Google Chrome Enhances Security with Device Bound Session Credentials
Severity: Low (Score: 33.8)
Sources: Bleepingcomputer, workspaceupdates.googleblog.com, Androidauthority
Summary
Google has rolled out the Device Bound Session Credentials (DBSC) feature for Chrome to enhance security against session cookie theft. This feature binds session cookies to the device used for authentication, making it difficult for attackers to exploit stolen cookies. Initially introduced in beta in April 2026, DBSC is now available for all users, including Google Workspace customers. The rollout began on May 25, 2026, and is expected to be completed within 60 days. This proactive measure aims to prevent account takeovers, particularly in light of previous exploits using stolen cookies. Google emphasizes that even if malware is present on a device, DBSC significantly reduces the risk of session theft. The feature will be enabled by default, and administrators cannot disable it.

Key Points:
- Google Chrome's DBSC feature binds session cookies to the user's device.
- The rollout began on May 25, 2026, and will be completed within 60 days.
- DBSC aims to prevent account takeovers by making stolen cookies unusable.
Detailed Analysis
**Impact** All Google Chrome users, including personal account holders and Google Workspace customers globally, are affected by this security enhancement. The feature aims to prevent account takeovers resulting from stolen session cookies, which have been exploited by malware operations such as Lumma and Rhadamanthys. By binding session cookies to specific devices, the risk of unauthorized access to user accounts and sensitive data is significantly reduced, protecting millions of users across various sectors that rely on Google services.

**Technical Details** The Device Bound Session Credentials (DBSC) feature cryptographically binds session cookies to the hardware security chip on the user’s device, such as TPM on Windows or Secure Enclave on macOS. Because using the session requires possession of the device-specific cryptographic keys, attackers cannot reuse stolen cookies to bypass multi-factor authentication. Previously, threat actors exploited Google OAuth’s undocumented MultiLogin API to generate new authentication cookies from expired ones. No CVEs or specific IOCs were mentioned in the articles.

**Recommended Response** Defenders should ensure that Chrome is updated to the latest version where DBSC is enabled by default, particularly for Google Workspace environments where administrators cannot disable it. Users should keep Enhanced Safe Browsing mode enabled to reduce phishing and malware risks. Monitoring for signs of OAuth token abuse and malware infections that attempt to steal session cookies remains important. No additional configuration is required as the rollout is automatic and gradual over 60 days.
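
The binding described under Technical Details, as a simplified added example (not code from Google, Chrome or the source articles): a server renews a session only when a fresh challenge is signed by the key registered at login, so a copied session identifier alone is not enough. The class and function names are hypothetical, an in-memory P-256 key stands in for the TPM or Secure Enclave key, and the flow is a simplified model, not the DBSC wire protocol.

```javascript
// Simplified model of device-bound session renewal (assumed flow, not the DBSC wire format).
const nodeCrypto = require('node:crypto');

// Client side: key pair standing in for a hardware-held key.
// On real hardware the private key is non-exportable; here it is an in-memory object.
function createDeviceKey() {
  return nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Client side: prove possession of the device key for one challenge.
function signChallenge(privateKey, challenge) {
  return nodeCrypto.sign('sha256', challenge, privateKey);
}

// Server side (hypothetical class): tracks the public key bound to each session.
class SessionServer {
  constructor() {
    this.sessions = new Map();
  }

  // At login, store the device public key alongside the new session.
  register(publicKey) {
    const sessionId = nodeCrypto.randomBytes(16).toString('hex');
    this.sessions.set(sessionId, { publicKey, challenge: null });
    return sessionId;
  }

  // Before renewing a short-lived cookie, issue a single-use random challenge.
  issueChallenge(sessionId) {
    const session = this.sessions.get(sessionId);
    if (!session) return null;
    session.challenge = nodeCrypto.randomBytes(32);
    return session.challenge;
  }

  // Renew only if the signature over the outstanding challenge verifies
  // against the public key registered for this session.
  refresh(sessionId, signature) {
    const session = this.sessions.get(sessionId);
    if (!session || !session.challenge) return false;
    const challenge = session.challenge;
    session.challenge = null; // single use: a captured signature cannot be replayed
    try {
      return nodeCrypto.verify('sha256', challenge, session.publicKey, signature);
    } catch {
      return false; // malformed signature is treated as a failed proof
    }
  }
}
```
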
Source articles (3)
- Google Chrome adds session cookie theft protection for all users — Bleepingcomputer · 2026-05-29
Google says the Chrome Device Bound Session Credentials (DBSC) security feature is now generally available and is rolling out to all users to prevent account takeovers. Available in beta since April ,…
- The Chrome browser is getting a big safety upgrade — Androidauthority · 2026-05-29
Recently, Google announced that it is moving Ask Gemini in Google Meet to make it easier to notice. It appears that’s not the only Workspace announcement we’re getting today. Google is also making the…
- Prevent Account Takeovers With DBSC Now Generally Available In The Chrome Browser For Windows — workspaceupdates.googleblog.com · 2026-05-29
Timeline
- 2024-01-01 — DBSC feature announced: Google announced the Device Bound Session Credentials feature to enhance session security.
- 2026-04-01 — DBSC enters beta testing: The Device Bound Session Credentials feature was made available in beta for testing.
- 2026-05-25 — DBSC rollout begins: Google started rolling out the DBSC feature to all users, including Workspace customers.
- 2026-05-29 — DBSC feature generally available: Google confirmed that the DBSC feature is now generally available for all Chrome users.
Related entities
- Malware (Attack Type)
- Phishing (Attack Type)
- Lumma (Malware)
- Rhadamanthys (Malware)
- Google Chrome (Tool)
- MultiLogin (Tool)
- macOS (Platform)
- Windows (Platform)