Google has begun rolling out a new security feature called Device Bound Session Credentials in Chrome for Windows, which should reduce the risk of session hijacking and unauthorized access to accounts.
Google has made its latest security offering, Device Bound Session Credentials in Chrome, available to all Windows users. Although this has been in an open beta testing phase for many months, it is now generally available.
At present, DBSC works in Chrome version 146 on Windows. It will at some point have a functional equivalent on macOS as well. According to Google’s comments about the feature and its limitations, the company views it as a way to address one of the biggest issues in modern cybercrime: session stealing.
“This is an important step forward,” stated the Chrome and Google Account Security teams. “Session theft is still a major issue today.”
In general, these attacks occur when attackers take session cookies from the user’s browser and then use them to log into accounts without needing passwords. Session cookies are taken in two main ways: by direct theft from a compromised computer or device while the user is logged in to the account, or by a malicious program that waits until the legitimate user logs back into their account and then takes control.
Many times these types of situations involve information-stealing malware. Some examples include:
Atomic
Lumma
Vidar Stealer
All three collect as much data as possible about the victim, including cookies, browser history and more.
Another factor affects how useful session cookies are to an attacker: they may remain valid for quite some time after they are created. As a result, they can give an attacker continued access to a targeted account even though the attacker never had the account’s password. Once attackers have collected session cookies, they typically package them up and sell them to other cybercriminals, who then try to use the stolen cookies to gain unauthorized access to a variety of systems.
Device Bound Session Credentials changes this model. DBSC cryptographically binds a session cookie to a particular piece of hardware, so wherever the cookie goes after being stolen, it is useless without access to the physical device it was originally bound to.
Hardware-based security components are utilized for this capability. Examples include:
TPM (Trusted Platform Module) in Windows
Secure Enclave in macOS
Both of these components generate a unique key pair that cannot be removed from the physical hardware device.
“Each new short-term session cookie is issued based upon whether Chrome determines possession of the corresponding private key,” states Google.
Because attackers cannot obtain the private key, a stolen session cookie will eventually stop working however they try to use it. If a device does not support secure key storage, however, Chrome simply behaves as before and does nothing to disrupt the normal login flow.
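The refresh check described above, as an added example that is not Chrome's or Google's code: a simplified Node.js model in which a short-lived cookie is renewed only after a fresh challenge is signed by the key registered for the session. `SessionServer`, `COOKIE_TTL_MS` and the other names are hypothetical, the challenge-response exchange is this example's way of modelling proof of possession, and a software P-256 key stands in for the TPM-held key.

```javascript
// Simplified model of device-bound session refresh; not the DBSC wire format.
const crypto = require('crypto');
const COOKIE_TTL_MS = 5 * 60 * 1000; // assumed short cookie lifetime
const digest = (v) => crypto.createHash('sha256').update(v).digest();
// Stand-in for a TPM / Secure Enclave key: a software P-256 key pair.
const newDeviceKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

class SessionServer {
  constructor() { this.sessions = new Map(); }
  // Session start: the server stores only the device's public key.
  register(publicKey, now) {
    const id = crypto.randomBytes(8).toString('hex');
    this.sessions.set(id, { publicKey, challenge: null });
    return { id, cookie: this.issue(id, now) };
  }
  issue(id, now) {
    const s = this.sessions.get(id);
    s.expires = now + COOKIE_TTL_MS;
    return (s.cookie = crypto.randomBytes(16).toString('hex'));
  }
  cookieValid(id, cookie, now) {
    const s = this.sessions.get(id);
    return Boolean(s) && now < s.expires && crypto.timingSafeEqual(digest(cookie), digest(s.cookie));
  }
  // Fresh single-use challenge per refresh, so an old signature cannot be replayed.
  challenge(id) { return (this.sessions.get(id).challenge = crypto.randomBytes(32)); }
  // A new cookie is issued only if the challenge was signed by the bound key.
  refresh(id, signature, now) {
    const s = this.sessions.get(id);
    if (!s || !s.challenge) return null;
    const ok = crypto.verify('sha256', s.challenge, s.publicKey, signature);
    s.challenge = null;
    return ok ? this.issue(id, now) : null;
  }
}

// Constructed scenario: the cookie is copied off the device, the private key is not.
function runDemo() {
  const server = new SessionServer(), device = newDeviceKey(), thief = newDeviceKey();
  const { id, cookie } = server.register(device.publicKey, 0);
  const later = COOKIE_TTL_MS + 1; // just past cookie expiry
  const sign = (key) => crypto.sign('sha256', server.challenge(id), key.privateKey);
  return {
    stolenCookieBeforeExpiry: server.cookieValid(id, cookie, 1000),
    stolenCookieAfterExpiry: server.cookieValid(id, cookie, later),
    thiefRefresh: server.refresh(id, sign(thief), later),
    deviceRefresh: server.refresh(id, sign(device), later),
  };
}
```

In this model the copied cookie is accepted until it expires, which is why the cookie lifetime is the window a defender is choosing when setting it.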
Google also notes that it is starting to see the positive effects of DBSC: it has seen a reduction in session-hijacking attempts since DBSC began to be implemented.
Google also says it plans to extend DBSC support to additional devices and to add features for corporate use, and that DBSC creates no new privacy risks. Sites using DBSC cannot identify you across multiple sessions or services, because the protocol sends no device identifiers or other identifying data apart from the public key needed for authentication.
“The protocol does not transmits [sic] device identifiers or other identifying data except for the public key required for verification,” says Google.
Thus, DBSC protects sessions without providing any mechanism for cross-session tracking or digital fingerprinting of your device, and it makes it more difficult for attackers to hijack cookies successfully. This is one of the first real-world implementations that complicates the work of infostealers.