Google says Chrome Device Bound Session Credentials (DBSC) is now generally available and rolling out to protect Google accounts from takeover by binding session cookies to a specific device. The feature makes stolen cookies far less useful to attackers, including groups behind Lumma and Rhadamanthys, because the required cryptographic keys stay tied to the device’s security hardware.
Key points
- DBSC is now generally available and rolling out to all users.
- It cryptographically binds session cookies to a specific device.
- The feature relies on hardware such as TPM and Secure Enclave.
- Stolen cookies cannot be used without the device’s cryptographic keys.
- DBSC is enabled by default for Google Workspace customers and cannot be disabled by administrators.
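
Why a stolen cookie is of little use without the device key, as an added example (not Google's or Chrome's code, and not the DBSC wire format). It assumes a simplified challenge-response cookie renewal; all function names are hypothetical, and a software P-256 key stands in for a key held in a TPM or Secure Enclave.

```javascript
// Added example: simplified model of a device-bound session, NOT Chrome's DBSC wire format.
// All function names are hypothetical; a software P-256 key stands in for a TPM-held key.
const crypto = require('node:crypto');

const sessions = new Map(); // sessionId -> { publicKey, challenge }

// Registration: the server records the device's public key against the session.
function registerSession(publicKey) {
  const id = crypto.randomBytes(16).toString('hex');
  sessions.set(id, { publicKey, challenge: null });
  return id;
}

// The server hands out a fresh, single-use challenge before each cookie renewal.
function issueChallenge(sessionId) {
  const s = sessions.get(sessionId);
  if (!s) return null;
  s.challenge = crypto.randomBytes(32);
  return s.challenge;
}

// Device side: only the holder of the private key can produce this signature.
function deviceSign(privateKey, challenge) {
  return crypto.sign('sha256', challenge, privateKey);
}

// Renewal succeeds only if the signature over the pending challenge verifies.
function renewCookie(sessionId, signature) {
  const s = sessions.get(sessionId);
  if (!s || !s.challenge) return null;
  const challenge = s.challenge;
  s.challenge = null; // consume it so a captured signature cannot be replayed
  const ok = crypto.verify('sha256', challenge, s.publicKey, signature);
  return ok ? crypto.randomBytes(16).toString('hex') : null;
}

function demo() {
  const opts = { namedCurve: 'prime256v1' };
  const device = crypto.generateKeyPairSync('ec', opts);
  const other = crypto.generateKeyPairSync('ec', opts); // a machine without the device key
  const sid = registerSession(device.publicKey);
  const oldSig = deviceSign(device.privateKey, issueChallenge(sid));
  const legit = renewCookie(sid, oldSig) !== null;
  // Knowing the session id (the stolen cookie) is not enough: wrong key, no renewal.
  const wrongKey = renewCookie(sid, deviceSign(other.privateKey, issueChallenge(sid))) !== null;
  issueChallenge(sid);
  const replay = renewCookie(sid, oldSig) !== null; // old signature, new challenge
  return { legit, wrongKey, replay };
}
```

In this model the session identifier alone never renews the cookie; the server only extends the session for a signature made by the registered key over its current challenge.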