Google Chrome Deploys Device‑Bound Session Credentials to Block Cookie‑Theft Attacks
What Happened – Google Chrome has made the Device Bound Session Credentials (DBSC) feature generally available. DBSC cryptographically binds session cookies to a device’s hardware security module (TPM on Windows, Secure Enclave on macOS), preventing attackers from re‑using stolen cookies to bypass MFA. The rollout is automatic for all Google Workspace and personal accounts and cannot be disabled by administrators.
Why It Matters for TPRM
- Reduces the likelihood of credential compromise via session‑cookie theft for any SaaS accessed through Chrome.
- Improves the security posture of vendors that rely on Chrome for web‑based admin consoles and client portals.
- Signals that third‑party risk questionnaires should capture browser‑level mitigations like DBSC.
Who Is Affected – All industries that use Google Chrome for web access, especially SaaS, cloud‑based, and enterprise web applications.
Recommended Actions –
- Verify that Chrome is enforced as the default browser and kept up‑to‑date across your organization.
- Update internal security baselines to require DBSC‑enabled browsers for accessing sensitive SaaS platforms.
- Test critical internal web apps for compatibility with DBSC and document any exceptions.
Technical Notes – DBSC mitigates stolen‑session‑cookie attacks (often delivered via malware or phishing) by using device‑specific public/private keys generated in the TPM or Secure Enclave. No CVE is associated; the protection is a proactive cryptographic binding of authentication tokens. Source: BleepingComputer