UMVA has learned that Google is unleashing a powerful new shield inside Chrome, designed to make stolen session cookies a thing of the past.
Even the most disciplined users—those who juggle unique passwords and two‑factor authentication—face a hidden danger: the invisible wristband that websites hand out, known as a session cookie. Once a hacker snatches that wristband, they can slip into your accounts without ever touching your password or 2FA code.
According to information obtained by UMVA, the breakthrough called Device Bound Session Credentials (DBSC) locks those wristbands deep inside the hardware security modules built into every modern PC and Mac. By storing session cookies in the Trusted Platform Module or Secure Enclave, only the chip itself holds the keys to unlock them.
This means that even if malware infiltrates your operating system, the malicious code hits a solid brick wall when it tries to pry open the encrypted vault where your login tokens hide. The hacker’s usual shortcut—stealing the cookie and impersonating you—now leads to a dead end.
Google has been quietly refining DBSC since early this year, testing it behind the scenes before rolling it out to virtually every Chrome user, from enterprise workspaces to personal accounts. The feature activates automatically in Chrome versions 146 and up on Windows, and 148 and up on macOS.
To make sure you’re protected, simply update Chrome to the latest release. Open the browser’s menu, select Help → About Google Chrome, and let the program fetch the newest version before relaunching.
With DBSC in place, the uphill battle that attackers face when targeting your online sessions grows dramatically steeper, turning a once‑fragile convenience into a fortified line of defense.