Chrome stops hackers from stealing your browser cookies now - how its new security feature works

· Source: News and Advice on the World's Latest Innovations | ZDNET · Field: Technology & Digital — Cybersecurity & Data Privacy · Depth: Novice, quick

Summary

Google Chrome has rolled out a new security feature called Device Bound Session Credentials (DBSC) to combat cookie hijacking attacks. This feature, now generally available in Chrome for Windows and enabled by default for all Google Workspace and personal Google accounts, prevents hackers from using stolen browser cookies to impersonate users. DBSC works by cryptographically binding browser sessions and cookies to the user's device-specific security chip, such as the Trusted Platform Module (TPM) on Windows PCs or the Secure Enclave on Macs. Even if malware steals cookies, they are unusable on a different device, which significantly reduces the risk of session theft and of account access that bypasses multi-factor authentication. Users need Chrome version 146 or later on Windows or 148 or later on Mac for this automatic protection.

Key takeaway

For any user concerned about account security and the risk of session hijacking, Chrome's new Device Bound Session Credentials (DBSC) feature significantly enhances protection. You should ensure your Chrome browser is updated to version 146 or later on Windows, or 148 or later on Mac. This automatically enabled, hardware-backed security measure ties your login sessions to your specific device, making stolen cookies useless to attackers and bolstering your defense against unauthorized account takeovers.

Key insights

Device Bound Session Credentials (DBSC) cryptographically ties browser cookies to a device's security chip, preventing their use if stolen.

Method

DBSC binds session cookies to the device's security chip (TPM/Secure Enclave) during authentication, rendering them unusable when presented from another machine.
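The binding idea above, as an added example that is not from the article or from Chrome: a simplified model, not the DBSC wire protocol. A software P-256 key stands in for the security chip, and `makeDevice`, `makeServer` and `demo` are hypothetical names.

```javascript
// Simplified model of a device-bound session (assumption: not the real DBSC protocol).
const crypto = require("crypto");

// Stand-in for a TPM / Secure Enclave: the private key never leaves this closure.
function makeDevice() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    publicKey: publicKey.export({ type: "spki", format: "pem" }),
    sign: (challenge) => crypto.sign("sha256", Buffer.from(challenge), privateKey),
  };
}

// Hypothetical server: records which public key each session cookie is bound to.
function makeServer() {
  const sessions = new Map(); // cookie -> { publicKey, challenge }
  return {
    login(publicKey) {
      const cookie = crypto.randomBytes(16).toString("hex");
      sessions.set(cookie, { publicKey, challenge: null });
      return cookie;
    },
    challenge(cookie) {
      const s = sessions.get(cookie);
      if (!s) return null;
      s.challenge = crypto.randomBytes(32).toString("hex");
      return s.challenge;
    },
    verify(cookie, signature) {
      const s = sessions.get(cookie);
      if (!s || !s.challenge) return false;
      const fresh = s.challenge;
      s.challenge = null; // single use, so a captured signature cannot be replayed
      return crypto.verify("sha256", Buffer.from(fresh), s.publicKey, signature);
    },
  };
}

// Constructed scenario: the same cookie presented by the bound device and by another one.
function demo() {
  const server = makeServer();
  const userDevice = makeDevice();
  const otherDevice = makeDevice(); // holds a copy of the cookie, but not the key
  const cookie = server.login(userDevice.publicKey);
  const onBound = server.verify(cookie, userDevice.sign(server.challenge(cookie)));
  const onOther = server.verify(cookie, otherDevice.sign(server.challenge(cookie)));
  const sig = userDevice.sign(server.challenge(cookie));
  server.verify(cookie, sig); // consumes the challenge
  const replayed = server.verify(cookie, sig);
  return { onBound, onOther, replayed };
}
```

The cookie value is identical in every call; only possession of the private key decides whether the server accepts the session.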

Best for: CTO, VP of Engineering/Data, Executive, Security Engineer, IT Professional, General Interest

Editorial summary, takeaway, and curation by AIssential. Original article published by News and Advice on the World's Latest Innovations | ZDNET.