Google Chrome adds session cookie theft protection for all users
By Sergiu Gatlan
May 29, 2026
08:08 AM
Google says the Chrome Device Bound Session Credentials (DBSC) security feature is now generally available and is rolling out to all users to prevent account takeovers.
Available in beta since April, DBSC was first announced in 2024 as a way to cryptographically bind session cookies to a specific device, preventing hackers from using such stolen cookies to bypass multi-factor authentication (MFA) and hijack users' accounts.
DBSC works by cryptographically linking user sessions to the hardware, such as their computer's security chip (e.g., the Trusted Platform Module (TPM) on Windows and the Secure Enclave on macOS).
Since the unique public/private keys used to encrypt and decrypt sensitive data are generated by the security chip, they cannot be stolen, preventing attackers from using stolen session cookies.
"DBSC fundamentally changes the web's capability to defend against this threat by shifting the paradigm from reactive detection to proactive prevention, ensuring that successfully exfiltrated cookies cannot be used to access users' accounts," Google said in April.
"DBSC strengthens account security after users are logged in and helps bind a session cookie — small files used by websites to remember user information — to the device a user authenticated from. Even if malware was present on the user's device, DBSC reduces the risk of session theft and makes it meaningfully more difficult for malicious actors to exploit stolen session cookies," it added this week.
Figure: How DBSC works (Source: Google)
The feature is now rolling out to all Google Workspace customers, Workspace Individual subscribers, and users with personal Google accounts.
Google added that it will be enabled by default for all Google Workspace customers upon rollout and that administrators cannot disable it.
In the past, threat actors have abused the undocumented Google OAuth "MultiLogin" API endpoint to generate new authentication cookies after stolen ones expired.
The Lumma and Rhadamanthys information-stealing malware operations have also claimed that they could restore expired Google authentication cookies stolen in attacks to gain access to infected users' Google accounts.
At the time, Google advised customers to remove malware from their devices and recommended enabling Chrome's Enhanced Safe Browsing security mode to defend against phishing and malware attacks.
However, the new Chrome Device Bound Session Credentials (DBSC) security feature should effectively block malicious actors from abusing such stolen cookies, as they will not have access to the cryptographic keys required to use them.
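The device binding described above can be modeled as a challenge-response check on the server side. The following is an added example, not code from Google or Chrome: a simplified Node.js model in which `createDevice`, `SessionServer` and `demo` are hypothetical names, the security chip is simulated by a closure, and the challenge flow is an assumption rather than the DBSC wire protocol.

```javascript
// Added illustration: a simplified model of a device-bound session, not Chrome's DBSC code.
const crypto = require("node:crypto");

// Constructed stand-in for the security chip: the private key stays inside this
// closure and is only reachable through sign(), never returned to the caller.
function createDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    publicKeyPem: publicKey.export({ type: "spki", format: "pem" }),
    sign: (challenge) => crypto.sign("sha256", Buffer.from(challenge), privateKey),
  };
}

// Hypothetical server: keeps the public key registered at login next to each session.
class SessionServer {
  constructor() { this.sessions = new Map(); }
  // After a successful login, bind the new session cookie to the device's public key.
  login(publicKeyPem) {
    const cookie = crypto.randomBytes(16).toString("hex");
    this.sessions.set(cookie, { publicKeyPem, challenge: null });
    return cookie;
  }
  // Issue a fresh single-use challenge for the session named by the cookie.
  issueChallenge(cookie) {
    const session = this.sessions.get(cookie);
    if (!session) return null;
    session.challenge = crypto.randomBytes(32).toString("hex");
    return session.challenge;
  }
  // Accept the cookie only with a valid signature over the outstanding challenge.
  verify(cookie, signature) {
    const session = this.sessions.get(cookie);
    if (!session || !session.challenge) return false;
    const challenge = session.challenge;
    session.challenge = null; // single use, so a captured signature cannot be replayed
    return crypto.verify("sha256", Buffer.from(challenge), session.publicKeyPem, signature);
  }
}

// Constructed scenario: the same cookie presented by the bound device and by another machine.
function demo() {
  const server = new SessionServer();
  const device = createDevice();
  const cookie = server.login(device.publicKeyPem);
  const boundDevice = server.verify(cookie, device.sign(server.issueChallenge(cookie)));
  const otherMachine = createDevice(); // holds the copied cookie but a different key
  const copiedCookie = server.verify(cookie, otherMachine.sign(server.issueChallenge(cookie)));
  return { boundDevice, copiedCookie };
}
```

In this model the cookie value alone never authenticates a request, so a server-side log of failed signature checks for an otherwise valid cookie is a useful signal that the cookie has left its device.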