Google Chrome Now Makes Stolen Session Cookies Useless With Device Bound Session Credentials

Introduction

Google has shipped Device Bound Session Credentials (DBSC) to all Windows users on Chrome 146, a feature that cryptographically binds authentication sessions to the user's physical device. Stolen session cookies, the backbone of infostealer-driven account takeovers, lose their value almost as soon as they leave the machine: they expire within their deliberately short lifetime and cannot be renewed without the device that holds the key. macOS support is coming in a future release.

What Happened

Session cookie theft has been one of the most effective attack techniques in recent years. Infostealers like Raccoon, Vidar, and Lumma harvest browser cookies and sell them on dark web markets, giving buyers instant access to victims' authenticated sessions — no password needed. Traditional defenses have been largely ineffective because once malware has access to a machine's memory or local files, there is no software-only way to prevent cookie exfiltration.

DBSC changes the equation by having Chrome generate a per-session public/private key pair whose private half is created in, and never leaves, the device's Trusted Platform Module (TPM). When a website opts into DBSC, the browser registers the public key with the site and the site issues deliberately short-lived session cookies. Before those cookies expire, the browser proves to the server that it still holds the private key by signing a fresh, server-supplied challenge, and only then does the server mint replacement cookies. A cookie exfiltrated by malware is therefore usable only for the remainder of its short lifetime and cannot be refreshed: the attacker has the cookie bytes but cannot produce a signature from a key that cannot be exported from the victim's hardware.

Google reports that its own early deployments of the protocol already demonstrated a significant reduction in session theft. DBSC is being developed in the open, as a W3C Web Incubator Community Group (WICG) proposal rather than a finished standard, with input from Microsoft and Okta, and implementation guides are available for web developers who want to adopt it.

Why It Matters

Cookie theft has powered some of the biggest breaches and account takeover waves of the past two years. Infostealers are cheap, widely available, and the stolen cookies they produce have been immediately usable. DBSC is a browser-native defense that makes stolen session tokens fundamentally worthless on sites that adopt it, rather than merely harder to steal. For enterprises this shrinks the damage radius of an infostealer infection: even if a machine is compromised, the attacker can no longer carry harvested cookies off the box to pivot into cloud services, email, admin panels, or SaaS platforms. Because the protocol is being developed as an open web standard, other browsers can adopt it, which would leave exfiltrated cookies with little resale value across the industry.

Who Is Affected

  • Positively affected: All Chrome 146 users on Windows gain automatic protection on sites that support DBSC
  • Websites: Must implement DBSC registration and refresh endpoints to participate (guides available from Google)
  • Attackers: Infostealer operators who rely on cookie theft as a monetization vector face a significant disruption to their business model
  • macOS users: Not yet covered; support is expected in an upcoming Chrome release

How to Protect Yourself

1. Update Chrome to version 146 or later

chrome://settings/help

Verify the version is 146+. For enterprise deployments, push the update through your browser management tool.

2. Verify DBSC is enabled

DBSC is on by default in Chrome 146, so there is normally nothing to toggle. To confirm, open Chrome's internal flags page and look for the entry (flag names have changed between releases, so search the page for "bound session" if this exact one is not listed):

chrome://flags/#device-bound-session-credentials

It should read "Default" or "Enabled"; "Disabled" means someone has turned it off on that machine. For a site you operate, the definitive check is server-side: after you send a Sec-Session-Registration header, the browser should call your registration endpoint with a Sec-Session-Response header.

3. Adopt DBSC on your web applications

If you run web services, implement the DBSC protocol. Google provides a developer guide:

https://developer.chrome.com/docs/web-platform/device-bound-session-credentials

The integration adds two endpoints. The registration endpoint receives the browser-generated public key together with a signature over a server-issued challenge, and returns the session configuration (session identifier, refresh URL, scope, and the cookies to be bound). The refresh endpoint issues a fresh challenge, verifies the browser's signature over it against the key bound at registration, and only then sets new short-lived cookies. Treat the cookie lifetime as the attacker's window: the shorter it is, the less a stolen copy is worth.

4. Keep managed Chrome at 146 or later through forced updates

Chrome for Windows has no single "minimum version" policy that blocks older builds; version enforcement is done by keeping Google Update on and forcing a relaunch once an update has been staged. Under HKLM, set the Google Update and Chrome policies:

Software\Policies\Google\Update\Update{8A69D345-D564-463C-AFF1-A69D9E530F96} = 1   (Chrome: updates always allowed)
Software\Policies\Google\Update\AutoUpdateCheckPeriodMinutes = 60
Software\Policies\Google\Chrome\RelaunchNotification = 2                            (relaunch required, not just recommended)
Software\Policies\Google\Chrome\RelaunchNotificationPeriod = 86400000               (milliseconds; forced relaunch within 24 hours)

Then confirm the installed version from your browser management reporting (Chrome Browser Cloud Management or your MDM's software inventory) rather than trusting the policy alone; a browser that has not relaunched is still running the old build.

5. Continue layering defenses against infostealers

DBSC protects sessions only on sites that have adopted it, and it does not stop malware from running. An infostealer that stays resident can still drive the victim's live browser session from the device itself, where the TPM will happily sign challenges for it, so the protection is against exfiltration and resale of cookies, not against a compromised endpoint as such. Continue investing in:

  • EDR with infostealer detection capabilities
  • Application control / allowlisting
  • Phishing-resistant MFA (FIDO2/passkeys) for critical accounts
  • Network monitoring for known stealer C2 domains

Source

Google Rolls Out Cookie Theft Protections in Chrome — SecurityWeek