By anchoring session integrity to hardware, Google has effectively turned a global hacking commodity into a localized logistical headache. It’s a significant tactical win that raises the cost of attack, even if it doesn't fully solve the problem of a compromised machine.
Deep Dive
Google Just Killed A Major Hacker Strategy
A long-awaited feature, well, long-awaited by me at least, in Google Chrome and other Chromium-based browsers is finally here. It's more of a behind-the-scenes thing. It's called "device-bound session credentials", and if your eyes haven't already glazed over at the technical speak, let me explain what it does and why it's actually pretty cool.
You might remember how, especially several years ago, there was a problem with a lot of YouTube channels getting hijacked, and then they would stream like Tesla giveaways and stuff like that. And a lot of times, this would bypass the two-factor authentication that these YouTube channels would have set up, and this was because they actually installed malware on the computer somehow that then stole the cookies in your browser so that they could transfer it to the hacker, and then they were already logged in with those login cookie sessions. And then they didn't even have to enter any two-factor authentication or password or anything. It was like they transferred that logged-in state to another computer.
But now with device-bound session credentials, those cookies are encrypted and signed using the cryptographic key that's stored in your physical TPM module on your computer, and that key does not ever leave the actual module. So basically, it's a lot of technical stuff, I'm not going to get into it, but effectively, it means that when the website makes a request to you in the browser, it says, "Okay, I'll do it as long as you can prove that you're actually at the computer that you were when you initially contacted me and set up this cookie." Or in other words, even if someone were to steal all the cookies from your browser and put it on another computer, they would become useless, and so this should do away with that specific type of hijacking of accounts called "pass the cookie" or "session hijacking". Now of course, there are other things that hackers can do, and I'll get to that in a second.
But I will point out that there was previously a sort of bridge technology related to this that already has existed called "app-bound session credentials", and this made it a little bit more difficult for the hackers to steal the credentials. It basically made it so cookies and stuff were encrypted with a key that was managed by the operating system, or in other words, you couldn't steal the cookies unless that malware was able to trick the user into running it as an admin, which is harder than just running it as a user. So it made it harder to steal, but they still were able to figure out ways to trick the users. But with this, even if the user is tricked or whatever, then because that hacker, even if they transfer everything over, they're not going to have that physical thing to actually sign it and take advantage of those cookies.
Now I will point out there's a couple caveats. So the first thing is, this is not on every single website, the website has to set this up. However, most of the big websites are probably going to implement it sooner than other sites. So Google has it set up already. I'll show you how to check that it's working on Google in a second. And obviously with YouTube accounts and Google accounts and stuff, that's a very important one to protect. So it's good that that's already set up. And also the other thing is your computer has to have a TPM module in it. Now this is one of the requirements for Windows 11. People got up in arms about it, but if you're running Windows 11, you're going to have this, or even if you're on Windows 10, if you have a TPM module, you can do it. And this feature actually rolled out into Google Chrome version 146, which is a couple versions ago. So you probably already even have this. And this is with any Chromium-based browsers, by the way. So also Edge, Vivaldi, Brave, anything else.
And the way that I figured out, you can actually check whether or not this is working on Google, for example, where we know that they use it, is if you go into the Chrome dev tools, you can get to that by pressing F12. If you go to the Network tab and then you just refresh the page, you can filter for either the "app" or "account" endpoints that seems to show it. When you click on that request in the tabs on the right at the top, you should see one called "device bound [sessions]". And that means that that site is indeed using device-bound session credentials. If you don't see it show up for the app or accounts endpoint, you might have to log out and log back into your Google account. I found that if you, for example, logged in before this feature was added, then it's going to be using the old style of cookie. But if you log back in now, it should do it. There's also a test demo server page that I found from the old documentation about it that still seems to work. And that shows the same thing. You click submit or whatever, you don't even have to log in, it just adds one of these credentials and then you can see it show up afterwards.
Now, like I touched on, even though this solves a major issue with credential stealing, it's not a complete magic silver bullet or anything, because there are some things that hackers can still do. For example, if they get the malware on your computer and run it, they might change their strategy from stealer-type programs, gathering everything and then sending it off and deleting itself. They might have it persist and stick around and then they'll have persistent control. And that way, if they're still on that computer, the malware is still running and starts up hidden and stuff like that. Well, they can just send the commands right from your own computer because it's still running and still on there. So that's one thing they might try.
Or depending on their goal, the malware could just do everything that it wants to do while it is there and that might involve initiating the live stream, for example, on your YouTube account and it still does it locally from your computer and then does all the commands there and then deletes itself after it has it all set up. Now, of course, that means that they won't be able to keep you out, for example, for too long if it's a one-and-done thing. Though like I said, they might have the malware purposefully stick around and hide. But in either of those cases, at least the good news is that simply turning off the computer or disconnecting the internet would ensure that those hackers would no longer be able to control your account or at least using that session, though it's still important to have two-factor authentication and stuff, because like I said, if they steal your login and you don't have that, well, they'll just use the password. And it's possible if they add other two-factor authentication or recovery methods while they do have access on your computer, then they could use that remotely to make their own new session over there. Though I do believe that Google now requires more checks and stuff to add things like that. So hopefully they shouldn't be able to do that. But at least still, this is one less thing that hackers can do. But you still got to be diligent. Of course, if they install malware on your computer, they can still steal a whole bunch of stuff that you don't want them to have, but it's still better than nothing.
So I'd be curious if you guys think about this, do you remember those days when all sorts of accounts were getting hacked, like Linus Tech Tips even? It was that same type of attack. And hopefully that should be a thing of the past, at least in this specific type. So we could talk about that all down in the comments. If you want to keep watching, here's my previous video where I talked about when the feature was still in beta.
I went a little bit more in technical detail there. So you can click on that if you want.
And of course, if you enjoy the video, if you give it a thumbs up, that helps out in this day and age with the algorithm, especially. So thanks so much for watching and I'll see you in that next video.
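The proof-of-possession idea described in the transcript above, as an added example that is not code from the video, Chrome or Google: a simplified model in which a software key pair stands in for the TPM-held key. It is not the DBSC wire format, and `makeDevice`, `Server` and `demo` are hypothetical names.

```javascript
// Added example: simplified model of a device-bound session; all names are hypothetical.
const { generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');

// Constructed stand-in for a TPM: the private key lives only in this closure,
// so callers can request signatures but can never copy the key out.
function makeDevice() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { publicKey, signChallenge: (c) => sign('sha256', c, privateKey) };
}

class Server {
  constructor() { this.sessions = new Map(); }
  // At login, store the device's public key next to the session cookie.
  register(publicKey) {
    const cookie = randomBytes(16).toString('hex');
    this.sessions.set(cookie, { publicKey, challenge: null });
    return cookie;
  }
  // Hand out a fresh random challenge for the session.
  challenge(cookie) {
    const s = this.sessions.get(cookie);
    if (!s) return null;
    s.challenge = randomBytes(32);
    return s.challenge;
  }
  // Honour the cookie only with a valid signature over the open challenge.
  authorize(cookie, signature) {
    const s = this.sessions.get(cookie);
    if (!s || !s.challenge) return false;
    const open = s.challenge;
    s.challenge = null; // single use, so an old signature cannot be replayed
    return verify('sha256', open, s.publicKey, signature);
  }
}

function demo() {
  const server = new Server();
  const owner = makeDevice(); // machine that logged in
  const other = makeDevice(); // different machine holding a copied cookie
  const cookie = server.register(owner.publicKey);
  const firstSig = owner.signChallenge(server.challenge(cookie));
  const legit = server.authorize(cookie, firstSig);
  const copied = server.authorize(cookie, other.signChallenge(server.challenge(cookie)));
  server.challenge(cookie);
  const replayed = server.authorize(cookie, firstSig);
  // Caveat from the transcript: code running on the original machine can still sign.
  const onDevice = server.authorize(cookie, owner.signChallenge(server.challenge(cookie)));
  return { legit, copied, replayed, onDevice };
}
```

Calling `demo()` returns which of the four requests the server accepts: the copied cookie and the replayed signature are rejected, while anything able to ask the original device to sign is still accepted.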











