrome Device Bound Session Credentials

Google has announced that the Chrome Device Bound Session Credentials (DBSC) security feature is now generally available and is rolling out to all users. This feature aims to prevent account takeovers by cryptographically binding session cookies to a specific device, making it difficult for hackers to use stolen cookies to bypass multi-factor authentication (MFA) and hijack users' accounts.

DBSC was first announced in 2024 and has been available in beta since April. It works by cryptographically linking user sessions to the device's hardware, such as the Trusted Platform Module (TPM) on Windows and the Secure Enclave on macOS. The unique public/private keys used to encrypt and decrypt sensitive data are generated by the security chip, so attackers cannot extract them, and without them a stolen session cookie cannot be used.

How DBSC Works

According to Google, DBSC "fundamentally changes the web's capability to defend against this threat by shifting the paradigm from reactive detection to proactive prevention, ensuring that successfully exfiltrated cookies cannot be used to access users' accounts." DBSC strengthens account security after users are logged in and helps bind a session cookie to the device a user authenticated from.

Even if malware is present on the user's device, DBSC reduces the risk of session theft and makes it more difficult for malicious actors to exploit stolen session cookies. Google has stated that DBSC will be enabled by default for all Google Workspace customers upon rollout, and administrators will not be able to disable it.

Impact on Malicious Actors

In the past, threat actors have abused the undocumented Google OAuth "MultiLogin" API endpoint to generate new authentication cookies after stolen ones expired. The Lumma and Rhadamanthys information-stealing malware operations have also claimed that they could restore expired Google authentication cookies stolen in attacks to gain access to infected users' Google accounts.

However, the new Chrome Device Bound Session Credentials (DBSC) security feature should effectively block malicious actors from abusing such stolen cookies, as they will not have access to the cryptographic keys required to use them. This feature is now rolling out to all Google Workspace customers, Workspace Individual subscribers, and users with personal Google accounts.

Conclusion

The introduction of Chrome Device Bound Session Credentials is a significant step forward in preventing account takeovers and protecting user accounts. By cryptographically binding session cookies to a specific device, DBSC makes it much more difficult for hackers to use stolen cookies to bypass MFA and hijack users' accounts.

As Google continues to roll out this feature to all users, it is likely to have a significant impact on the security of user accounts and on the ability of malicious actors to exploit stolen session cookies. With DBSC, Google is proactively preventing session theft rather than detecting it after the fact, providing an additional layer of security for users.


Source: BleepingComputer
