Chrome hardens defences against cookie theft

Google has begun rolling out a new Chrome security feature designed to blunt one of the most effective tools used by cybercriminals to hijack online accounts: stolen session cookies. The protection, called Device Bound Session Credentials, is entering public availability for Windows users in Chrome 146, with expansion to macOS slated for a later release. Google says the system is intended to make stolen authentication cookies far less useful by tying them cryptographically to the user’s device.

The move targets so-called infostealers, malware strains built to scrape credentials, browser data and authentication tokens from compromised machines. Session cookies are especially valuable because they can let attackers gain access to accounts without needing a password or even a one-time code if the session has already been authenticated. Google said session theft remains a significant threat and argued that binding session credentials to hardware-backed keys offers a stronger line of defence than traditional browser storage alone.

Under the new approach, Chrome helps websites verify that a session credential has not been exported from the original device. Rather than relying only on a cookie that can be copied and replayed elsewhere, the browser can present proof linked to a private key protected by the device, including through hardware security features such as TPM-style storage where available. That means a criminal who steals a cookie file may still be unable to reuse it on another machine. Google first outlined the concept in April 2024 as an open web proposal and has since pushed it through testing toward broader deployment.


Chrome’s latest step also fits into a wider security effort that has been building for nearly two years. In July 2024, Google introduced App-Bound Encryption in Chrome 127 on Windows, a measure aimed at preventing other software running under the same logged-in user account from easily reading sensitive browser data such as cookies. That protection raised the bar, but security researchers and threat intelligence firms have shown that attackers continued to adapt, using techniques such as remote debugging abuse, memory scraping and interface manipulation to get around earlier safeguards.

That cat-and-mouse dynamic explains why the latest rollout matters. Device Bound Session Credentials does not replace existing protections; it adds another layer by focusing on what happens after a cookie is stolen. If App-Bound Encryption tried to make theft harder, DBSC is designed to make the loot less valuable. Security specialists have long warned that infostealer operators thrive because browser-stored sessions are portable, easy to monetise and useful for breaking into email, cloud dashboards, collaboration platforms and financial services. By limiting portability, Google is trying to erode part of that business model.

There are, however, important caveats. The protection is not a universal switch that instantly shields every Chrome user on every website. Sites must support the mechanism for the full benefit to take effect, and the rollout itself is gradual. Google’s enterprise release notes indicate Chrome 145 began the rollout on Windows, while Chrome 146 broadens availability there; macOS support is expected in Chrome 147. Administrative controls are also being added for managed environments, suggesting the company expects adoption to be significant in enterprise settings where account takeover poses outsized risk.

The feature also underscores a broader shift in browser security thinking. For years, the industry concentrated on securing passwords and pushing multifactor authentication. Infostealers exploited the gap by going after the authenticated session instead. That has become a central weakness in modern web security because users can do everything right and still lose control of an account if malware lifts the browser state after login. Google acknowledged as much in its latest explanation, noting that once malware lands on a device, software-only protections have limits. DBSC is best seen as damage reduction rather than a complete cure.

For website operators, the rollout may carry strategic implications beyond Chrome itself. Google has framed DBSC as an open standard effort rather than a proprietary browser trick, and Chromium documentation positions it as a web-platform capability for authentication flows. That could encourage wider developer experimentation, particularly among large platforms with high-value user sessions and strong incentives to cut account hijacking. If adoption spreads, the change may gradually reshape how persistent logins are managed across the web.

