- Google adds Device Bound Session Credentials to Chrome
- DBSC binds session cookies to hardware keys and blocks theft
- Feature live on Windows, macOS rollout coming soon
Google has rolled out a new Chrome browser feature that should make the theft of session cookies for use in infostealer malware attacks a thing of the past.
Chrome 146 for Windows introduced a new security feature called Device Bound Session Credentials (DBSC), which works by cryptographically binding authentication sessions to the physical device used to authenticate.
It does this through hardware-supported security modules (such as the Trusted Platform Module on Windows) to generate a unique public/private key pair that cannot be exported from the machine.
The article continues below
Why are cookies important?
“The issuance of new short-lived session cookies is conditional on Chrome proving possession of the corresponding private key to the server,” Google explained in its announcement. “Because attackers cannot steal this key, any exfiltrated cookies expire quickly and become useless to these attackers.”
Google says the new feature will allow websites to upgrade to secure sessions by adding dedicated registration and update endpoints to their backend while maintaining compatibility with the existing front-end.
Chrome will handle cryptography and cookie rotation, while the web app will continue to use default cookies for access, just like before. Right now, the search engine giant only released an upgrade for Windows, with the macOS variant launching in the coming weeks.
An early version of this protocol was rolled out in 2025, Google said, noting that for sessions protected by DBSC, it observed a “significant reduction” in session theft.
Ever since multi-factor authentication (MFA) became the industry standard, browser session cookies have become extremely valuable. Since these cookies are generated after authentication, cybercriminals can effectively bypass this important authentication step and gain access to target accounts.
Hackers usually steal these cookies by using info-stealing malware, tricking their targets into downloading Lumma, Vidar, StealC, AMOS, or any other variant capable of capturing not only session cookies, but also stored passwords, cryptocurrency wallet data, clipboard contents, and more.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
