Google Workspace is rolling out a security update to stop token-stealing attacks


Google Workspace is launching a new security feature to help prevent the same kind of account takeover attack that hit Linus Tech Tips. The feature, which is rolling out in beta for Chrome users on Windows, is designed to block bad actors from remotely stealing the cookies that keep you logged into your Workspace account.

Google calls the feature Device Bound Session Credentials (DBSC), and it does exactly what its name suggests: it protects users’ Workspace accounts by binding session cookies, the temporary files that websites use to remember a logged-in user, to the device they were issued on, so that a cookie copied off that machine is no longer enough on its own to use the session elsewhere.

That makes it much harder for attackers to carry out session token-stealing attacks, which typically begin when a victim runs information-stealing malware. From there, bad actors exfiltrate the victim’s session cookies and other login credentials to a remote server, allowing them to sign into the account from a different device without ever seeing the password or a second factor, or to sell the stolen credentials on.

“Because this theft occurs after a user has logged in, it bypasses many existing account protections like 2FA [two-factor authentication],” Google spokesperson Ross Richendrfer tells The Verge. “Existing protections for this kind of attack aren’t very mature, so it’s low-hanging fruit for attackers.”

In 2023, a bad actor took over the YouTube channel for Linus Tech Tips, along with two other Linus Media Group accounts, after an employee downloaded a fake sponsorship offer file containing cookie-stealing malware. This week, YouTube issued a warning about a similar scam in which creators are lured into downloading phony brand deals. YouTube isn’t the only platform we’ve seen hit by cookie theft, either: hackers hijacked several Chrome extensions last year, adding malware that exfiltrates session tokens for certain websites.

Google says there’s been an “exponential rise” in cookie and authentication token theft over the past couple of years, and that this “trend has only intensified in 2025.” The company began working on DBSC last year, and says the identity platform Okta, as well as browsers like Microsoft Edge, have “expressed interest” in the concept. Along with DBSC, Google recommends that Workspace administrators enable passkeys as well, which are now available to more than 11 million customers.
