- Google adds device-bound session credentials to Chrome
- DBSC links session cookies to hardware keys, blocking theft
- Feature available on Windows, macOS release coming soon
Google has released a new Chrome browser feature that should make the theft of session cookies for use in data-stealing malware attacks a thing of the past.
Chrome 146 for Windows has introduced a new security feature called Device-Bound Session Credentials (DBSC), which works by cryptographically binding authentication sessions to the physical device used for authentication.
It does this by using hardware-backed security modules (such as the Trusted Platform Module on Windows) to generate a unique public/private key pair that cannot be exported from the machine.
Why are cookies important?
“Issuing new short-lived session cookies depends on Chrome proving possession of the private key corresponding to the server,” Google explained in its announcement. “Because attackers cannot steal this key, exfiltrated cookies quickly expire and become useless to those attackers.”
Google says the new feature will allow websites to upgrade to secure sessions by adding dedicated registration and refresh endpoints to their backend, while maintaining compatibility with the existing front-end.
Chrome will handle cryptography and cookie rotation, while the web app will continue to use standard cookies for login, as before. Right now, the search engine giant has only released an update for Windows, with the macOS variant set to launch in the coming weeks.
Google said a first version of this protocol was implemented in 2025, and noted that for DBSC-protected sessions, it saw a “significant reduction” in session theft.
Since multi-factor authentication (MFA) became the industry standard, browser session cookies have become extremely valuable. Because these cookies are generated after authentication, a cybercriminal who steals one can effectively bypass this important authentication step and gain access to the target account.
Hackers often steal these cookies by using data-stealing malware, tricking their targets into downloading Lumma, Vidar, StealC, AMOS, or any other variant capable of capturing not only session cookies, but also stored passwords, cryptocurrency wallet data, clipboard contents, and more.




