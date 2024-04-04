



If you're one of Chrome's more than 1 billion desktop users, malicious threats to your personal data and login credentials exist, and they're only getting worse. Google has plans to fix this issue, but until then you're warned to be aware of the risks…

New Chrome update masks major warning for Windows users

Cookies get a bad rap. These devilish little tracking files on your PC have a nasty habit of tracking you around the internet and reporting your activities. Google's long-delayed killing of these third-party trackers is currently underway and has been a long time coming.

However, these tracking cookies include useful first-party cookies that recognize your device as yours and provide an authorized shortcut to log you back into your account or website. Otherwise, you'll spend all day logging in.

All very good, unless of course it's stolen.

Google has warned that many users across the web are falling victim to cookie-stealing malware, giving attackers access to their web accounts. Malware-as-a-Service (MaaS) operators frequently use social engineering to spread their cookie-stealing malware.

Google's warning comes as part of a proposed update to its Chrome desktop browser to address the issue, and while cookies are fundamental to the modern web, their powerful utility has made them useful to attackers. He admits that he is also a lucrative target.

This is primarily a desktop challenge, and Google's sensible answer is to bind such cookies to the user's device, rendering them useless if stolen unless the original device itself is accessible . We were prototyping a new web feature called Device Bound Session Credentials (DBSC) that would help keep users more secure against cookie theft… DBSC is the ability to bind an authenticated session to a device. It aims to disrupt the cookie theft industry by ensuring that these cookies are no longer leaked and have any value.

Set aside Google's new beta update for now and take it as a warning to be aware of the risks and keep them in mind, especially when logging into financial sites or the enterprise systems of the company you work for. please.

In a 2023 report, SpyCloud announced that it had reacquired 1.87 billion malware cookie records…which allows cybercriminals to impersonate legitimate users to infiltrate organizations and access active web It gives you access to your session and allows you to effectively bypass security best practices such as multi-factor authentication (MFA).

Eventually, a Google update may be the answer, but until then, cookie theft continues to rise, so desktop users in particular should be wary of the range of sites that circumvent any form of new identity protection. need to do it.

While this type of attack is not new, the value of pre-saved logins is now amplified as password management and multi-factor authentication have become much more secure, making cold logins much more secure. Google explains that such cookie theft occurs after login, bypassing two-factor authentication and other reputation checks at login… Chrome and other browsers have the same level of access as the browser itself. cannot protect your browser from malware that has the right to do so.

This is still in the phase, and early play will require users to go inside Chrome and change some settings. For others, this will unfold over time. This significantly reduces the success rate of cookie-stealing malware, he said. Attackers are forced to act locally on the device, making on-device detection and cleanup more effective.

Naturally, Google wants to build on privacy this time around, but the ink is still not dry on the painstaking settlement to Incognito mode, which in some ways was anything but. In a third-party context, DBSC has the same availability and/or segmentation as third-party cookies, as set by user preferences and other factors. This is to ensure that DBSC does not become a new tracking vector after third-party cookies are phased out, while ensuring that such cookies are fully protected in the meantime. If a user opts out of her cookies, third-party cookies, or her cookies for a particular site completely, her DBSC will be disabled in these scenarios as well.

This new approach is novel and appears to circumvent some advanced cookie stealing approaches, such as replacing or resetting expired cookies. It also aligns with the Trusted Devices best practices approach that is currently driving significant enhancements across the Android and iOS mobile ecosystems.

Google isn't alone in tackling this problem. Bleeping Computer reported in February about PayPal's plans in the same space, which are also in development.

Google's approach to bringing user-friendly identity assurance behind the scenes to Windows is very welcome. It will also further fragment the future of cookies from their disgusting past. Meanwhile, the death of those pesky tracking cookies won't come soon enough…

