Google has announced that it’s making a security feature called Device Bound Session Credentials (DBSC) in open beta to ensure that users are safeguarded against session cookie theft attacks.
DBSC, first introduced as a prototype in April 2024, is designed to bind authentication sessions to a device so as to prevent threat actors from using stolen cookies to sign-in to victims’ accounts and gain unauthorized access from a separate device under their control.
“Available in the Chrome browser on Windows, DBSC strengthens security after you are logged in and helps bind a session cookie – small files used by websites to remember user information – to the device a user authenticated from,” Andy Wen, senior director of product management at Google Workspace, said.
DBSC is not only meant to secure user accounts post-authentication. It makes it a lot more difficult for bad actors to reuse session cookies and improves session integrity.
The company also noted that passkey support is now generally available to more than 11 million Google Workspace customers, along with expanded admin controls to audit enrollment and restrict passkeys to physical security keys.
Lastly, Google intends to roll out a shared signals framework (SSF) receiver in closed beta for select customers in order to enable the exchange of crucial security signals in near real-time using the OpenID standard.
“This framework acts as a robust system for ‘transmitters’ to promptly inform ‘receivers’ about significant events, facilitating a coordinated response to security threats,” Wen said.
“Beyond threat detection and response, signal sharing also allows for the general sharing of different properties, such as device or user information, further enhancing the overall security posture and collaborative defense mechanisms.”
Google Project Zero Unveils Reporting Transparency
The development comes as Google Project Zero, a security team within the company that’s tasked with hunting zero-day vulnerabilities, announced a new trial policy called Reporting Transparency to address what has been described as an upstream patch gap.
While patch gap typically refers to the time period between when a fix is released for a vulnerability and a user installs the appropriate update, upstream patch gap denotes the timespan where an upstream vendor has a fix available but downstream customers are yet to integrate the patch and ship it to end users.
To close this upstream patch app, Google said it’s adding a new step where it intends to publicly share the discovery of a vulnerability within a week of reporting it to the relevant vendor.
This information is expected to include the vendor or open-source project that received the report, the affected product, the date the report was filed, and when the 90-day disclosure deadline expires. The current list includes two Microsoft Windows bugs, one flaw in Dolby Unified Decoder, and three issues in Google BigWave.
“The primary goal of this trial is to shrink the upstream patch gap by increasing transparency,” Project Zero’s Tim Willis said. “By providing an early signal that a vulnerability has been reported upstream, we can better inform downstream dependents. For our small set of issues, they will have an additional source of information to monitor for issues that may affect their users.”
Google further said it plans to apply this principle to Big Sleep, an artificial intelligence (AI) agent that was launched last year as part of a collaboration between DeepMind and Google Project Zero to augment vulnerability discovery.
The search behemoth also stressed that no technical details, proof-of-concept code, or any other information that could “materially assist” bad actors will be released until the deadline.
With the latest approach, Google Project Zero said it hopes to move the needle on releasing patches to the devices, systems, and services relied on by end users in a timely fashion and bolster the overall security ecosystem.
