Serious Discussion Google Locks Chrome Sessions to Devices to Stop Cookie Theft

Google has rolled out Device Bound Session Credentials (DBSC) protection in Chrome 146 for Windows, designed to block info-stealing malware from harvesting session cookies.

 
According to Anavem,
Major cloud providers including Google Cloud, Microsoft Azure, and Amazon Web Services are expected to integrate DBSC support into their authentication services throughout 2026.
The technical/implementation explainer on Corbado says this:
Microsoft Edge & Windows
  • Status: Edge ran a DBSC Origin Trial on Windows that ended October 2025. No replacement trial or GA has been announced.
  • Enterprise Context: Edge utilizes the "Primary Refresh Token" (PRT) architecture for Entra/Azure AD SSO, which is conceptually similar to DBSC. PRT remains a Microsoft-specific mechanism; there is no announced plan to unify it with the DBSC web standard for third-party sites.
Mozilla Firefox

Mozilla has a standards-position issue evaluating DBSC with noted concerns about complexity and privacy. There is no public commitment to implement once the standard stabilizes.
With this and device-bound passkeys, it would become much harder to steal accounts. Infostealers have recently shifted to stealing session tokens; if this is widely adopted (unlikely in the short term), attackers may refocus on stealing passwords plus 2FA again.
 
Is it going to be implemented for Edge and Brave, or is it just Chrome?
 

I just checked. All the flags are available in Brave whereas Edge only has the below flag

[Attached image: 1780063977364.png]
 
Hi to all.
The article specifies that the feature will be rolled out gradually.
This applies to all Google Workspace customers, Workspace Individual subscribers, and users with personal Google accounts.

Therefore, it is not necessarily the case that those who do not enable the flags (there are three that provide the highest level of protection) are already protected by default. ;)
 
It seems to me that I’ll get the protection fastest if I am on Chrome and use Google’s products. For browsers with experimental flags, I could get “experimental” protection for sites that support DBSC (mainly Google), but will that support last? For browsers on the fence (Firefox, as usual), I just fiddle my thumbs and daydream😴💤.

ps: Microsoft may be working on the extension to DBSC for Enterprise (DBSCE), so there is hope for Edge yet.
 