Enhancing Online Security with Chrome Device Bound Session Credentials
Google has announced the general availability of the Chrome Device Bound Session Credentials (DBSC) security feature, which aims to prevent account takeovers by binding session cookies to specific devices. This proactive measure is designed to thwart hackers from exploiting stolen cookies to bypass multi-factor authentication (MFA) and compromise user accounts.
Initially introduced in beta in April and officially launched in 2024, DBSC works by securely linking user sessions to the hardware of their devices, such as the Trusted Platform Module (TPM) on Windows or the Secure Enclave on macOS. The security chip generates a unique public/private key pair that is used to encrypt and decrypt the sensitive session data, making it virtually impossible for attackers to steal and misuse session cookies.
According to Google, “DBSC fundamentally changes the web’s capability to defend against this threat by shifting the paradigm from reactive detection to proactive prevention, ensuring that successfully exfiltrated cookies cannot be used to access users’ accounts.”
The feature, now rolling out to all Google Workspace customers, Workspace Individual subscribers, and users with personal Google accounts, strengthens account security post-login by binding session cookies to the authenticated device. This significantly reduces the risk of session theft, even in the presence of malware on the user’s device.
How DBSC works (Google)
Google assures that DBSC will be enabled by default for all Google Workspace customers upon rollout, with administrators unable to disable it. This move comes in response to past incidents where threat actors exploited vulnerabilities, such as the undocumented Google OAuth “MultiLogin” API endpoint, to gain unauthorized access to user accounts.
Furthermore, the introduction of DBSC aims to counter information-stealing malware operations like Lumma and Rhadamanthys, which have leveraged expired Google authentication cookies to compromise user accounts. By preventing malicious actors from accessing the cryptographic keys necessary to use stolen cookies, DBSC significantly enhances account security.
Google recommends users remove malware from their devices and activate Chrome’s Enhanced Safe Browsing security mode to defend against phishing and malware attacks. However, the implementation of DBSC is expected to provide an additional layer of protection against such threats.