Google is working on a new system to protect user accounts. The company will encrypt users’ cookies, and the encryption key will be stored on their devices, PCMag reports.

Stealing a password is not the only way an attacker can gain access to an account. Malware can also steal browser cookies to hijack login sessions. Now, Google is trying to prevent this threat with a new prototype feature for the Chrome browser.

The system is called Device Bound Session Credentials and will use encryption to prevent hackers from obtaining account login credentials through cookie theft. The goal of the project is to make it an open web standard.

Internet cookies are essentially text files that a browser uses to remember settings on a website, including authentication and keeping a login session active. The problem is that cookies can be easily stolen if malware has already compromised the victim’s computer.

“Cookie theft like this happens after login, so it bypasses two-factor authentication and any other login-time reputation checks,” said Google software engineer Kristian Monsen in a blog post. “It’s also difficult to mitigate via antivirus software since the stolen cookies continue to work even after the malware is detected and removed.”

In response to this, Google is working to tie authentication cookies to the user’s computer. To do this, the company wants to encrypt cookies and store the decryption key on the same device.

To protect the encryption keys, Google will store them in the Windows computer's TPM chip, a component designed specifically to store cryptographic keys and confirm the integrity of operating systems. The same chip has also become a requirement to run Windows 11.

A website will be able to validate the authentication cookie by using an API to verify the legitimacy of the encryption key for the login session.
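As an added illustration (not code from Google, Chrome or the DBSC project), the sketch below shows the idea of binding a session to a device key: the session stays usable only while the client can prove it holds the key created at login. It is a simplification that swaps the cookie encryption described above for a signed challenge and uses a software key where Chrome would use the TPM; all function names are hypothetical.

```javascript
// Added example: device-bound session check (hypothetical names, not Chrome's DBSC code).
const crypto = require('node:crypto');

// Server-side store: session id -> { publicKey, challenge }.
const sessions = new Map();

// Login: the device generates a key pair and sends only the public key.
// Assumption: in a real deployment the private key never leaves the TPM.
function registerSession(publicKey) {
  const id = crypto.randomBytes(16).toString('hex'); // plays the role of the cookie
  sessions.set(id, { publicKey, challenge: null });
  return id;
}

// Server: issue a fresh random challenge for this session.
function issueChallenge(id) {
  const s = sessions.get(id);
  if (!s) return null;
  s.challenge = crypto.randomBytes(32);
  return s.challenge;
}

// Device: prove possession of the private key by signing the challenge.
function signChallenge(privateKey, challenge) {
  return crypto.sign('sha256', challenge, privateKey);
}

// Server: accept the session only if the signature matches the registered key.
function verifySession(id, signature) {
  const s = sessions.get(id);
  if (!s || !s.challenge) return false;
  const challenge = s.challenge;
  s.challenge = null; // single use, so an old signature cannot be replayed
  try { return crypto.verify('sha256', challenge, s.publicKey, signature); }
  catch { return false; }
}

function demo() {
  const device = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const id = registerSession(device.publicKey);
  const sig = signChallenge(device.privateKey, issueChallenge(id));
  const legit = verifySession(id, sig);
  // Another machine presents the copied session id but holds a different key.
  const other = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const stolen = verifySession(id, signChallenge(other.privateKey, issueChallenge(id)));
  issueChallenge(id);
  const replay = verifySession(id, sig); // old signature, new challenge
  return { legit, stolen, replay };
}
```

Calling `demo()` returns the outcome for the original device, for a second machine that only has the copied session id, and for a replayed signature.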

The company plans to develop the DBSC system openly on GitHub as a public project. It has already launched a DBSC prototype as an experiment to protect some Google account users who are running the beta version of Chrome.