Tools · Apr 10, 2026

Google Rolls Out Cookie Theft Protections in Chrome

Google rolls out Device Bound Session Credentials in Chrome 146 to prevent session cookie theft.

Summary

Google has launched Device Bound Session Credentials (DBSC) in Chrome 146 for Windows, with macOS support coming soon. DBSC cryptographically binds authentication sessions to users' devices using hardware-backed security modules, rendering stolen cookies useless even if exfiltrated by malware. The open web standard, co-designed with Microsoft and tested by platforms like Okta, significantly reduces session hijacking risk while preventing cross-site tracking.

Full text

Google has announced the rollout of new session cookie protections in Chrome to prevent account compromise via stolen authentication cookies. The feature, called Device Bound Session Credentials (DBSC), was announced in April 2024 and has become available in Chrome 146 for Windows. macOS users will receive it in a future browser release.

DBSC fights session cookie theft by cryptographically binding authentication sessions to the user's device, rendering stolen cookies useless. These tokens are typically stolen by information-stealing malware and often shared or sold on cybercrime platforms; they can give attackers access to users' accounts without a password.

"Once sophisticated malware has gained access to a machine, it can read the local files and memory where browsers store authentication cookies. As a result, there is no reliable way to prevent cookie exfiltration using software alone on any operating system," Google notes.

DBSC relies on hardware-backed security modules to generate a unique public/private key pair, and Chrome obtains new short-lived session cookies by proving to the server that it possesses the private key.

"Because attackers cannot steal this key, any exfiltrated cookies quickly expire and become useless to those attackers," Google explains.

Websites can adopt the protection through dedicated registration and refresh endpoints; the browser handles the cryptography and cookie rotation, so web apps can continue to use standard cookies for access. According to Google, an early version of the protocol rolled out last year demonstrated a significant reduction in session theft when DBSC was enabled.

Because each browser session is backed by a different key, websites cannot use the keys to track users across sessions or sites. Furthermore, the device does not share identifiers or attestation data with the server, which prevents fingerprinting and cross-site tracking.
According to Google, DBSC was built as an open web standard through the W3C process, and Microsoft helped design it. Okta and other web platforms have tested DBSC, and implementation details have been included in a guide for web developers. Google is also working to secure federated identity by expanding DBSC to support cross-origin bindings, implementing advanced registration capabilities to tie DBSC sessions to pre-existing trusted key material, and potentially adding software-based keys to make the protection available on devices that lack dedicated secure hardware.

Written by Ionut Arghire, international correspondent for SecurityWeek.

Entities

Google (vendor)
Chrome (product)
Microsoft (vendor)
Okta (vendor)
Device Bound Session Credentials (technology)