Google has officially introduced Device-Bound Session Credentials (DBSC) for Windows users of its Chrome browser, following thorough testing in open beta. This feature aims to combat the persistent threat of session theft, a method where attackers steal session cookies to gain unauthorized access to online accounts. These cookies, often harvested by malware such as Atomic, Lumma, and Vidar Stealer, can be sold to other cybercriminals, enabling further attacks. DBSC seeks to neutralize this risk by cryptographically linking authentication sessions to specific devices. By utilizing hardware-backed security modules like the Trusted Platform Module on Windows, DBSC generates a unique key pair that remains secure within the device. This ensures that even if cookies are stolen, they quickly become unusable, as attackers cannot replicate the key. Google has reported a significant drop in session theft incidents since the introduction of this feature, underscoring its effectiveness. Although currently available only for Windows in Chrome 146, plans are in place to expand DBSC to macOS and other devices. Google, alongside Microsoft, has designed DBSC to be a private-by-design architecture, ensuring that session credentials do not facilitate cross-site tracking or device fingerprinting. This launch marks the beginning of broader integration efforts to enhance enterprise security environments.
Google Enhances Chrome Security with Device-Bound Session Credentials
Device-Bound Session Credentials (DBSC) became generally available for Chrome on Windows to prevent session hijacking. Update Chrome.


