{"id":559,"date":"2026-04-10T08:49:01","date_gmt":"2026-04-10T08:49:01","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=559"},"modified":"2026-04-10T08:49:01","modified_gmt":"2026-04-10T08:49:01","slug":"google-rolls-out-dbsc-in-chrome-146-to-block-session-theft-on-windows","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=559","title":{"rendered":"Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Apr 10, 2026<\/span><\/span><span class=\"p-tags\">Malware \/ Browser Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiC-kFnk6uDzN76983rxMJBgJzi5ByxqZ0SM5RAfG1171e3I_lRUCBHIZ0kmMRkxERMiWEO9WRX3D6mkadUuRhw69KYHi4VzPrIa4s4IVilNmFANa2EMbuk1blKF_4ChwqIBuTb4FLj_dqhTDUDsivEnw8OmDL85giaaJTiqATwZArXUq6_3_X7tfd_RLbV\/s1700-e365\/chrome-cookies.jpg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><\/a><\/div>\n<p>Google has\u00a0made <strong>Device Bound Session Credentials<\/strong>\u00a0(DBSC) generally available to all Windows users of its Chrome web browser, months after\u00a0it began\u00a0testing the security feature in open\u00a0beta.<\/p>\n<p>The public availability is currently limited to Windows users on Chrome 146, with macOS expansion planned in an upcoming Chrome\u00a0release.<\/p>\n<p>\u00abThis project represents a significant step forward in our ongoing efforts to combat session theft, which remains a prevalent threat in the modern security landscape,\u00bb Google&#8217;s Chrome and Account Security\u00a0teams <a href=\"https:\/\/security.googleblog.com\/2026\/04\/protecting-cookies-with-device-bound.html\">said<\/a> in a Thursday\u00a0post.<\/p>\n<p>Session theft involves the covert exfiltration of session cookies from the web browser, either by gathering existing ones or waiting for a victim to log in to an account, to an attacker-controlled\u00a0server.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/vpn-risk-report-inside-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgWajeG0cdaapf1GKTZRUZUB7BzuYGegyw5k0eAorJXlmkFdYCCeLXXhXYJuXU9lWD33rV6rRnIyly3czoNfYifpxk1eGA5slItPmim3HkubXoQMgC4J7hdQPywxGbWq7Eqeff_o6s2Fq-WmSFd5guwdLn7IqpveMqULqtVnd-ndnljWYGj45EkMFB7m0qm\/s728-e100\/z-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>Typically, this happens when users inadvertently download information-stealing malware into their systems. These\u00a0stealer malware families \u2013 of which there are many, such as Atomic, Lumma, and Vidar Stealer \u2013 come with capabilities to harvest a wide range of information from compromised systems, including\u00a0cookies.<\/p>\n<p>Because session cookies often have extended lifespans, attackers can leverage them to gain unauthorized access to victims&#8217; online accounts without having to know their passwords. Once\u00a0collected, these tokens are packaged and sold to other threat actors for financial gain. Cybercriminals who acquire them can follow up with their attacks of their\u00a0own.<\/p>\n<p>DBSC,\u00a0first announced by Google in April 2024, aims to counter this abuse by cryptographically tying the authentication session to a specific device. In\u00a0doing so, the idea is to render cookies worthless even if they get stolen by\u00a0malware.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhxT7sVyKGgXDSeg-GcHvKWbpHvrvgjS8DhwcRhvZgtRD1s2dlh-40Q09IIcm7a0OkglGBZ0LVTsuWchqlL81h-rsLnyuEZHrqgx0LLa-ML1GD1P9-bjH17I6qqVddpw7X5CClHgglbcqtOP59HdaUkwOfBqJqhM0xjwlkwizGrFoG_tUUlvClxGnOK-Bbw\/s1700-e365\/cookie.png\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhxT7sVyKGgXDSeg-GcHvKWbpHvrvgjS8DhwcRhvZgtRD1s2dlh-40Q09IIcm7a0OkglGBZ0LVTsuWchqlL81h-rsLnyuEZHrqgx0LLa-ML1GD1P9-bjH17I6qqVddpw7X5CClHgglbcqtOP59HdaUkwOfBqJqhM0xjwlkwizGrFoG_tUUlvClxGnOK-Bbw\/s1700-e365\/cookie.png\" alt=\"\" border=\"0\" data-original-height=\"828\" data-original-width=\"1364\"\/><\/a><\/div>\n<p>\u00abIt does this using hardware-backed security modules, such as the Trusted Platform Module (TPM) on Windows and the Secure Enclave on macOS, to generate a unique public\/private key pair that cannot be exported from the machine,\u00bb Google explained.<\/p>\n<p>\u00abThe issuance of new short-lived session cookies is contingent upon Chrome proving possession of the corresponding private key to the server. Because attackers cannot steal this key, any exfiltrated cookies quickly expire and become useless to those attackers.\u00bb<\/p>\n<p>In the event a user&#8217;s device does not support secure key storage, DBSC gracefully falls back to standard behavior without breaking the authentication flow,\u00a0Google <a href=\"https:\/\/developer.chrome.com\/docs\/web-platform\/device-bound-session-credentials\">said<\/a> in its developer documentation.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/fast-response-not-fast-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjgi9mu68zRUz1nCLLKmkAA2aBtNfP_JOTXulZoB6yImso1Onk7oM_LI0kdROu8fq5S5oDyMtd1j50W44Ye_8Sl3zQZiE8A9tmFr6kejGKjGh74uoxluF-RyBq_unDQlzjXZHCqQeuYXBoogda5zf0w-zXd6v0rIM7fEw6TcFf_QGWBu5Mop-djkEaOUa5A\/s728-e100\/tl-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>The tech giant said it has observed a significant reduction in session theft since its launch, an early indication of the success of the countermeasure. The\u00a0official launch is just the start, as the company plans to bring DBSC to a broader range of devices and introduce advanced capabilities to better integrate with enterprise environments.<\/p>\n<p>Google, which worked with Microsoft to design the\u00a0standard with an aim\u00a0to make it an open web standard, also emphasized that the DBSC architecture is private by design and that the distinct key approach ensures that websites cannot use the session credentials to correlate a user&#8217;s activity across different sessions or sites on the same\u00a0device.<\/p>\n<p>\u00abFurthermore, the protocol is designed to be lean: it does not leak device identifiers or attestation data to the server beyond the per-session public key required to certify proof of possession,\u00bb it added. \u00abThis minimal information exchange ensures DBSC helps secure sessions without enabling cross-site tracking or acting as a device fingerprinting mechanism.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Apr 10, 2026Malware \/ Browser Security Google has\u00a0made Device Bound Session Credentials\u00a0(DBSC) generally available to all Windows users of its Chrome web browser, months after\u00a0it began\u00a0testing the security feature&hellip;<\/p>\n","protected":false},"author":1,"featured_media":560,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1009,182,1160,2,1159,1161,526,307],"class_list":["post-559","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-block","tag-chrome","tag-dbsc","tag-google","tag-rolls","tag-session","tag-theft","tag-windows"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/559","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=559"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/559\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/560"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=559"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=559"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=559"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}