Google Chrome Gets Device-Bound Sessions to Prevent Cookie Theft

Marcus Rodriguez
April 11, 2026

Key Takeaways

  • Google has rolled out Device Bound Session Credentials (DBSC) for Chrome on Windows, with a macOS release planned.
  • DBSC significantly enhances security by linking authentication sessions directly to a user’s physical device hardware, such as a TPM.
  • This new protocol aims to prevent session hijacking and cookie theft, a common method for attackers to compromise accounts.
  • It offers a proactive defense against infostealer malware, making stolen session cookies useless without the associated hardware key.

Google Chrome Fortifies Against Cookie Theft with Hardware-Bound Sessions

Google has initiated the public deployment of Device Bound Session Credentials (DBSC) for Windows users running Chrome 146. This significant security enhancement, announced by the Google Account Security and Chrome teams, is designed to eradicate session hijacking, a pervasive technique employed by threat actors to compromise user accounts.

The DBSC feature is slated for future expansion to macOS, representing a pivotal shift within the industry from reactive threat detection to a proactive, preventative security posture.

Addressing the Persistent Threat of Cookie Exfiltration

Session theft commonly occurs when users inadvertently download information-stealing malware, such as variants from the LummaC2 family. Once established on a system, this malicious software actively searches for existing session cookies stored within the browser’s local files.

Given that authentication cookies frequently maintain validity for extended periods, attackers can leverage stolen cookies to bypass traditional password authentication entirely. Historically, preventing malware from accessing browser memory through software-only solutions proved nearly impossible, compelling security teams to depend on complex detection mechanisms after a breach had already transpired.

An overview of the DBSC protocol showing the interaction between the browser and server (Source: Blogger)

DBSC introduces a fundamental change to web security by inextricably linking an authentication session to a user’s specific physical device. The protocol leverages hardware-backed security modules, such as the Trusted Platform Module (TPM) found in Windows machines or the Secure Enclave present in Apple devices.

When a user logs in, the hardware generates a unique public-private key pair. Critically, the private key can never be exported from the device. Websites that upgrade their backend infrastructure to support DBSC issue short-lived cookies, requiring Chrome to continuously prove possession of the private key to refresh these credentials.

Should an attacker manage to steal the session cookies, these credentials quickly expire and become useless because the attacker lacks access to the victim’s physical hardware key. Web developers can integrate this functionality seamlessly, as the browser manages the intricate cryptographic processes in the background.
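
The server-side logic this implies can be sketched as follows. This is an added example, not code from Google, Chrome or the DBSC specification, and it models the idea rather than the real wire format: the class and function names, the 10-minute cookie lifetime and the in-memory P-256 key standing in for a TPM-held key are all assumptions.

```javascript
// Added example: simplified model of a device-bound session, not the DBSC wire format.
const crypto = require("node:crypto");

const COOKIE_TTL_MS = 10 * 60 * 1000; // assumed lifetime of the short-lived cookie

class SessionServer {
  constructor() {
    this.sessions = new Map(); // sessionId -> { publicKey, challenge }
    this.cookies = new Map();  // cookie value -> { sessionId, expires }
  }
  // At login: bind the session to the device's public key, issue a short-lived cookie.
  register(sessionId, publicKey, now) {
    this.sessions.set(sessionId, { publicKey, challenge: null });
    return this.issueCookie(sessionId, now);
  }
  issueCookie(sessionId, now) {
    const value = crypto.randomBytes(16).toString("hex");
    this.cookies.set(value, { sessionId, expires: now + COOKIE_TTL_MS });
    return value;
  }
  cookieValid(value, now) {
    const c = this.cookies.get(value);
    return c !== undefined && now < c.expires;
  }
  // Fresh, single-use challenge so a captured proof cannot be replayed.
  challenge(sessionId) {
    const nonce = crypto.randomBytes(32);
    this.sessions.get(sessionId).challenge = nonce;
    return nonce;
  }
  // A new cookie is issued only for a valid signature over the outstanding challenge.
  refresh(sessionId, signature, now) {
    const s = this.sessions.get(sessionId);
    if (!s || !s.challenge) return null;
    const nonce = s.challenge;
    s.challenge = null;
    const ok = crypto.verify("sha256", nonce, s.publicKey, signature);
    return ok ? this.issueCookie(sessionId, now) : null;
  }
}

// Stand-in for the device: with DBSC the private key sits in the TPM and cannot be
// exported; here it is an in-memory P-256 key captured in a closure.
function makeDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { publicKey, sign: (data) => crypto.sign("sha256", data, privateKey) };
}
```

A copied cookie stops passing `cookieValid` once its lifetime ends, and `refresh` returns `null` for any signature not made with the registered session key over the current challenge.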

Despite its robust device-binding capabilities, DBSC was engineered with stringent privacy controls. The protocol utilizes a completely distinct key for each individual session. This design ensures that websites cannot exploit the technology to track users across different sites or correlate their browsing activities. Furthermore, DBSC only shares the minimal data necessary to prove possession, preventing its misuse for device fingerprinting.

Google developed DBSC as an open web standard in collaboration with the W3C Web Application Security Working Group, engaging closely with Microsoft and conducting trials on platforms such as Okta. Moving forward, Google intends to expand DBSC’s capabilities to secure federated identity and Single Sign-On (SSO) environments for enterprise clients.

The team is also actively developing advanced registration options to bind sessions to existing hardware security keys and exploring software-based key support to protect devices that lack dedicated physical security hardware.

What You Should Do

  • Ensure your Chrome browser is updated to version 146 or later on Windows to benefit from DBSC.
  • Encourage website administrators and developers to implement DBSC support on their platforms to enhance user security.
  • Continue to practice good cybersecurity hygiene, including using strong, unique passwords and being wary of suspicious links or downloads.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
