Наталя Хандусенко | Gadgets
29 May 2026, 17:35
Google Chrome adds protection against session cookie theft for all users
Google announced that Chrome's Device Bound Session Credentials (DBSC) security feature is becoming publicly available and rolling out to all users to prevent account hijacking.
DBSC, which has been in beta testing since April, was first announced in 2024. It cryptographically binds session cookies to a specific device, preventing hackers from using stolen cookies to bypass multi-factor authentication and hijack user accounts, BleepingComputer reported.
Because the unique public and private keys used to encrypt and decrypt sensitive data are generated by the security chip, they cannot be stolen. This prevents attackers from using stolen session cookies.
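The binding described above can be modelled in a few lines of Node.js. This is an added example, not code from the article or from Google, and it is not the DBSC wire protocol: every function name is hypothetical, and a software key pair stands in for the key held by the security chip.

```javascript
// Constructed model of a device-bound session; not the DBSC wire protocol.
const nodeCrypto = require('node:crypto');
const sessions = new Map(); // server side: cookie -> { publicKey, challenge }

// Hypothetical "device": a software key pair stands in for the security chip.
function createDevice() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const sign = (challenge) =>
    nodeCrypto.sign('sha256', Buffer.from(challenge), privateKey);
  return { publicKey, sign }; // the private key itself is never handed out
}

// Login: the server stores the device's public key next to the new cookie.
function login(device) {
  const cookie = nodeCrypto.randomBytes(16).toString('hex');
  sessions.set(cookie, { publicKey: device.publicKey, challenge: null });
  return cookie;
}

// The server hands out a fresh random challenge for this session.
function issueChallenge(cookie) {
  const session = sessions.get(cookie);
  if (!session) return null;
  session.challenge = nodeCrypto.randomBytes(32).toString('hex');
  return session.challenge;
}

// The session continues only if the challenge was signed by the bound key.
function refresh(cookie, signature) {
  const session = sessions.get(cookie);
  if (!session || !session.challenge) return false;
  const challenge = session.challenge;
  session.challenge = null; // each challenge is single use
  return nodeCrypto.verify('sha256', Buffer.from(challenge), session.publicKey, signature);
}

function demo() {
  const userDevice = createDevice();
  const cookie = login(userDevice);
  const userSig = userDevice.sign(issueChallenge(cookie));
  const legitimate = refresh(cookie, userSig);
  // Cookie copied to another machine: that machine can only sign with its own key.
  const otherDevice = createDevice();
  const stolenCookieOtherKey = refresh(cookie, otherDevice.sign(issueChallenge(cookie)));
  // Replaying the user's earlier signature fails against a new challenge.
  issueChallenge(cookie);
  const replayedSignature = refresh(cookie, userSig);
  return { legitimate, stolenCookieOtherKey, replayedSignature };
}
```

Calling `demo()` shows the server accepting the original device and rejecting both the copied cookie presented with a different key and a replayed signature.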
“DBSC fundamentally changes the web’s ability to defend against this threat. It shifts the paradigm from reactive detection to proactive prevention, ensuring that successfully stolen cookies cannot be used to access user accounts,” Google said in April.
The company added this week: “DBSC strengthens account security after a user is logged in and helps tie session cookies — small files used by websites to remember information about a user — to the device from which authentication was performed. Even if the user’s device had malware, DBSC reduces the risk of session theft and makes it significantly more difficult for attackers to exploit stolen cookies.”
This feature is currently rolling out to all Google Workspace customers, Workspace Individual subscribers, and users with personal Google Accounts.
Google added that once deployed, it will be enabled by default for all Google Workspace customers, and administrators will not be able to disable it.
In the past, attackers have abused an undocumented Google OAuth API endpoint called “MultiLogin” to create new authentication cookies after stolen ones expire.
The Lumma and Rhadamanthys information-stealing malware operations also claimed to be able to recover expired Google authentication cookies stolen during attacks to gain access to infected users' accounts.
At the time, Google advised customers to remove malware from their devices and recommended enabling Enhanced Safe Browsing in Chrome to protect against phishing and malware attacks.
However, the new DBSC security feature should effectively block attackers from being able to use such stolen cookies, as they will not have access to the cryptographic keys needed for them to work.