BleepingComputer’s Post

🔐 Google says Chrome Device Bound Session Credentials is now generally available and rolling out to all users to prevent account takeovers by cryptographically binding session cookies to a specific device. 🛡️ Google says DBSC will be enabled by default for all Google Workspace customers upon rollout and administrators cannot disable it. ➡️ https://lnkd.in/ep6pqNPV #GoogleChrome #GoogleWorkspace #MFA #cybersecurity


This has been quietly rolling out for Windows with OSX support to follow soon. This will be great for preventing Session Hijacking for XSS attacks (arguably the biggest threat XSS poses), but won't do anything for phishing (AiTM) since the "device" bound to the captured sessions IS the AiTM proxy. Overall a good move in the right direction for AppSec!!


PhishU did a blog on this just today to educate the community on just which session-stealing techniques this protects against, and which it does not: https://phishu.net/blogs/blog-device-bound-session-credentials-dbsc-and-aitm-phishing.html
