
DBSC: the novelty in Google Chrome that could ruin hackers' business


Since April 9, 2026, Google has implemented cryptographic protection in Chrome 146 on Windows, designed to neutralize one of the most widespread techniques in the cybercriminal arsenal: session cookie theft.

Google is directly targeting one of the most coveted prizes by cybercriminals: session cookies.

These small files stored in the browser allow users to stay logged into an account without retyping their password, providing direct access to messaging, social networks, banking services, or a victim’s professional tools without the need for their credentials.

This is precisely what infostealers, the malware specialized in harvesting data from compromised machines, aim for. Families such as Lumma, for example, systematically include a module dedicated to extracting the cookies stored by browsers.

The stolen information is then sold in cybercriminal markets, and buyers can use these cookies to directly access targeted accounts, a technique known as session hijacking.

To counter this mechanism, Google began developing a structural response in 2024: DBSC, short for Device Bound Session Credentials.

Deployed on April 9, 2026, for Windows users of Google Chrome, this technology aims to render each cookie unusable outside the device on which it was created.

The principle of DBSC is to make a session cookie inseparable from the device on which it was created.

Concretely, Chrome generates a pair of cryptographic keys and stores the private key in the device’s security chip: the TPM (Trusted Platform Module) on Windows, or the Secure Enclave on macOS. These components are designed never to expose the key entrusted to them: they can use it to sign data but never hand it out.

Now, with each session cookie renewal, Chrome must prove to the server that it holds this key by signing a message with it. The server verifies the signature before issuing a new temporary cookie.

An attacker could still steal the cookie but not the key, which remains confined to the chip. Once the cookie expires, it cannot be renewed without this cryptographic proof.

In summary, before DBSC, stealing the cookie was enough. After DBSC, stealing the device is also required.

Google claims to have seen a significant reduction in session theft since the open beta test launch in July 2025.

Currently, general deployment concerns only Windows users on Chrome 146, with an extension to macOS planned in the coming months. On devices that lack a compatible security chip, the browser automatically falls back to the classic behavior, without DBSC protection.

The standard was developed in partnership with Microsoft to become an open web standard that other browsers can adopt in the future.