Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows
Google Strengthens Chrome Security: DBSC Now Generally Available to Combat Session Theft on Windows
TL;DR
Google has officially released Device Bound Session Credentials (DBSC) for Chrome 146 on Windows. This security feature cryptographically ties session cookies to specific hardware, rendering stolen cookies useless to attackers and effectively neutralizing a primary vector for account takeovers.
The End of Cookie Theft?
In a major move to bolster web security, Google has announced the general availability of Device Bound Session Credentials (DBSC) for all Windows users running Chrome 146. This release follows months of open beta testing and represents a critical milestone in the fight against session hijacking.
"This project represents a significant step forward in our ongoing efforts to combat session theft, which remains a prevalent threat in the modern security landscape," stated Google's Chrome and Account Security teams.
Understanding the Threat: How Session Theft Works
Traditional session cookies are often the "keys to the kingdom." When a user logs into a website, a cookie is stored in the browser to maintain the session. However, if a user inadvertently downloads "infostealer" malware—such as Atomic, Lumma, or Vidar Stealer—attackers can exfiltrate these cookies to their own servers.
Because many session cookies have long lifespans, attackers can use them to bypass passwords and Multi-Factor Authentication (MFA) entirely. These stolen tokens are often packaged and sold on the dark web, allowing other cybercriminals to launch follow-up attacks.
How DBSC Neutralizes Malware
DBSC changes the fundamental way sessions are authenticated by cryptographically "binding" the session to the physical device.
DBSC relies on hardware-backed key storage:
- Windows: Uses the Trusted Platform Module (TPM).
- macOS: Will use the Secure Enclave (planned for a future release).
The Mechanism:
- Chrome generates a unique public/private key pair that is stored securely on the hardware and cannot be exported.
- The server issues short-lived session cookies.
- To receive a new cookie, Chrome must prove it possesses the private key.
- If an attacker steals a cookie, they cannot provide the hardware-locked private key, causing the stolen session to expire almost immediately.
If a device does not support secure key storage, Google notes that DBSC will "gracefully fall back" to standard behavior to ensure the user's login process isn't interrupted.
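As an added illustration (not code from Google, Chrome or the article), the refresh step described above modelled in Go: the server keeps the public key registered at login and renews a session only when the client signs a single-use challenge with the matching private key, so a copied cookie on its own gets nothing. A software Ed25519 key stands in for the TPM-held key, and the real protocol's headers, endpoints and message formats are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

type Server struct {
	keys    map[string]ed25519.PublicKey // session id -> key registered at login
	pending map[string][]byte            // session id -> single-use refresh challenge
}

func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}} }
func nonce(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
// Register binds a fresh session id (the short-lived cookie value) to the client's public key.
func (s *Server) Register(pub ed25519.PublicKey) string {
	sid := hex.EncodeToString(nonce(8))
	s.keys[sid] = pub
	return sid
}
// Challenge returns a nonce the client must sign before the server will renew the session.
func (s *Server) Challenge(sid string) []byte {
	s.pending[sid] = nonce(32)
	return s.pending[sid]
}
// Refresh renews the session only if sig verifies over (sid || challenge) under the bound key;
// a copied cookie without the key fails here, and the challenge is consumed to block replay.
func (s *Server) Refresh(sid string, sig []byte) bool {
	pub, ok := s.keys[sid]
	chal, has := s.pending[sid]
	if !ok || !has {
		return false
	}
	delete(s.pending, sid)
	return ed25519.Verify(pub, append([]byte(sid), chal...), sig)
}
// Prove is the client side: sign (sid || challenge) with the device-bound key (a software Ed25519 key stands in for the TPM one).
func Prove(priv ed25519.PrivateKey, sid string, chal []byte) []byte {
	return ed25519.Sign(priv, append([]byte(sid), chal...))
}

func main() {
	s := NewServer()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sid := s.Register(pub)
	fmt.Println("legitimate refresh:", s.Refresh(sid, Prove(priv, sid, s.Challenge(sid))))
	fmt.Println("stolen cookie, no key:", s.Refresh(sid, []byte("not-a-signature")))
}
```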
Privacy by Design
A common concern with device-level tracking is user privacy. Google emphasized that DBSC was designed with Microsoft to be an open web standard that prioritizes anonymity:
- No Cross-Site Tracking: Each session uses a distinct key, preventing websites from correlating user activity across different sites.
- Minimal Data Leakage: The protocol does not share device identifiers or attestation data beyond the public key.
- Anti-Fingerprinting: The architecture ensures DBSC cannot be used as a mechanism for device fingerprinting.
What’s Next?
While currently limited to Windows users on Chrome 146, Google has confirmed that macOS support will follow in an upcoming release. The company has already reported a "significant reduction" in session theft during the early phases of the rollout.
Looking ahead, Google plans to expand DBSC to more devices and introduce advanced features specifically designed for enterprise environments to enhance corporate security postures.
Source: The Hacker News - Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows