NEWS Your Cookies Were Stolen? Congratulations to the Hacker on a Useless Prize

ExcalibuR

Chrome finally ties cookies to hardware.

Google is pushing the boundaries of browser security with the public beta launch of Device Bound Session Credentials (DBSC) — a feature designed to protect users from session cookie theft. Initially introduced as a prototype in April 2024, the system is now available in Chrome for Windows and binds authentication sessions to a specific device. This means that even if a hacker steals your cookies, they won’t work on any other machine.


According to the head of product management for Google Workspace, DBSC enhances post-login protection by blocking remote reuse of session cookies from unauthorized devices. This binding strengthens session integrity and extends account protection beyond the login step to the entire lifetime of the session.
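As an added illustration (not Chrome's implementation or any Google code), the model below shows why a copied cookie is useless off the original device: the server keeps only the public half of a per-device key and requires a signed, single-use challenge before it honours the cookie, so a thief holding the cookie but not the key fails. Go standard library only; the "cookie|challenge" message format and the function names are assumptions for this example, not DBSC's wire protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Simplified model of a device-bound session (not Chrome's actual DBSC wire format): each cookie is
// tied to the public half of a key that never leaves the device; the server demands a fresh signature.
type Server struct {
	keys    map[string]ed25519.PublicKey // cookie -> device public key
	pending map[string]bool              // outstanding "cookie|challenge" pairs, single use
}

func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string]bool{}} }
func randHex() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return hex.EncodeToString(b)
}
// Register runs at login: the device sends only its public key and receives a cookie bound to it.
func (s *Server) Register(pub ed25519.PublicKey) string {
	cookie := randHex()
	s.keys[cookie] = pub
	return cookie
}
// Challenge issues a nonce the device must sign to keep using the session.
func (s *Server) Challenge(cookie string) (string, error) {
	if _, ok := s.keys[cookie]; !ok { return "", errors.New("unknown session") }
	c := randHex()
	s.pending[cookie+"|"+c] = true
	return c, nil
}
// Verify honours the cookie only with a valid, unused proof of possession: a cookie copied to
// another machine has no key to sign with, and a captured signature cannot be replayed.
func (s *Server) Verify(cookie, challenge string, sig []byte) error {
	msg := cookie + "|" + challenge
	if !s.pending[msg] { return errors.New("unknown session or stale challenge") }
	delete(s.pending, msg)
	if !ed25519.Verify(s.keys[cookie], []byte(msg), sig) {
		return errors.New("signature not produced by the device-bound key")
	}
	return nil
}
// Sign runs on the device; in a real deployment the private key would sit in the TPM.
func Sign(priv ed25519.PrivateKey, cookie, challenge string) []byte {
	return ed25519.Sign(priv, []byte(cookie+"|"+challenge))
}
```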


Alongside DBSC, Google announced expanded support for passkeys, now available to over 11 million Google Workspace enterprise clients. New administrative tools have also been introduced, allowing organizations to manage passkey registration and restrict usage to hardware tokens only.


In parallel, Google is testing a new security signaling mechanism: the Shared Signals Framework (SSF). Based on the OpenID standard, SSF allows different services to share threat signals in real-time. With this architecture, one service (the "sender") can alert another (the "receiver") about suspicious behavior, enabling rapid threat response and synchronized defense mechanisms.


Google’s Project Zero team, known for discovering zero-day vulnerabilities, has also launched a Reporting Transparency pilot initiative. Its goal is to shorten the time between a fix being created and its delivery to end users. Often, delays arise not from users themselves but from vendors integrating external components — who may lag behind in applying fixes. Under this new disclosure process, information about a vulnerability will be made public within a week of reporting it to the vendor.


Future reports will include:

  • the vendor or project name
  • the product affected
  • the report submission date
  • and the 90-day disclosure deadline

The pilot already includes:

  • two Windows vulnerabilities
  • a flaw in the Dolby Unified Decoder
  • and three bugs in the Google BigWave project.

Google also intends to apply this approach to Project Big Sleep, an experimental AI tool developed with DeepMind. Its purpose is to automate vulnerability discovery and accelerate threat analysis. The company emphasizes that no technical details, proof-of-concept code, or exploitable materials will be released before the disclosure window expires.


Altogether, these initiatives reflect Google’s broader cybersecurity strategy: a shift toward proactive, coordinated, and technologically advanced defense models, focused on minimizing incident response time and increasing transparency across the software ecosystem.