Chrome ties stolen logins to one machine

Google has moved to harden Chrome against one of cybercrime’s most effective tactics by making Device Bound Session Credentials publicly available for Windows users in Chrome 146, a step designed to stop attackers reusing stolen session cookies to enter accounts without passwords or multi-factor authentication. The change binds a signed-in web session to the user’s device, meaning a cookie lifted by malware should quickly become unusable on another machine. Google said macOS support is due in a coming release, while Chrome’s enterprise rollout notes indicate that broader support on Apple devices is slated to begin with Chrome 147.

Session hijacking has become a prized technique for criminal groups because it can sidestep the protections that many users and companies rely on after login. Rather than guessing passwords, attackers infect a device with infostealer malware, extract valid browser cookies and other authentication artefacts, and then replay them elsewhere. Google’s security team said malware families such as LummaC2 have become more adept at collecting these credentials, while Mandiant has separately warned that credentials stolen through infostealer operations have become a significant initial access vector in real-world investigations.

The new system changes the balance by using hardware-backed security already built into modern devices. On Windows, Chrome can use the Trusted Platform Module to create a cryptographic key pair whose private key cannot be exported. For supported web services, Chrome then proves possession of that key when short-lived session cookies need to be refreshed. If a criminal steals the cookie alone, it should expire without providing durable access because the attacker cannot present the matching device-bound key. Google described that as a shift from detecting abuse after the theft to preventing a stolen session from remaining valuable in the first place.


For websites, the upgrade is not automatic in every case. Google’s developer documentation says site operators need to add registration and refresh endpoints and adopt headers that let Chrome enrol a session into the DBSC flow. The company has pitched the design as additive rather than disruptive, arguing that most front-end logic can remain intact while the browser handles key possession checks and cookie refresh behind the scenes. That may help adoption, but it also means the wider security benefit will depend on how quickly large identity providers, SaaS groups and other online platforms decide to implement it.

That caveat matters because the threat is broadening, not narrowing. SpyCloud said its 2026 identity exposure report recaptured 8.6 billion stolen cookies and session artefacts, underlining how heavily criminals are targeting authenticated sessions rather than just usernames and passwords. Recorded Future said 276 million credentials observed in 2025 carried active cookies, arguing that any infostealer-driven exposure now demands session invalidation as well as password resets. Those figures do not measure the whole cybercrime economy, but they reinforce a wider industry view that the post-login layer has become a primary battleground.

Google has also been careful not to oversell the change. Its own technical guidance says that where secure key storage is unavailable, DBSC falls back to standard behaviour so sites do not break. That preserves compatibility, but it also means protection will be strongest on machines with the right hardware and on services that choose to deploy the new protocol fully. Sophisticated attackers who control a victim’s live machine may still find ways to act while the device remains compromised, even if replaying stolen cookies from a separate system becomes harder. The feature is therefore better understood as raising the cost of session theft than eliminating account compromise outright.

The timing also reflects a wider contest between browser makers and malware operators. Chrome’s move lands as defenders report a surge in stealers aimed at browsers on both Windows and Mac systems, with criminal services packaging credential theft into low-cost, scalable offerings. Security specialists have spent years telling organisations that MFA alone is not enough once a valid session token has been taken. By binding sessions to hardware, Google is trying to close a gap that has persisted through multiple waves of browser hardening.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.
