Google has made Device Bound Session Credentials (DBSC) generally available to Windows users on Chrome 146, with macOS expansion planned in a future release. DBSC uses hardware-backed keys (TPM on Windows and Secure Enclave on macOS) to bind short-lived session cookies to a device, preventing stolen cookies—harvested by stealers like Atomic, Lumma, and Vidar Stealer—from being reused. #DBSC #VidarStealer
Keypoints
- DBSC is now generally available to Windows users on Chrome 146, with macOS support coming soon.
- The feature binds session cookies to device-specific hardware-backed keys (TPM/Secure Enclave) to stop cookie reuse.
- Session theft—often carried out by stealer families such as Atomic, Lumma, and Vidar Stealer—is the threat DBSC targets.
- If secure key storage is unavailable on a device, DBSC falls back to standard cookie behavior to avoid breaking authentication.
- Google reports a significant reduction in session theft during testing and plans broader rollout and enterprise integration.
Read More: https://thehackernews.com/2026/04/google-rolls-out-dbsc-in-chrome-146-to.html