This development comes at a time when session theft attacks are increasing, allowing hackers to bypass passwords and two-factor authentication by hijacking active login sessions.
An escalating threat
Security reports indicate that attackers use malware known as infostealers to extract session cookies from victims' devices, then replay them to log in to accounts without ever needing a password.
This method has become particularly popular because it bypasses traditional security systems such as two-factor verification.
According to security experts, the danger of these attacks lies in the fact that session cookies are issued only after a successful login, so whoever holds them holds a direct access key to the account, even if the attacker never obtains the original password.
New solution
The new protection introduced by Google relies on a technology known as Device Bound Session Credentials, which cryptographically links the login session to the user’s device itself.
This means that stolen cookies become unusable on other devices.
The technology uses non-exportable cryptographic keys held in secure hardware components of modern devices, making it practically impossible for attackers to reuse the session data outside the original device.
How does it work?
When you sign in to a site, Chrome creates a device-specific key pair whose private key cannot be exported. From then on, new cookies are issued only after the device proves possession of that private key. If someone tries to use stolen cookies on a different device, the refresh is rejected because that device cannot produce a proof tied to the original key. This mechanism renders session-theft attacks ineffective even when the theft of data from the device itself succeeds.
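The flow above, as an added illustration that is not Google's or Chrome's code: a server binds a login session to a device public key at sign-in, then issues a single-use nonce that the device must sign with its private key before a new short-lived cookie is handed out. An in-memory ECDSA key stands in for the non-exportable hardware key (an assumption), and the session/cookie values are constructed random tokens. A second device that has copied the session identifier and cookie but has no access to the bound key fails the refresh, and its stolen cookie goes stale as soon as the legitimate device rotates it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models a client whose signing key is generated in secure hardware and
// never leaves it. The in-memory ECDSA key is an assumption standing in for a
// non-exportable hardware-backed key.
type Device struct{ priv *ecdsa.PrivateKey }

// NewDevice generates the device-specific key pair created at sign-in.
func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// PublicKey is the only part of the key pair that ever leaves the device.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// SignChallenge proves possession of the private key over a server nonce.
func (d *Device) SignChallenge(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// ErrNotBound is returned when a refresh is attempted without the bound key.
var ErrNotBound = errors.New("signature does not match the key bound to this session")

type session struct {
	pub       *ecdsa.PublicKey
	challenge []byte // outstanding single-use nonce, nil when none is pending
	cookie    string // current short-lived cookie value
}

// Server keeps, per session, the public key registered at login.
type Server struct{ sessions map[string]*session }

func NewServer() *Server { return &Server{sessions: map[string]*session{}} }

// StartSession runs at login: the new session is bound to the device public
// key and an initial short-lived cookie is issued.
func (s *Server) StartSession(pub *ecdsa.PublicKey) (sessionID, cookie string, err error) {
	if sessionID, err = randomToken(); err != nil {
		return "", "", err
	}
	if cookie, err = randomToken(); err != nil {
		return "", "", err
	}
	s.sessions[sessionID] = &session{pub: pub, cookie: cookie}
	return sessionID, cookie, nil
}

// Challenge issues a fresh nonce that must be signed before a cookie is renewed.
func (s *Server) Challenge(sessionID string) ([]byte, error) {
	sess, ok := s.sessions[sessionID]
	if !ok {
		return nil, errors.New("unknown session")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sess.challenge = nonce
	return nonce, nil
}

// Refresh verifies the signed challenge against the bound public key and only
// then rotates the cookie. The nonce is consumed whether or not verification
// succeeds, so a captured signature cannot be replayed later.
func (s *Server) Refresh(sessionID string, sig []byte) (string, error) {
	sess, ok := s.sessions[sessionID]
	if !ok {
		return "", errors.New("unknown session")
	}
	if sess.challenge == nil {
		return "", errors.New("no outstanding challenge")
	}
	digest := sha256.Sum256(sess.challenge)
	sess.challenge = nil
	if !ecdsa.VerifyASN1(sess.pub, digest[:], sig) {
		return "", ErrNotBound
	}
	cookie, err := randomToken()
	if err != nil {
		return "", err
	}
	sess.cookie = cookie
	return cookie, nil
}

// CookieValid reports whether the presented cookie is the session's current one.
func (s *Server) CookieValid(sessionID, cookie string) bool {
	sess, ok := s.sessions[sessionID]
	return ok && sess.cookie == cookie
}

func randomToken() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	srv := NewServer()
	victim, _ := NewDevice()
	sid, cookie, _ := srv.StartSession(victim.PublicKey())

	// Constructed scenario: an infostealer copies sid and cookie, not the key.
	stolen := cookie
	attacker, _ := NewDevice()
	nonce, _ := srv.Challenge(sid)
	badSig, _ := attacker.SignChallenge(nonce)
	_, err := srv.Refresh(sid, badSig)
	fmt.Println("attacker refresh rejected:", errors.Is(err, ErrNotBound))

	// The legitimate device renews, which rotates the stolen value out.
	nonce, _ = srv.Challenge(sid)
	sig, _ := victim.SignChallenge(nonce)
	cookie, _ = srv.Refresh(sid, sig)
	fmt.Println("stolen cookie still current:", srv.CookieValid(sid, stolen))
	fmt.Println("victim cookie current:", srv.CookieValid(sid, cookie))
}
```

The defender-side point is in Refresh: the server never trusts the cookie alone for renewal, and every proof is tied to a fresh nonce, so neither the copied cookie nor a recorded signature is enough once the short-lived value expires.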
Google has begun rolling out this feature in recent versions of Chrome on Windows, with plans to later expand it to other systems.
The company indicates that initial tests showed a decrease in attempts to hijack sessions among protected users.
This development is part of a series of growing efforts by Google to strengthen the security of the Chrome browser, in light of escalating attacks on sensitive data held within browsers, especially as hijacked accounts gain value on digital black markets.
Experts believe that this step represents an important shift in the way digital identity is protected: relying solely on passwords or two-factor verification is no longer sufficient, and binding the session to the device itself has become an essential element of modern protection.