Google Chrome Tests New Feature To Stop Session Hijacking
Google Chrome Tests New Feature To Stop Session Hijacking
Some of you certainly remember that time when Linus Tech Tips of all channels on YouTube was hijacked out of nowhere, and it ended up being a big lesson for the organization (and everyone watching) about the threats of what is referred to as “session hijacking” or “cookie hijacking”.
In the age where strong passwords are often required, and 2FA is a common feature for most online services – session hijacking is a ridiculously simple mechanism that has caused many YouTube creators to lose access to their accounts, which will then be converted into an impersonated version of SpaceX, Tesla, crypto, or anything that relates to Elon Musk (for some reason).
It only takes one user in the organization to fall for a social engineering attempt – often involving downloading a strange “PDF” file that is, in reality, malware. The said malware will grab a copy of your PC’s browser cookies, which contain “session tokens” (think of it as virtual keycards), and allow the perpetrator to access the victim’s account without needing to know the user ID or the password. (You can read the explainer of how this works here.)
To solve this threat, Google is introducing a feature called Device Bound Session Credentials (DBSC), which essentially applies a form of encryption to the session token so that it only works on the original system that it was logged into. “By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value,” the company wrote in the blog post.
The company intends to make it an “open web standard”, which should greatly help in enhancing account security across the web. Right now, not all systems have the required hardware to support DBSC. The TPM chip found in all Windows 11 machines today is part of that requirement, and as PCMag points out, both Mac and Linux machines lack the chip by default. Google responded to the outlet, stating: “We’re aiming to bring the (DBSC) API to additional platforms, and will share an update when we have more details.”
Pokdepinion: This should be a big step in eradicating account hijack incidents commonly seen on YouTube.
