HomeIntelligenceBrief
BREACH BRIEF🟢 Low Advisory

Google Chrome Deploys Device‑Bound Session Credentials to Block Cookie‑Theft Attacks

Google Chrome has rolled out Device Bound Session Credentials (DBSC) to all users, cryptographically tying session cookies to the device’s TPM or Secure Enclave. This prevents attackers from re‑using stolen cookies to bypass MFA, a key risk for any organization relying on web‑based SaaS platforms.

LiveThreat™ Intelligence · 📅 May 29, 2026· 📰 bleepingcomputer.com
🟢
Severity
Low
AD
Type
Advisory
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
3 recommended
📰
Source
bleepingcomputer.com

Google Chrome Deploys Device‑Bound Session Credentials to Block Cookie‑Theft Attacks

What Happened – Google Chrome has made the Device Bound Session Credentials (DBSC) feature generally available. DBSC cryptographically binds session cookies to a device’s hardware security module (TPM on Windows, Secure Enclave on macOS), preventing attackers from re‑using stolen cookies to bypass MFA. The rollout is automatic for all Google Workspace and personal accounts and cannot be disabled by administrators.

Why It Matters for TPRM

  • Reduces the likelihood of credential compromise via session‑cookie theft for any SaaS accessed through Chrome.
  • Improves the security posture of vendors that rely on Chrome for web‑based admin consoles and client portals.
  • Signals that third‑party risk questionnaires should capture browser‑level mitigations like DBSC.

Who Is Affected – All industries that use Google Chrome for web access, especially SaaS, cloud‑based, and enterprise web applications.

Recommended Actions

  • Verify that Chrome is enforced as the default browser and kept up‑to‑date across your organization.
  • Update internal security baselines to require DBSC‑enabled browsers for accessing sensitive SaaS platforms.
  • Test critical internal web apps for compatibility with DBSC and document any exceptions.

Technical Notes – DBSC mitigates stolen‑session‑cookie attacks (often delivered via malware or phishing) by using device‑specific public/private keys generated in the TPM or Secure Enclave. No CVE is associated; the protection is a proactive cryptographic binding of authentication tokens. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/google-chrome-adds-session-cookie-theft-protection-for-all-users/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →