Google Chrome Introduces Device‑Bound Session Credentials to Block Infostealer Cookie Theft
What Happened – Google released Device‑Bound Session Credentials (DBSC) in Chrome 146 for Windows, binding each browser session to a key pair whose private key is held in the device's TPM (with Secure Enclave support on macOS planned for a future release). A session cookie copied off the device stops working once its short lifetime lapses, because renewing it requires proof of possession of a private key that never leaves the hardware.
Why It Matters for TPRM –
- Reduces the attack surface for credential‑theft malware that targets browsers on employee workstations.
- Alters the risk profile of SaaS applications that rely on browser‑based session authentication.
- Demonstrates a proactive security control from a critical third‑party (browser vendor), influencing vendor risk assessments.
Who Is Affected – All organizations that allow employees to browse the web with Google Chrome, across every industry; especially enterprises with remote or hybrid workforces.
Recommended Actions –
- Ensure Chrome is updated to version 146 (or later) on all Windows endpoints; plan for the macOS rollout.
- Re‑evaluate authentication controls (e.g., enforce MFA). DBSC is not a substitute: it protects only sessions with services that implement the server side of the protocol, only on endpoints that have a TPM, and it does not stop malware from driving a live session from the infected device itself; what it blocks is reuse of exported cookies elsewhere.
- Update third‑party risk questionnaires to capture Chrome’s DBSC protection as a security control.
Technical Notes – The DBSC protocol uses a per‑session public/private key pair generated by the device's TPM (or, once supported, the Secure Enclave). The private key never leaves the hardware; the site registers the public key and issues short‑lived session cookies. To keep the session alive, Chrome signs a server‑issued challenge with the private key, and the server issues a fresh cookie only after verifying that proof of possession, so a cookie copied to another machine expires and cannot be renewed there. Sites must implement the server side to benefit. No CVE is associated; the control targets infostealer families such as LummaC2 that exfiltrate browser cookie stores. Source: BleepingComputer