Google Chrome adds session cookie theft protection for all users
Patch: Enable DBSC in Chrome for all users and verify default setting to block stolen session cookies.
Summary
Google has made its Device Bound Session Credentials (DBSC) feature generally available, rolling it out to all users to prevent account takeovers.
DBSC, first announced in 2024, cryptographically binds session cookies to a device’s hardware, such as the TPM on Windows or the Secure Enclave on macOS, making stolen cookies unusable without the device’s private key. The feature is now enabled by default for Google Workspace customers, Workspace Individual subscribers, and personal Google accounts, and administrators cannot disable it. DBSC addresses past abuse of the undocumented OAuth “MultiLogin” API and malware that restored expired Google authentication cookies. By binding cookies to the device, DBSC shifts defense from reactive detection to proactive prevention, ensuring that exfiltrated cookies cannot be used to access accounts. The rollout includes enhanced Safe Browsing and protects against session theft even if malware is present on the user’s device. Google emphasises that DBSC reduces the risk of session theft and makes it more difficult for attackers to exploit stolen cookies.
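The binding described above can be modelled in a few lines. The following Go program is an added example, not Google's code and not the actual DBSC wire protocol (which runs over HTTP headers); the in-memory ed25519 key stands in for the key held by the TPM or Secure Enclave, and all type and function names are assumptions. The server ties a cookie to a public key at registration and, on every refresh, demands a signature over a fresh single-use nonce, so a cookie exfiltrated by malware is useless on another machine because the private key never left the device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// DeviceKey stands in for a key pair whose private half never leaves the
// device. In the real feature it lives in the TPM or Secure Enclave; here it
// is an in-memory ed25519 key (an assumption for illustration only).
type DeviceKey struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewDeviceKey() (*DeviceKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &DeviceKey{Pub: pub, priv: priv}, nil
}

// Sign answers a server challenge; only the holder of priv can produce it.
func (d *DeviceKey) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Server keeps, per session cookie, the public key the cookie is bound to
// and the single outstanding challenge the client still has to answer.
type Server struct {
	boundKey   map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{boundKey: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register mints a random session cookie and binds it to the device's public key.
func (s *Server) Register(pub ed25519.PublicKey) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	cookie := hex.EncodeToString(b)
	s.boundKey[cookie] = pub
	return cookie, nil
}

// Challenge issues a fresh nonce that must be signed before the session is
// refreshed; it is stored against this cookie only.
func (s *Server) Challenge(cookie string) ([]byte, error) {
	if _, ok := s.boundKey[cookie]; !ok {
		return nil, errors.New("unknown session")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[cookie] = nonce
	return nonce, nil
}

// Refresh accepts the session only if the presenter proves possession of the
// bound private key. A cookie copied off the device fails here.
func (s *Server) Refresh(cookie string, sig []byte) error {
	pub, ok := s.boundKey[cookie]
	if !ok {
		return errors.New("unknown session")
	}
	nonce, ok := s.challenges[cookie]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.challenges, cookie) // single use: a captured signature cannot be replayed
	if !ed25519.Verify(pub, nonce, sig) {
		return errors.New("proof of possession failed")
	}
	return nil
}

// Demo runs three refresh attempts against one session and reports whether each
// succeeded: the legitimate device, a replay of its signature, and a second
// machine that holds only the stolen cookie value.
func Demo() (legit, replay, stolen bool, err error) {
	srv := NewServer()
	device, err := NewDeviceKey()
	if err != nil {
		return
	}
	cookie, err := srv.Register(device.Pub)
	if err != nil {
		return
	}
	nonce, err := srv.Challenge(cookie) // 1. the real device answers the challenge
	if err != nil {
		return
	}
	sig := device.Sign(nonce)
	legit = srv.Refresh(cookie, sig) == nil
	replay = srv.Refresh(cookie, sig) == nil // 2. same signature again: nonce already consumed
	other, err := NewDeviceKey()            // 3. attacker's machine with its own key
	if err != nil {
		return
	}
	if nonce, err = srv.Challenge(cookie); err != nil {
		return
	}
	stolen = srv.Refresh(cookie, other.Sign(nonce)) == nil
	return
}

func main() {
	legit, replay, stolen, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legit device: %v, replayed signature: %v, stolen cookie: %v\n", legit, replay, stolen)
}
```

Running it prints `legit device: true, replayed signature: false, stolen cookie: false`. The two rejections are the point: the cookie string alone carries no authority, and even a signature captured in transit is worthless once its nonce has been consumed.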
Key changes
- DBSC now GA and rolls out to all users
- Cryptographically binds session cookies to device hardware (TPM, Secure Enclave)
- Prevents stolen cookies from bypassing MFA
- Enabled by default for Workspace customers; admins cannot disable
- Addresses abuse of OAuth MultiLogin API and cookie restoration malware
- Shifts defense to proactive prevention of session theft
- Protects even if malware is present on the device
- Enhances Safe Browsing and reduces session theft risk