Google Chrome adds session cookie theft protection for all users
Google Chrome has introduced the Device Bound Session Credentials (DBSC) security feature, now generally available and rolling out to all users. DBSC cryptographically binds session cookies to a specific device using a hardware-backed key store such as the TPM on Windows or the Secure Enclave on macOS. This prevents attackers from using stolen session cookies to bypass multi-factor authentication and hijack accounts. The feature is enabled by default for Google Workspace customers and cannot be disabled by administrators. DBSC aims to proactively prevent the exploitation of stolen session cookies rather than relying on reactive detection. It addresses earlier attack methods in which stolen or expired cookies were reused to gain unauthorized access. The rollout includes personal Google accounts and Workspace Individual subscribers. No known exploits are reported in the wild at this time.
AI Analysis
Technical Summary
The Chrome Device Bound Session Credentials (DBSC) feature cryptographically links a user's session cookies to the hardware-backed key store of the device on which the user authenticated, such as a TPM or Secure Enclave. Because the private key never leaves that hardware, a stolen cookie cannot be used from another machine: the attacker lacks the device's cryptographic key and so cannot complete the binding check, which defeats account takeovers based on session cookie theft. DBSC shifts the security model from reactive detection to proactive prevention; it is enabled by default for all Google Workspace customers and is rolling out to all users. The feature mitigates abuse of stolen or expired Google authentication cookies that malware and threat actors have previously exploited. It is designed to strengthen account security after login and to reduce the risk posed by malware present on user devices.
Potential Impact
The impact of DBSC is a reduction in the risk of account takeovers via stolen session cookies, which have historically been abused to bypass multi-factor authentication and hijack user accounts. By cryptographically binding session cookies to a device's hardware-backed key store, DBSC prevents attackers from reusing stolen cookies on other devices. This mitigates threats from malware and information-stealing operations that restore or reuse expired authentication cookies. No known exploits are currently reported in the wild; this is consistent with the feature being effective against this attack vector, though the absence of reports is not in itself proof of effectiveness.
Mitigation Recommendations
DBSC is enabled by default for all Google Workspace customers and is rolling out to personal Google accounts and Workspace Individual subscribers. Administrators cannot disable this feature. Users and organizations should ensure they are running an up-to-date version of Google Chrome to benefit from this protection. No additional user action is required to enable DBSC. Because the binding key never leaves the device, DBSC protects against cookies exfiltrated to another machine; malware still running on the authenticated device remains a risk, which is why Google recommends continuing to remove malware from devices and using Chrome's Enhanced Safe Browsing mode for broader phishing and malware protection. Patch status is not applicable, as this is a new security feature rollout rather than a vulnerability patch.
Technical Details
Article Source: https://www.bleepingcomputer.com/news/security/google-chrome-adds-session-cookie-theft-protection-for-all-users/ (fetched 2026-05-29T12:18:34.714Z, 706 words)
Threat ID: 6a19841ae29bf47b50e2f182
Added to database: 5/29/2026, 12:18:34 PM
Last enriched: 5/29/2026, 12:18:42 PM
Last updated: 5/29/2026, 6:15:03 PM