Google has officially launched the open beta of Device Bound Session Credentials (DBSC) for Chrome on Windows. This feature is designed to prevent session hijacking by tying session cookies to a specific device. DBSC was first announced as a prototype in early 2024, and after months of development and testing, it is now available for wider use.

Normally, cookies are small pieces of data stored by the browser that keep you signed in to your accounts, but they can be stolen by malware. Once stolen, attackers can reuse them on another machine to access your account without needing your password. DBSC solves this problem by making sure those cookies only work on the original device. Even if an attacker manages to steal them, they would be useless on any other device.
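The device binding described above can be modelled on the server side as a proof-of-possession check. The following is an added example, not Google's code and not the actual DBSC wire protocol: `newDevice`, `SessionServer` and `demo` are hypothetical names, and the key pair, cookie and challenges are constructed in memory for the demonstration.

```javascript
// Simplified model of a device-bound session (added example, assumptions as noted).
const crypto = require('node:crypto');

// Device side: the private key never leaves the device; only the public key
// is registered with the server when the session starts.
function newDevice() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey,
    sign: (challenge) => crypto.sign('sha256', Buffer.from(challenge), privateKey),
  };
}

// Server side (hypothetical): each cookie value maps to the public key bound to it.
class SessionServer {
  constructor() { this.sessions = new Map(); }

  register(publicKey) {
    const cookie = crypto.randomBytes(16).toString('hex');
    this.sessions.set(cookie, { publicKey, challenge: null });
    return cookie;
  }

  // Issued whenever the short-lived cookie is due for renewal.
  issueChallenge(cookie) {
    const s = this.sessions.get(cookie);
    if (!s) return null;
    s.challenge = crypto.randomBytes(32).toString('hex');
    return s.challenge;
  }

  // Renewal succeeds only with a signature from the key bound at registration.
  refresh(cookie, signature) {
    const s = this.sessions.get(cookie);
    if (!s || !s.challenge) return false;
    const challenge = s.challenge;
    s.challenge = null; // single use, so a captured signature cannot be replayed
    return crypto.verify('sha256', Buffer.from(challenge), s.publicKey, signature);
  }
}

// Constructed scenario: the same cookie value presented from two devices.
function demo() {
  const server = new SessionServer();
  const original = newDevice();
  const other = newDevice(); // holds a copy of the cookie but not the bound key
  const cookie = server.register(original.publicKey);
  const legit = server.refresh(cookie, original.sign(server.issueChallenge(cookie)));
  const copied = server.refresh(cookie, other.sign(server.issueChallenge(cookie)));
  return { legit, copied };
}
```

Because the cookie alone no longer renews the session, a server built this way can also treat a failed renewal for a known cookie as a signal worth logging.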

Google says that DBSC works silently in the background without affecting the user’s experience. The idea is to provide strong protection without disrupting how users interact with Chrome. This move is especially important for businesses and high-value targets, where cookie theft has been a serious concern for years. With DBSC, Google is aiming to stop one of the most common post-login attack methods.

In addition to DBSC, Google is also making big improvements in how it handles vulnerabilities through its internal team, Project Zero. The new policy introduced by Project Zero focuses on transparency in vulnerability reporting. One major change is that the team will now publicly share when and to whom a vulnerability was reported, what product it affects, and when the 90-day disclosure deadline ends. This will be done within one week of reporting the issue.

The change is aimed at solving what Google calls the “upstream patch gap.” This refers to the time between when a vulnerability is fixed by the original developer and when the update actually reaches the end users. Sometimes, fixes sit idle for weeks or months before they are pushed out in updates. Project Zero wants to close this gap by alerting downstream vendors and partners earlier in the process.

While more information will be shared sooner, Google will still withhold technical details until the 90-day deadline passes. That means no proof-of-concept code or detailed descriptions will be published right away. The goal is to give security teams enough time to prepare while keeping attackers in the dark until users are protected.

Along with DBSC, Google also announced that passkey support is now live for over 11 million Google Workspace users. This allows people to log in using biometrics or hardware keys instead of passwords. Admins now have more control over how passkeys are used in their organizations, including options to limit passkey registration to only physical security keys.

Google is also experimenting with something called the Shared Signals Framework (SSF), currently in closed beta. This will let trusted partners share real-time security data, like device or session information, using an open standard. It is designed to help companies detect and respond to threats faster across platforms.

Both DBSC and Project Zero’s new policy show Google’s serious approach to modern cybersecurity. By locking session cookies to devices and making vulnerability timelines more transparent, the company is tackling both prevention and response at the same time. These efforts aim to strengthen trust with users and reduce the success rate of advanced attacks.

These updates reflect a growing trend where big tech companies are focusing more on proactive security. With rising threats and more sophisticated attackers, features like DBSC and early disclosure policies could soon become industry standards. Google’s latest steps show that the future of cybersecurity lies in both smarter protections and more open communication.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news