Browser cookies store your sessions and preferences for the pages you visit, so you can use them more easily and seamlessly. However, cookies can also be used against you by hackers who obtain them and use them to impersonate you on their own devices. 
A new security feature rolling out to Chrome aims to prevent this type of attack.
As described in a new post on Google's blog, the Device Bound Session Credentials (DBSC) theft protection feature is available in Chrome for Windows. It is enabled by default for all Google Workspace accounts as well as personal Google accounts, as this feature is intended for both consumers and businesses.
How does it work;
In a typical cookie-stealing attack, a hacker uses specific malware to remotely steal your browser cookies. By extracting passwords and other sensitive data from those cookies, they can log in to your accounts from their own devices. And they can do it without having to use multi-factor authentication codes.
With DBSC enabled, your browser sessions and cookies are tied to your computer's built-in security chip. On most Windows computers, this is the Trusted Platform Module (TPM). On Mac systems, it's the Secure Enclave. Even if a hacker steals your browser cookies, they won't be able to use them on their own devices, as those cookies are still tied to your own computer and can't be applied elsewhere.
“DBSC strengthens account security after users sign in and helps bind a session cookie — small files used by websites to remember user information — to the device from which a user authenticated,” Google said in its post. “Even if malware is present on the user’s device, DBSC reduces the risk of session theft and makes it significantly more difficult for malicious users to exploit stolen session cookies.”
Google first began developing DBSC in 2024 to protect Chrome users from cookie-spoofing attacks. In 2025, the company released DBSC as an open beta for Google Workspace customers. Previously, IT administrators had to enable this protection for Chrome users in their organizations. But now the feature is automatically enabled, not only for enterprise customers but also for those with personal Google accounts.
Since the feature is enabled automatically, you don't have to do anything. Just make sure you're running Chrome 146 or later on Windows and version 148 or newer on Mac.
Although the press releases will range from very select to rare, I said I'd pass...because sometimes the editors hide.
