Seeing what happened this week to the Linus Tech Tips YouTube channel made me realise how well we have secured in transit data, password managers, etc (LastPass was also hacked via an end user session) but we appear to have the session data left wide open on our local machines.
I see that Firefox and Edge have profile logins, but mainly to protect the login passwords. Most Chromium based browsers do have profiles, but do not even appear to have any form of login attached to them. Once you’ve logged into your computer, it has decrypted and unlocked everything on your drives (so they can be copied).
Surely not just the logins can be protected, and we could have 1st party and session cookie access also protected behind a profile password? Whenever you start up your browser the first time, you are prompted for the profile primary password to unlock access to passwords, extension data, and cookies? In this way, if some bad (or good) actor stole your session data (the session data would be in use and unlocked), they’d still be prompted for a password before being able to actually use it on a freshly started browser elsewhere?
Maybe this is not the best way to do it, but clearly some improvement is needed to protect against this form of data hijacking.
My interim plan has been to delete all saved passwords in my browsers, and I’ve set my Bitwarden password manager to request a password every time the browser is opened. This means if anyone does copy the browser session data, the moment they open my browser session on their computer, it will require a password to unlock my passwords in Bitwarden.