Google Chrome adds session cookie theft protection for all users
Recorded: May 29, 2026, 1:01 p.m.
| Original | Summarized |
Google Chrome adds session cookie theft protection for all users By Sergiu Gatlan May 29, 2026 Google says the Chrome Device Bound Session Credentials (DBSC) security feature is now generally available and is rolling out to all users to prevent account takeovers. [Figure: How DBSC works (Google)] |
Google is rolling out the Chrome Device Bound Session Credentials (DBSC) security feature to protect all users from session cookie theft and account takeovers. DBSC was introduced in 2024 as a mechanism to cryptographically bind user sessions to the specific hardware device from which they originate, using security chips such as the Trusted Platform Module (TPM) on Windows or the Secure Enclave on macOS. This binding process ensures that the unique public and private keys used for encrypting and decrypting sensitive data are generated and stored within the security chip, making them inaccessible to attackers even if session cookies are exfiltrated.
DBSC shifts the defense against session hijacking from reactive detection to proactive prevention. By linking session cookies, which are small files websites use to remember user information, directly to the authenticated device, the feature significantly reduces the risk associated with session theft. Even when malware is present on a user's device, DBSC makes it substantially more difficult for malicious actors to use stolen cookies to bypass multi-factor authentication or hijack user accounts.
Threat actors had previously exploited vulnerabilities, such as the undocumented Google OAuth MultiLogin API endpoint, to generate new authentication cookies after older ones had expired. Furthermore, information-stealing malware, including Lumma and Rhadamanthys, had demonstrated the ability to restore expired Google authentication cookies stolen during attacks to gain access to infected user accounts. DBSC is designed to block malicious actors from abusing these stolen credentials, because they will lack access to the necessary cryptographic keys held by the hardware security chip.
The feature is being rolled out to all Google Workspace customers, Workspace Individual subscribers, and users with personal Google accounts. Google has mandated that DBSC will be enabled by default for all Google Workspace customers and cannot be disabled by administrators. The feature strengthens account security immediately following a user login by ensuring that session cookies are securely tethered to the authenticating device. The original article is by Sergiu Gatlan, who has covered cybersecurity and technology developments. |
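
The binding described in the summary can be modelled on the server side as a proof-of-possession check at cookie refresh time. The Go program below is an example added here, not Google's code and not the DBSC wire protocol: `Session`, `NewDeviceKey`, `Signer` and `Refresh` are hypothetical names, and a software ECDSA P-256 key stands in for a key held in a TPM or Secure Enclave.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Session is the server-side record: the public key registered at login.
type Session struct{ Pub *ecdsa.PublicKey }

// NewDeviceKey stands in for key generation inside a TPM or Secure Enclave,
// where the private half cannot be exported (assumption of this model).
func NewDeviceKey() *ecdsa.PrivateKey {
	return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
}

// Signer is the device side: it signs each challenge with the bound key.
func Signer(k *ecdsa.PrivateKey) func([]byte) []byte {
	return func(challenge []byte) []byte {
		h := sha256.Sum256(challenge)
		return must(ecdsa.SignASN1(rand.Reader, k, h[:]))
	}
}

// Refresh models one renewal of the short-lived cookie: a fresh challenge is
// sent, and renewal succeeds only if the reply verifies under the session key.
func (s *Session) Refresh(client func(challenge []byte) []byte) bool {
	challenge := make([]byte, 32)
	must(rand.Read(challenge))
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(s.Pub, h[:], client(challenge))
}

func main() {
	dev, other := NewDeviceKey(), NewDeviceKey() // other: host with only a copied cookie
	s := &Session{Pub: &dev.PublicKey}
	fmt.Println("bound device:", s.Refresh(Signer(dev)))
	fmt.Println("copied cookie, different key:", s.Refresh(Signer(other)))
}
```

Because every refresh uses a new random challenge, a signature captured from an earlier refresh does not verify later, so an exfiltrated cookie stops working once its short lifetime ends.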