Google Chrome’s New Feature Takes Aim at Cookie Theft, Account Hijacking
Google Chrome is making stolen login cookies a lot less useful.
Google has begun rolling out Device Bound Session Credentials (DBSC), a security feature that ties some Chrome sessions to the device that created them. The goal is to make it harder for attackers to hijack accounts with stolen session cookies, a technique that otherwise sidesteps passwords and MFA entirely, because the cookie proves the user already logged in.
That matters because cookie theft has become a quiet shortcut for account takeovers. Instead of breaking into an account at the front door, attackers can sometimes steal the browser token that proves a user is already logged in.
How DBSC protects session cookies
A session cookie is a unique token that identifies an authenticated user across a web session.
Once a user logs in, the server generates this token and the browser sends it with every subsequent request, so the server can recognise the session without asking for credentials again. The cookie remains valid for a defined period, or until the user logs out or clears it, or the server revokes it.
In addition to web authentication, it is also used to track a user’s actions, such as navigation progress or, on e-commerce platforms, items added to the cart.
Because session cookies sit in the browser's profile data on disk, and possession of the cookie alone is enough to impersonate the user to the website, threat actors actively target them with infostealer malware and other exfiltration techniques. That has produced a steady stream of successful session hijacking attacks ending in account takeovers.
Google’s response to this is DBSC.
Google first announced the feature in 2024, before launching it in May of this year. Rather than letting a session rest on a bearer cookie alone, DBSC cryptographically binds the session to a key held in hardware on the device. Google says it uses the Trusted Platform Module (TPM) on Windows and the Secure Enclave on macOS to generate a public/private key pair for each session; the private key is created inside the chip and cannot be exported from it.
That makes a stolen session cookie far less useful. An attacker who copies the cookie file from disk no longer has everything the server expects: keeping the session alive also requires proof of possession of the device's private key, and that key never leaves the TPM or Secure Enclave.

Important details users should know
The feature is available to all Google users, whether or not their account belongs to a Google Workspace organization. For Workspace users, Google says no admin action is needed to enable it. It also says the feature cannot be turned off.
While the feature has begun rolling out, to ensure that your Chrome gets it, check that:
- You are running at least Chrome 146 on Windows or Chrome 148 on macOS.
- Your device has a TPM (Windows) or a Secure Enclave (macOS). Google did not specify which TPM version is required, but noted that a TPM is standard on Windows 11 devices.
- Windows 11 requires TPM 2.0, so the hardware is guaranteed there; older machines still on Windows 10 may lack a TPM and so may not receive the feature. On macOS, check whether your model includes the Secure Enclave.
Google has not yet said whether, or when, the feature will come to mobile devices.
For the millions of Chrome users who have been at high risk of session cookie theft, this feature may now make a threat actor think twice before attempting that technique.
Users should still follow secure browsing practices. DBSC makes exfiltrated cookies far less useful, but it does not protect a session from malware that stays resident on the device and drives the logged-in browser directly, and the security landscape never rests on either side.
