Google Launches Device Bound Session Credentials in Chrome to Block Cookie Theft
Google said Device Bound Session Credentials (DBSC) is entering public availability for Windows users in Chrome 146, with macOS support planned for a future release. The feature is designed to blunt session hijacking by cryptographically binding a web session to a specific device, using hardware-backed security such as the TPM on Windows and the Secure Enclave on macOS.
Under DBSC, stolen session cookies cannot be reused on another system because Chrome must prove possession of a non-exportable private key before a site issues refreshed short-lived cookies. Google said an early version of the protocol has already produced a significant reduction in session theft, including attacks associated with infostealer malware such as LummaC2, and added that the privacy-preserving standard is being developed through the W3C with input from companies including Microsoft and Okta, with future work focused on federated identity, stronger registration options, and broader device support.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Google announces DBSC public availability for Windows in Chrome 146
Google announced that Device Bound Session Credentials is entering public availability for Windows users in Chrome 146. The feature uses hardware-backed security such as the TPM to cryptographically bind web sessions to a device and is being advanced as an open web standard through the W3C process.
Google rolls out early DBSC deployment and observes reduced session theft
Google said it had already deployed an early version of Device Bound Session Credentials and observed a significant reduction in session theft for protected sessions over the last year. The mechanism binds session renewal to a non-exportable device key, making stolen cookies harder to reuse.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
Google Chrome Update Disrupts Infostealer Cookie Theft
hackread.com
Open sourceGoogle Unveils Device-Bound Chrome Sessions in Anti-Cookie-Theft Move
cybersecuritynews.com
Open sourceChrome 146 introduces device bound session credentials to combat info-stealing malware | brief | SC Media
scworld.com
Open sourceGoogle Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows
thehackernews.com
Open sourceGoogle Chrome 146 Updates Device Bound Session Credentials to Stop Session Cookie Theft on Windows - gHacks Tech News
ghacks.net
Open sourceGoogle Online Security Blog: Protecting Cookies with Device Bound Session Credentials
security.googleblog.com
Open sourceGoogle Online Security Blog: Protecting Cookies with Device Bound Session Credentials
security.googleblog.com
Open sourceGitHub - w3c/webappsec-dbsc: Device Bound Session Credentials: A Protocol for Protecting From Cookie Theft · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Chrome Rolls Out Device-Bound Session Credentials to Block Cookie Theft
Google has made **Device Bound Session Credentials (DBSC)** generally available in Chrome, rolling it out for Google Workspace customers, Workspace Individual subscribers, and personal Google accounts to blunt account takeovers driven by stolen session cookies. The feature cryptographically binds a session cookie to the device where authentication occurred, using hardware-backed protections such as the **Trusted Platform Module** on Windows and **Secure Enclave** support on macOS, so exfiltrated cookies cannot be replayed on another machine to bypass MFA. Google said DBSC is enabled by default for Workspace customers, integrates with **Context-Aware Access** for device-aware policy decisions, and exposes binding events in audit logs to help administrators monitor session integrity. The move follows sustained abuse of stolen Google authentication artifacts by infostealers and adversaries leveraging mechanisms such as the undocumented OAuth **MultiLogin** API, with operators tied to **Lumma** and **Rhadamanthys** claiming they could restore expired cookies. At the same time, researchers at Phishu disclosed **VaultJacking**, a phishing technique that can steal an entire Google Password Manager vault after capturing a victim’s 6-digit PIN, then registering an attacker-controlled device to sync passwords and passkeys without malware or prior device compromise. Phishu said the attack sidesteps DBSC because it does not rely on replaying stolen cookies, underscoring that Google’s new protection sharply reduces pass-the-cookie risk but does not stop credential- and PIN-based phishing against synced account data.
Jun 2, 2026
Google Chrome Security Enhancements Against Account Takeover and Prompt Injection Threats
Google has introduced new layered security defenses in Chrome to address the growing risks of indirect prompt injection attacks and account takeovers, particularly as the browser integrates more agentic AI capabilities. Key features include the User Alignment Critic, which independently evaluates and vetoes potentially malicious actions by Chrome's AI agent, and Agent Origin Sets, which restrict the agent's data access to only relevant or user-approved sources. These measures are designed to prevent attackers from exploiting untrusted web content to hijack user sessions or exfiltrate sensitive data, and to mitigate site isolation bypasses that could compromise user privacy and security. In parallel, Google has acknowledged a surge in account takeover incidents targeting Chrome users, where attackers steal credentials, authentication codes, and session cookies to access synchronized data stored in the cloud. The company is urging users to strengthen their authentication methods and reconsider the use of browser-based password managers, as a single compromised account can expose a wide range of personal information. Google is also rolling out additional protections for Workspace accounts to counteract these threats and safeguard user data across its ecosystem.
Mar 21, 2026
Malicious Chrome Extensions Steal and Inject Session Cookies to Hijack Enterprise Accounts
Researchers reported a coordinated operation involving at least five **malicious Chrome extensions** masquerading as productivity or security tools, designed to **hijack enterprise web sessions** by stealing authentication cookies/session tokens. The extensions targeted business platforms such as **Workday, NetSuite, and SAP SuccessFactors**, where possession of a valid session token can enable access without re-entering credentials; telemetry indicated some variants attempted to **exfiltrate cookies as frequently as every 60 seconds**. Prior to takedown requests to Google, the campaign was estimated to have reached **2,300+ installs**. One variant, **Software Access**, was described as particularly advanced because it supported **bidirectional cookie injection**—using Chrome APIs such as `chrome.cookies.set()` to implant stolen session cookies into an attacker-controlled browser, effectively recreating an authenticated session. Investigators noted the extensions shared **identical infrastructure patterns** despite being published under different names (including multiple under “databycloud1104”), supporting attribution to a single coordinated actor. Recommended mitigations included stricter enterprise controls over browser extensions (vetting and limiting permissions, especially cookie access), removing unnecessary add-ons, and monitoring for anomalous session activity and extension behavior to detect session hijacking attempts earlier.
Mar 21, 2026