Google Chrome Rolls Out Device-Bound Session Credentials to Combat Cookie-Stealing Malware
Google has launched a new security feature in Chrome 146 for Windows that cryptographically binds login cookies to a device's hardware, making stolen session tokens useless to remote attackers. The feature, called Device Bound Session Credentials (DBSC), directly addresses the type of attack that compromised Linus Tech Tips and numerous other high-profile accounts.
The Problem: Session Token Theft
Cookie-stealing malware has seen an "exponential rise" over the past two years, according to Google. Attackers trick victims into downloading malicious files — often disguised as brand sponsorship offers or software updates — that exfiltrate session cookies to remote servers. These stolen cookies allow attackers to bypass two-factor authentication entirely, since the theft occurs after the user has already authenticated.
How DBSC Works
- Binds Workspace session cookies to a private key generated and held by the device's hardware (the TPM on Windows); the key is not exportable, so it never leaves the machine
- Session cookies are short-lived, and the browser must prove possession of that key before the server issues a fresh one, so a cookie copied off the device stops working once it expires and cannot be renewed anywhere else
- Currently rolling out in beta for Chrome 146 on Windows
- macOS support coming soon
Real-World Impact
- Linus Tech Tips (2023): Channel hijacked after employee downloaded fake sponsorship PDF containing cookie-stealing malware
- Chrome extensions (2024): Multiple extensions hijacked to inject token-stealing code
- YouTube creators (2026): YouTube issued fresh warnings about similar phishing schemes targeting creators with phony brand deals
Industry Adoption
Okta has expressed interest in the concept, and Microsoft Edge is also exploring similar approaches. Google recommends that Workspace administrators also enable passkeys, which are now available to more than 11 million customers.
This represents a fundamental shift in session security, moving from software-only protections to hardware-bound authentication in which the secret that sustains a session never leaves the device. The protection is specifically against exfiltration: a cookie copied to another machine cannot be renewed there. It does not stop malware that stays on the infected device and drives the victim's own browser, so endpoint hygiene and phishing awareness still matter.