Google is working on a new security feature for Chrome called Device Bound Session Credentials (DBSC), meant to prevent attackers from using stolen session cookies to gain access user accounts. Session (i.e., authentication) cookies are stored by browsers when a user logs into web resources. Getting ahold of them allows attackers to mount “pass-the-cookie” attacks by injecting stolen access tokens into new web sessions and thus “impersonating” the original user without having to authenticate themselves. … More
The post How Google plans to make stolen session cookies worthless for attackers appeared first on Help Net Security.