Google is rolling out a new security feature in Chrome aimed at stopping one of the most common techniques used by cybercriminals to hijack online accounts: stealing session cookies through infostealer malware.
Starting with Chrome 146 on Windows, Google has enabled Device Bound Session Credentials (DBSC), a feature designed to make stolen session cookies far less useful to attackers. Support for macOS is expected to arrive in future browser updates as well.
This new layer of Chrome infostealer protection addresses a serious issue. Many infostealers extract session cookies from the browser's cookie store, letting an attacker access an account without needing a username or password, or passing any login-time check. Because these cookies can remain valid for a long time, the risk is not limited to a one-time breach and may continue for as long as the stolen cookie is accepted by the site.
To reduce that risk, Google developed DBSC, a system that cryptographically ties session cookies to the device where they were created. On Windows, the feature relies on the Trusted Platform Module (TPM), while on macOS it uses the Secure Enclave. In both cases, the browser generates a unique public and private key pair, with the private key securely stored on the device and unavailable for export.
In practice, when a short-lived session cookie expires and Chrome asks the server for a replacement, the server sends a challenge and Chrome must sign it with the matching private key before new cookies are issued. That means even if an attacker manages to steal the cookies, they can only use them until they expire: without the hardware-held key they cannot answer the refresh challenge, so they cannot obtain the next set of cookies. The protection is against use of the stolen cookies from another machine; malware that is still running on the victim's device can continue to drive the browser's own session until it is removed.
Google also says the architecture behind DBSC was built with privacy in mind. Each session is protected by its own key pair, which prevents websites from linking a user's activity across separate sessions or across different sites on the same device. No device identifiers or additional tracking data are sent to the server; the only key material it sees is the per-session public key needed to verify proof of possession.
With this update, Chrome infostealer protection becomes a meaningful step forward in defending users against account takeover attempts, while still preserving privacy.