entry_summary>Google announces general availability of Chrome Device Bound Session Credentials (DBSC), a security feature that cryptographically binds session cookies to the device's hardware root of trust to prevent account takeover. The feature, rolled out to all Google Workspace, Workspace Individual and personal Google accounts, blocks attackers from using stolen session cookies even if malware is present. Google states DBSC shifts defense from reactive detection to proactive prevention, making stolen cookies unusable without the device‑specific private keys.</entry_summary>
| IOC Type | Value | Description | Relevant MITRE ATT&CK Techniques |
|---|---|---|---|
| Domain |
oauth2.googleapis.com
|
Undocumented OAuth MultiLogin API endpoint abused to generate new authentication cookies after session expiration. | T1078|T1552.001|T1071.001 |
| Code | Title |
|---|---|
| T1078 | Valid Accounts – use of stolen session cookies as legitimate credentials |
| T1552.001 | Unsecured Credentials – session cookies not protected by encryption |
| T1071.001 | Application Layer Protocol: Web Protocols - Web Protocol – session cookies transmitted via web protocols |
| Type | Value |
|---|---|
| Other | personal Google accounts |
| Sector | cloud services |
Google says the Chrome Device Bound Session Credentials (DBSC) security feature is now generally available and is rolling out to all users to prevent account takeovers. Available in beta since April , DBSC was first announced in 2024 as a way to cryptographically bind session cookies to a specific device, preventing hackers from using such stolen cookies to bypass multi-factor authentication (MFA) and hijack users' accounts. DBSC works by cryptographically linking user sessions to the hardware, such as their computer's security chip (e.g., the Trusted Platform Module (TPM) on Windows and the Secure Enclave on macOS). Since the unique public/private keys used to encrypt and decrypt sensitive data are generated by the security chip, they cannot be stolen, preventing attackers from using stolen session cookies. "DBSC fundamentally changes the web's capability to defend against this threat by shifting the paradigm from reactive detection to proactive prevention, ensuring that successfully exfiltrated cookies cannot be used to access users' accounts," Google said in April. "DBSC strengthens account security after users are logged in and helps bind a session cookie — small files used by websites to remember user information — to the device a user authenticated from. Even if malware was present on the user's device, DBSC reduces the risk of session theft and makes it meaningfully more difficult for malicious actors to exploit stolen session cookies," it added this week . How DBSC works (Google) The feature is now rolling out to all Google Workspace customers, Workspace Individual subscribers, and users with
The Lumma and Rhadamanthys information-stealing malware operations have also claimed that they could restore expired Google authentication cookies stolen in attacks to gain access to infected users' Google accounts. At the time, Google advised customers to remove malware from their devices and recommended enabling Chrome's Enhanced Safe Browsing security mode to defend against phishing and malware attacks. However, the new Chrome Device Bound Session Credentials (DBSC) security feature should effectively block malicious actors from abusing such stolen cookies, as they will not have access to the cryptographic keys required to use them. The Validation Gap: Automated Pentesting Answers One Question. You Need Six. Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold. This guide covers the 6 surfaces you actually need to validate. Download Now