HomeIntelligenceBrief
BREACH BRIEF⚪ Informational Advisory

Chrome Deploys Device‑Bound Session Credentials to Block Cookie‑Hijacking on Windows

Google Chrome now ships Device Bound Session Credentials (DBSC) for Windows, binding session cookies to the device’s TPM or Secure Enclave. This stops attackers from reusing stolen cookies on other machines, reducing credential‑theft risk for all enterprises that rely on Chrome for web access.

LiveThreat™ Intelligence · 📅 June 02, 2026· 📰 zdnet.com
Severity
Informational
AD
Type
Advisory
🎯
Confidence
High
🏢
Affected
5 sector(s)
Actions
3 recommended
📰
Source
zdnet.com

Chrome Deploys Device‑Bound Session Credentials to Block Cookie‑Hijacking Across Windows Users

What Happened — Google Chrome has begun rolling out a new security feature called Device Bound Session Credentials (DBSC) for all Windows users. DBSC cryptographically ties session cookies to the device’s built‑in security chip (TPM on Windows, Secure Enclave on macOS), rendering stolen cookies unusable on any other machine.

Why It Matters for TPRM

  • Cookie‑theft is a common initial‑access technique; compromised sessions can bypass MFA and give attackers unfettered access to SaaS applications.
  • The mitigation is delivered at the browser layer, meaning every downstream vendor that relies on Chrome‑based authentication inherits this protection.
  • Organizations that have not yet enforced DBSC may face higher residual risk from credential‑theft attacks originating in the browser.

Who Is Affected — All enterprises that allow employees or customers to use Chrome on Windows or macOS, spanning technology, finance, healthcare, retail, and government sectors.

Recommended Actions

  • Verify that DBSC is enabled by default across your Chrome fleet; enforce via GPO or endpoint management if needed.
  • Update internal security policies to reference browser‑session protection as a control for credential‑theft mitigation.
  • Communicate the change to SaaS vendors and confirm they recognize DBSC‑bound sessions in their authentication logs.

Technical Notes — Cookie‑hijacking attacks typically rely on malware or phishing to exfiltrate session cookies, then replay them on an attacker‑controlled device. DBSC binds each cookie to the device’s TPM (or Secure Enclave) using hardware‑rooted keys, so replay attempts fail. No CVE is involved; this is a proactive hardening feature. Source: ZDNet Security

📰 Original Source
https://www.zdnet.com/article/chrome-protects-hackers-steal-browser-cookies/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Awareness is a control you can evidence too.

Verisq AI Trust Operations records training completion and policy adoption as audit evidence — turning 'we train our staff' into something you can actually prove.

See how Verisq AI Trust Operations covers awareness →