Google has introduced Device-Bound Session Credentials (DBSC) to block malware from stealing session cookies and bypassing two-factor authentication.
This update addresses a weakness that infostealers exploit to hijack active user sessions: a session cookie is a bearer token, valid wherever it is presented. By binding the session to a specific device, Google aims to stop attackers from replaying stolen cookies from different hardware to gain unauthorized account access.
The DBSC feature was initially launched in April 2024 [1]. While early deployment focused on Windows devices [2], the protection is now rolling out to all users across different platforms [3].
Infostealer malware typically targets session cookies, the small pieces of data that the browser stores and sends with every request to keep a user logged in after they have supplied their password and two-factor authentication code. If an attacker steals these cookies, they can impersonate the user without needing the original login credentials or the second-factor token, which is why cookie theft has become a standard way to sidestep 2FA.
Google's new system binds the session to a public/private key pair generated on the device, with the private key held in hardware such as a TPM where available [3]. The session cookie itself is kept short-lived; to renew it, the browser must sign a challenge from the server with that private key. If a cookie is copied to a different machine, the copy stops working as soon as it expires, because the attacker cannot produce the signature needed to refresh it, and the server denies access [3].
This shift moves the security burden from the user to the browser and the server. Previously, a user who suspected a compromise could only change their password or revoke active sessions after the fact, by which time the attacker might already have used the stolen cookie. With DBSC the stolen cookie is useless on any other device, because the key needed to keep the session alive never leaves the victim's machine [3].
Industry reports indicate that this rollout is part of a broader effort to neutralize the effectiveness of session hijacking. By making cookie theft pointless, Google reduces the risk of account takeovers even when a device is infected with malware [3].
The implementation of DBSC represents a shift toward hardware-backed security for web sessions. By neutralizing the portability of session cookies, Google removes the primary incentive for infostealer malware to exfiltrate these tokens, forcing attackers to find more complex ways to bypass two-factor authentication. Device binding does not stop malware that acts from the infected machine itself, where the bound key is available to it, so endpoint hygiene still matters; what it ends is the cheap offline theft, resale and replay of cookies on other hardware.