Chrome Device Bound Session Credentials — Cookie Theft Prevention Goes GA
Google Chrome's Device Bound Session Credentials (DBSC) are now generally available, cryptographically binding session cookies to device hardware to prevent infostealer-based account takeovers.
Summary
Google has announced general availability of Chrome Device Bound Session Credentials (DBSC), a security feature that fundamentally changes how session cookies are protected. First announced in 2024 and available in beta since April 2026, DBSC cryptographically binds user sessions to specific device hardware — the Trusted Platform Module (TPM) on Windows and the Secure Enclave on macOS.
The feature works by generating unique public/private key pairs inside the device’s security chip. When a user authenticates to a supporting website, the session is bound to these hardware-generated keys. Even if an infostealer like Lumma or Rhadamanthys succeeds in exfiltrating the session cookie, the attacker cannot replay it from a different device because the cryptographic key material never leaves the security chip.
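The binding described above, as a simplified model added here for illustration (this is not Google's code and not the DBSC protocol's actual message format): the Device type stands in for the TPM / Secure Enclave and only ever signs, Login binds a session cookie to the device's public key, and Refresh honours the cookie only with a signature over a fresh server challenge, so a copied cookie fails the check from any other device. The type and function names and the challenge/response shape are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Device stands in for the TPM / Secure Enclave: the key pair is generated
// inside it and the private half never leaves; callers can only ask it to sign.
type Device struct{ key *ecdsa.PrivateKey }
func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Device{key: k}, err
}
func (d *Device) Public() *ecdsa.PublicKey { return &d.key.PublicKey }
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.key, h[:])
}
// Server side (assumed model): the public key each session cookie was bound to at login.
var sessions = map[string]*ecdsa.PublicKey{}
func fresh(n int) []byte {
	b := make([]byte, n)
	rand.Read(b)
	return b
}
func Login(pub *ecdsa.PublicKey) string {
	cookie := fmt.Sprintf("%x", fresh(16))
	sessions[cookie] = pub
	return cookie
}
func Challenge() []byte { return fresh(32) } // new nonce per refresh: no signature replay
func Refresh(cookie string, challenge, sig []byte) error {
	pub, ok := sessions[cookie]
	if !ok {
		return fmt.Errorf("unknown session")
	}
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("binding check failed: cookie presented without the bound key")
	}
	return nil
}

func main() {
	dev, _ := NewDevice()
	cookie, ch := Login(dev.Public()), Challenge()
	sig, _ := dev.Sign(ch)
	fmt.Println(Refresh(cookie, ch, sig)) // <nil>: the bound device passes
}
```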
DBSC is rolling out to all Google Workspace customers, Workspace Individual subscribers, and users with personal Google accounts. It will be enabled by default and administrators cannot disable it. This represents Google’s shift from reactive detection — detecting stolen cookie use after the fact — to proactive prevention: making stolen cookies functionally worthless.
The rollout comes after years of infostealer operations specifically targeting Google authentication cookies. Threat actors have abused the undocumented Google OAuth “MultiLogin” API endpoint to regenerate cookies after initial theft, and malware families like Lumma have claimed the ability to restore expired stolen cookies. DBSC addresses the root cause by making the cryptographic binding a prerequisite for session validity.
Why It Matters
Session cookie theft has become one of the most effective bypasses for MFA-protected accounts. Infostealers routinely target browser credential stores, and a stolen cookie lets an attacker access the account without triggering any authentication challenge. DBSC closes this vector at the architectural level — even a fully compromised device cannot yield credentials that are reusable elsewhere, because the cryptographic key never leaves the hardware security module. For analysts responding to infostealer infections, DBSC removes one path to post-infection account takeover.
Defender Takeaways
- Understand that DBSC protects against cookie replay, not against initial cookie theft — infostealers on the same device during an active session are still a threat.
- Review your organization’s Google Workspace tenant to confirm DBSC rollout status; it is enabled by default and cannot be disabled.
- Monitor for new session cookie theft techniques that attempt to bypass hardware binding — attackers will adapt.
- Consider DBSC as a complement to, not a replacement for, device hygiene and EDR — infostealers on an active session can still exfiltrate data before cookies expire.
- Watch for other major platforms to adopt similar hardware-bound session approaches.
Source
Title: Google Chrome adds session cookie theft protection for all users — BleepingComputer
URL: https://www.bleepingcomputer.com/news/security/google-chrome-adds-session-cookie-theft-protection-for-all-users/
Related
- Credential Theft Response — detection and response for T1558.001, T1003.001, T1134 techniques
- Cloud Threats — detection and response for T1525, T1552, T1613 techniques
