Google Chrome Enhances Security Against Session Cookie Theft with DBSC
Severity: Medium (Score: 51.9)
Sources: Bleepingcomputer, Feeds.Feedburner
Summary
On April 9, 2026, Google announced the public availability of Device Bound Session Credentials (DBSC) in Chrome 146 for Windows, aimed at preventing session cookie theft by infostealer malware. The feature will extend to macOS users in a future update. DBSC works by cryptographically binding session cookies to specific hardware, using security chips such as the Trusted Platform Module (TPM) on Windows and the Secure Enclave on macOS. Because the private key that proves possession of the session is tied to the user's device, exfiltrated session cookies cannot be used by attackers on another machine. DBSC is a proactive measure against session theft, which has been a significant threat because of the sophistication of malware like LummaC2. Google has been testing DBSC over the past year and has reported a notable decline in session theft incidents during this period. The protocol is designed to preserve user privacy by minimizing the information exchanged and preventing correlation of user activity across sessions.

Key Points
- DBSC protects against session cookie theft by binding sessions to specific hardware.
- The feature is currently available for Windows in Chrome 146, with macOS support coming soon.
- Google observed a decline in session theft incidents during DBSC's testing phase.
Key Entities
- Malware (attack_type)
- LummaC2 (malware)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1555.003 - Credentials From Web Browsers (mitre_attack)
- macOS (platform)
- Secure Enclave (platform)
- Trusted Platform Module (platform)
- Windows (platform)