Chrome now protects you from hackers who steal browser cookies - how it works

Lance Whitney/ZDNET

Follow ZDNET: Add america arsenic a preferred source connected Google.

ZDNET's cardinal takeaways

• Hackers tin bargain your browser cookies to impersonate you.
• A information diagnostic successful Chrome aims to forestall specified attacks.
• The diagnostic ties your cookies to your device's ain information chip.

Browser cookies store your login sessions and website preferences truthful that you tin usage your favourite sites much easy and seamlessly. But cookies tin besides beryllium turned against you by savvy hackers who hijack them and usage them to impersonate you connected their ain devices. A caller information diagnostic present rolling retired successful Chrome aims to forestall this benignant of threat.

Also: Half of each cyberattacks commencement successful your browser: 10 indispensable tips for staying safe

As described successful a caller blog station from Google, the anti-theft diagnostic Device Bound Session Credentials (DBSC) is present disposable successful Chrome for Windows. Enabled by default for each Google Workspace and idiosyncratic Google accounts, this 1 is geared for some user and endeavor Chrome users.

How does this work?

How this information diagnostic works connected your PC and Mac

In a emblematic cookie-hijacking attack, a hacker uses definite malware to remotely bargain your browser cookies. By extracting the passwords and different delicate information from those cookies, they tin motion successful to your associated accounts connected their ain devices. And they tin bash this without having to grapple with immoderate multi-factor authentication codes that would different effort to verify your identity.

With DBSC activated, your browser sessions and cookies are tied to your computer's built-in information chip. On astir Windows PCs, this is the Trusted Platform Module (TPM). On a Mac, this is the Secure Enclave. Even if a hacker steals your browser cookies, they can't usage them connected their ain devices since those cookies are inactive linked to your ain machine and can't beryllium applied elsewhere.

"DBSC strengthens relationship information aft users are logged successful and helps hindrance a league cooky -- tiny files utilized by websites to retrieve idiosyncratic accusation -- to the instrumentality a idiosyncratic authenticated from," Google explained successful its blog post. "Even if malware was contiguous connected the user's device, DBSC reduces the hazard of league theft and makes it meaningfully much hard for malicious actors to exploit stolen league cookies."

Also: The champion unafraid browsers for privacy: Expert tested

Google first began processing DBSC successful 2024 to support Chrome users from cookie-hijacking attacks astatine location and successful the workplace. In 2025, the institution rolled retired DBSC arsenic an unfastened beta for Google Workspace customers. Previously, IT admins had to activate this extortion for Chrome users astatine their organizations. But now, the diagnostic is automatically enabled, not conscionable for endeavor customers but for those with idiosyncratic Google accounts.

Since the diagnostic is automatically turned on, there's nary power oregon mounting you request to control. Just marque definite you're moving Chrome mentation 146 oregon aboriginal successful Windows and mentation 148 oregon aboriginal connected a Mac. To update the browser successful either OS, click the three-dot icon astatine the precocious right, determination to Help, and prime About Google Chrome. The latest mentation volition beryllium downloaded automatically. Just restart the browser for it to instrumentality effect.