Chrome Bolsters Security with DBSC Against Cookie Theft

Are you worried about malware stealing your credentials and gaining access to your online accounts? Google Chrome has just implemented an invisible defense that protects your sessions from cookie theft, a growing threat across the internet. This new feature, known as DBSC, is now rolling out for all personal and Google Workspace accounts, according to a Google Workspace blog post, starting May 29, 2026.

This implementation addresses a frequent problem online: attackers use malware to extract login cookies saved on your hard drive. By cloning these files onto another computer, hackers can access your profiles without needing to know your password or bypass two-step verification. It's a stealthy and highly effective technique for circumventing traditional security barriers.

Chrome uses a technology called Device Bound Session Credentials (DBSC), which associates the login with your computer's physical components.

DBSC technology neutralizes this method by changing how the browser manages your identity. Chrome directly associates the login with your computer's physical components. This means that access data no longer functions as passes that anyone can copy and use from another location; instead, they are intrinsically linked to your specific device.

A major advantage of this system is its complete transparency. It requires no manual configuration from the user. The process runs entirely automatically in the background every time you log into a compatible service from an updated version of the browser. Integrated directly into Chrome, this defense remains active continuously without you noticing any impact on performance while visiting your usual websites.

According to the GitHub repository, DBSC shifts security responsibility to hardware through the use of advanced cryptography. When you log into a platform, the browser generates a unique key pair. The private key is securely stored within your computer's security chip. These components are specifically designed to prevent data export, ensuring the private key always remains safe on your device.

From that moment on, the website's server implements a constant verification mechanism. When a session cookie expires, the browser must prove it still possesses the original private key to receive an automatic renewal of access data. If an attacker manages to steal your temporary session files via a Trojan, the server will demand a cryptographic proof that only your physical chip can sign.

Google states that this strategy significantly changes the cybersecurity landscape. It forces attackers to operate strictly within the infected machine. While an active virus could perform actions while controlling the system, it will lose all access capabilities the moment it is removed from the computer. This drastically reduces the risk of persistent and remote access.

DBSC protection will be rolled out starting May 29, 2026, for all Chrome users with a personal or work account. The deployment will be gradual and activated by default, removing any barriers to adoption. Google emphasized that limiting the validity of stolen data to a very brief period will help curb the credential selling ecosystem, a lucrative market for cybercriminals.