We need browser profile primary password logins to help prevent session hijacking

https://bit.ly/3K2fBeH

Seeing what happened this week to the Linus Tech Tips YouTube channel made me realise how well we have secured in-transit data, password managers, etc. (LastPass was also hacked via an end-user session), but we appear to have left the session data wide open on our local machines.

I see that Firefox and Edge have profile logins, but mainly to protect the login passwords. Most Chromium-based browsers do have profiles, but do not even appear to have any form of login attached to them.

Surely it is not just the logins that can be protected, and we could have first-party and session cookie access also protected behind a profile password? Whenever you start up your browser the first time, you are prompted for the profile primary password to unlock access to passwords, extension data, and cookies? In this way, if some bad (or good) actor stole your session data (the session data would be in use and unlocked), they’d still be prompted for a password before being able to actually use it on a freshly started browser elsewhere?

Maybe this is not the best way to do it, but clearly some improvement is needed to protect against this form of data hijacking.
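A sketch of the idea above, added here as an illustration and not taken from any browser's code: the cookie jar on disk is sealed with a key derived from the profile primary password, so a copied store cannot be opened elsewhere without it. The function names, the file layout and the sample cookie are assumptions made for this example.

```javascript
// Added illustration (Node.js): seal a cookie jar under a key derived from a
// profile primary password. All names and sample values are constructed.
const crypto = require('node:crypto');

// Derive a 256-bit key from the primary password with scrypt (memory-hard).
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Encrypt the jar with AES-256-GCM; the result is what would sit on disk.
function sealCookieJar(cookies, password) {
  const salt = crypto.randomBytes(16); // per-profile salt for the KDF
  const iv = crypto.randomBytes(12);   // fresh nonce for every write
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const data = Buffer.concat([cipher.update(JSON.stringify(cookies), 'utf8'), cipher.final()]);
  return {
    v: 1,
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    data: data.toString('base64'),
  };
}

// Returns the cookies, or null when the password is wrong or the file was altered.
function openCookieJar(sealed, password) {
  try {
    const key = deriveKey(password, Buffer.from(sealed.salt, 'base64'));
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(sealed.iv, 'base64'));
    decipher.setAuthTag(Buffer.from(sealed.tag, 'base64'));
    const plain = Buffer.concat([decipher.update(Buffer.from(sealed.data, 'base64')), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null; // GCM tag check failed: store stays locked
  }
}

// Constructed sample jar: one session cookie for a made-up host.
const sampleJar = [{ host: 'video.example', name: 'SID', value: 'constructed-session-token' }];
const onDisk = sealCookieJar(sampleJar, 'constructed primary password');
console.log(openCookieJar(onDisk, 'constructed primary password')); // the original jar
console.log(openCookieJar(onDisk, 'wrong guess'));                  // null
```

This covers the case where the stored file is copied to another machine; cookies that a running browser has already unlocked are held in plaintext in its memory.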



source https://gadgeteer.co.za/we-need-browser-profile-primary-password-logins-to-help-prevent-session-hijacking/
