Google Chrome rolls out Device Bound Session Credentials to all users to prevent cookie theft
Google is making Device Bound Session Credentials (DBSC) generally available in Chrome to cryptographically bind authentication sessions to devices, thwarting cookie theft by infostealer malware and phishing kits.

Google has announced that the Device Bound Session Credentials (DBSC) security feature is now generally available and rolling out to all Chrome users. DBSC cryptographically binds authentication sessions to the device, rendering stolen cookies unusable on other machines. This addresses a key attack vector used by infostealer malware and adversary-in-the-middle (AitM) phishing kits to compromise online accounts.
The feature was first tested in Chrome 135 and has now been enabled by default for all users. DBSC works by generating a cryptographic key pair on the device and binding the session to that key. When a user logs into a website, the browser creates a device-bound credential that is tied to the device's hardware. If an attacker steals the session cookie, it cannot be used on another device because the cryptographic proof of possession fails.
This protection is particularly important against infostealer malware, which has become a major threat in recent years. These malware strains often steal cookies from browsers to hijack authenticated sessions, bypassing multi-factor authentication. DBSC makes such stolen cookies useless, as they lack the device-bound cryptographic signature.
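A simplified model of the mechanism described above, as an added example that is not Chrome's or Google's code and does not reproduce the DBSC wire protocol: the server stores the device's public key at login and accepts a session refresh only with a signature over a fresh challenge. The names makeDevice, Server and demo are hypothetical, and the private key is held in memory here rather than in device hardware.

```javascript
// Simplified model of a device-bound session (added example, not the DBSC wire protocol).
const { generateKeyPairSync, sign, verify, randomBytes } = require("node:crypto");

// Hypothetical device: the private key never leaves this closure.
function makeDevice() {
  const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    publicKey,
    // Proof of possession: sign the server's challenge with the device key.
    prove: (challenge) => sign("sha256", Buffer.from(challenge), privateKey),
  };
}

class Server {
  constructor() { this.sessions = new Map(); }

  // At login the server records the device's public key next to the session.
  login(device) {
    const cookie = randomBytes(16).toString("hex");
    this.sessions.set(cookie, { publicKey: device.publicKey, challenge: null });
    return cookie;
  }

  // Fresh single-use challenge, so a captured signature cannot be replayed.
  challenge(cookie) {
    const s = this.sessions.get(cookie);
    if (!s) return null;
    s.challenge = randomBytes(32).toString("hex");
    return s.challenge;
  }

  // The cookie alone is not enough: the signature must verify against the
  // public key registered at login.
  refresh(cookie, signature) {
    const s = this.sessions.get(cookie);
    if (!s || !s.challenge) return false;
    const ok = verify("sha256", Buffer.from(s.challenge), s.publicKey, signature);
    s.challenge = null; // consume the challenge whether or not it verified
    return ok;
  }
}

// Constructed scenario: the same cookie presented by two different devices.
function demo() {
  const server = new Server();
  const victim = makeDevice();
  const other = makeDevice(); // holds the copied cookie but not the victim's key
  const cookie = server.login(victim);
  const legit = server.refresh(cookie, victim.prove(server.challenge(cookie)));
  const stolen = server.refresh(cookie, other.prove(server.challenge(cookie)));
  return { legit, stolen };
}
```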
Google has been working with industry partners to develop the DBSC standard, which is part of a broader effort to improve web authentication security. The feature is supported by major websites and identity providers, including Google itself. Users do not need to take any action to enable DBSC; it is automatically active in the latest Chrome versions.
The rollout comes amid a surge in cookie theft attacks, with threat actors increasingly targeting session tokens to bypass security measures. By binding sessions to devices, DBSC provides a strong defense against this attack vector, even if the user's device is infected with malware.
Security experts have welcomed the move, noting that cookie theft has been a persistent problem that traditional security measures have failed to address. DBSC represents a significant step forward in protecting user accounts from takeover, especially for high-value targets such as corporate accounts and cloud services.
Google plans to continue refining DBSC and encourage broader adoption across the web ecosystem. The company also advises users to keep their browsers updated and use strong, unique passwords alongside multi-factor authentication for additional security.