- Google adds Device Bound Session Credentials to Chrome
- DBSC associates session cookies with hardware keys, blocking theft
- Feature live on Windows, macOS rollout coming soon
Google has rolled out a new Chrome browser feature that should make the theft of session cookies by infostealer malware a thing of the past.
Chrome 146 for Windows introduced a new security feature called Device Bound Session Credentials (DBSC), which works by cryptographically binding authentication sessions to the physical device used for authentication.
It does this by using hardware security modules (such as the Trusted Platform Module in Windows) to generate a unique public/private key pair that cannot be exported from the machine.
Why are cookies important?
“The issuance of new short-lived session cookies depends on Chrome proving possession of the corresponding private key of the server,” Google explained in its announcement. “As attackers cannot steal this key, any exfiltrated cookies expire quickly and become useless to these attackers.”
Google says the new feature will allow websites to move to secure sessions by adding dedicated save and refresh endpoints to their backend, while maintaining compatibility with the existing front end.
Chrome will handle the cryptography and cookie rotation, while the web app will continue to use standard cookies for access as before. Currently, the search engine giant has released the update only for Windows, with the macOS version rolling out in the coming weeks.
A first version of this protocol was deployed in 2025, Google said, noting that for sessions protected by DBSC, it had observed a “significant reduction” in session theft.
Since multi-factor authentication (MFA) became the industry standard, browser session cookies have become extremely valuable. Because these cookies are generated after authentication, cybercriminals who obtain them can effectively bypass this important authentication step and gain access to target accounts.
Hackers typically steal these cookies using information-stealing malware, tricking their targets into downloading Lumma, Vidar, StealC, AMOS, or another variant capable of stealing not only session cookies, but also stored passwords, cryptocurrency wallet data, clipboard contents, and more.




