Google Chrome Adding Protection Against Cookie-Stealing Malware
Google announced on their security blog that Device Bound Session Credentials (DBSC), a protection against session theft, are shipping for Windows users on Chrome 146.
When you log in to an account on your browser, a session cookie is stored that authenticates you with that service until you log out or the cookie expires.
Since cookies are just data stored locally on your machine, malware running locally can extract them and allow an attacker to get into your accounts without ever needing your password.
Entire strains of infostealer malware exist to do just that. For example, the LummaC2 family of malware was used to infiltrate and harvest data including these session cookies from organizations from 2023 to 2025.
Google says there’s “no reliable way to prevent cookie exfiltration using software alone on any operating system.” Until now, the only way to combat this attack was to detect it with heuristics, and anyone who has been hit with a fraud alert while trying to buy something with their credit card knows how flawed those can be.
DBSC works using the Trusted Platform Module (TPM) on Windows and the Secure Enclave on macOS, hardware-backed cryptographic modules designed so that keys cannot be extracted from the machine.
Even an attacker who fully compromises your operating system should, in theory, be unable to extract these hardware-bound keys.
Short-lived session cookies are issued only after the browser proves to the server that it possesses the correct private key. Google says these cookies expire quickly, so a stolen copy soon becomes useless to an attacker.
Google says they noticed a significant reduction in session theft since they rolled out an early version of the feature over the last year.
With keys being tied to hardware, you might be concerned that sites you log in to could link your sessions together. Fortunately, the feature was designed with privacy in mind:
Each session is backed by a distinct key, preventing websites from using these credentials to correlate a user's activity across different sessions or sites on the same device. Furthermore, the protocol is designed to be lean: it does not leak device identifiers or attestation data to the server beyond the per-session public key required to certify proof of possession. This minimal information exchange ensures DBSC helps secure sessions without enabling cross-site tracking or acting as a device fingerprinting mechanism.
DBSC is designed to be an open web standard via the W3C, which means if it gets finalized, we can start to see it in browsers other than Chrome.