Skip to main content
CybersecurityHacking

Google Deploys DBSC in Chrome to Thwart Windows Session Hijacking

Person sits in dimly lit room with multiple screens displaying ghostly windows, one laptop screen showing secure login…

When a major browser maker flips a security switch for millions of users, the question is simple and urgent: who benefits, and who still remains exposed? Google has announced that Device Bound Session Credentials (DBSC) are now generally available to Windows users of the Chrome browser — a move the company first tested in an open beta months ago.

What Google changed and where it applies

Google has made Device Bound Session Credentials (DBSC) generally available to all Windows users of its Chrome web browser. The public availability is currently limited to Windows users running Chrome 146. According to the company, expansion to macOS is planned in an upcoming Chrome release.

What DBSC is presented to do

The rollout centers on DBSC, which the announcement presents as a security feature intended to address session theft on Windows. The company first exposed the feature to the public in an open beta months before this wider release, and has now moved it to general availability for the specified Windows channel.

Why the rollout matters — perspectives to consider

  • For users: Making DBSC generally available on Windows means that Chrome installations on that platform using version 146 will receive a new security capability intended to mitigate session-theft risks. Users running an earlier or different release will not yet have the feature.

  • For technologists: The staged approach — open beta followed by limited-platform general availability — reflects a typical path for browser security features that need real-world testing before broader deployment. The announcement signals the company’s intent to extend the control to additional platforms, with macOS explicitly named for an upcoming release.

  • For policymakers and defenders: The availability of an additional browser-level credential control on a major platform is relevant to broader conversations about reducing account compromise vectors, particularly on Windows desktops. The change may be considered when assessing platform risk posture or when advising organizations on endpoint protections tied to browser authentication.

  • For adversaries: Any new defensive measure that narrows session-theft opportunities on a widely used browser may change the calculus for attackers who rely on session-based access. The announced limitation to Chrome 146 on Windows means adversaries and defenders alike have a clear, short-term boundary for where DBSC is active.

What to watch next

The immediate scope of the change is clear: Chrome 146 on Windows. The company plans to broaden availability to macOS in a future release, creating a near-term phasing that administrators, security teams, and individual users will want to track. Observers will likely watch for rollout notes, telemetry on adoption, and any follow-up detail from the company about how DBSC integrates into existing authentication flows.

As the feature moves beyond its beta origins and toward cross-platform availability, the practical question remains: will this incremental change materially narrow common avenues for session theft, and how quickly will users and organizations adopt the new protective setting? Only the next few releases — and the response of the wider ecosystem — will tell.

https://thehackernews.com/2026/04/google-rolls-out-dbsc-in-chrome-146-to.html