Introduction
You have surely heard of cookies, not the ones you eat but the browser and session cookies. They are like a small local memory for the website on your computer’s web browser; it stores the information, like your preferences, if you were logged in or not, the session and the credentials in a file on your computer so that when you visit the website again, it fetches the file and sets everything as per what was saved in the cookies.
How does a cookie work
Now, you know, if you have logged in, say, to your Google account on your computer, say, in Google Chrome, you don’t have to log in again and again or use the multi-factor authentication to re-login; it just remembers it from the cookie it saved and uses it to log you in automatically. On one hand, it reduces friction and makes your experience as a user really good, but on the other hand, the bad actors like to use it to their own advantage for not-so-good purposes.
They do what is called session stealing and cookie stealing. Here, the hacker will try to steal the session cookies and hijack the session, as once the hacker/sleater has the session cookie, then they can use it on their own machine and access your account and session bypassign the login as well as multi factor authenticaion ( 2 factor authentication, etc.).
It becomes a security and privacy concern on several levels. One of the classic examples of this is hijacking a YouTube channel. The stealer will steal the session cookie of the Google account used to run the YouTube channel and then access the channel and use it for bad purposes, like scamming people, etc.
What did chromium do about it
To prevent this, Chromium is testing what is called device-specific credentials. This makes the credentials tied with the device, specifically the TMP Module on the motherboard, so this is now hardware-level security, and in this case, if the steller manages to steal the cookies, they cannot use it on their machine. It will only work on your machine with the TPM module on the motherboard which holds the keys.
Now, this is much needed and will surely reduce the session stealing and hijacking as well as make it difficult. This new piece of tech is called Device Bound Sessions.
You can read about it more on the Chromium blog here.
You can read more about YouTube channel hijacking here on the Google Blog. It is called cookie theft malware; if you read the blog post there.
As of now, this is in beta on the latest beta versions of Chrome, Edge and Chromium.
Read the Nothing Phone 3a review here.
If you want to enable it in the latest Chromium-based browsers in beta: chrome://flags/ and search for device-bound credentials, although I will not recommend turning it on for now. It might soon become a standard for the web.
You can also read this if you want to know what W3C is planning: Here.
Thanks for reading.
One thought on “Say Goodbye to Hijacking with Chromium’s New Credentials”