Google Chrome 146 Introduces Device‑Bound Session Credentials to Thwart Infostealer Cookie Theft
What Happened — Google released Chrome 146 with a new “Device‑Bound Session Credentials” (DBSC) feature that ties session cookies to a hardware‑backed key on the Windows machine, rendering stolen cookies unusable on other devices. The change directly disrupts credential‑stealing malware that relies on cookie replay.
Why It Matters for TPRM (Third‑Party Risk Management) —
- Reduces the risk of credential‑theft attacks that can compromise downstream SaaS providers.
- Lowers the likelihood of data exfiltration via compromised browser sessions, a common supply‑chain vector.
- Forces threat actors to adapt, buying time for organizations to strengthen endpoint controls.
Who Is Affected — Enterprises across all sectors that rely on Google Chrome on Windows workstations, especially those using cloud‑based SaaS applications (CRM, ERP, collaboration tools).
Recommended Actions —
- Deploy Chrome 146 (or later) to all Windows endpoints immediately.
- Verify that endpoint protection solutions can detect and block infostealer families.
- Review third‑party SaaS access logs for anomalous session activity during the rollout window.
Technical Notes — DBSC leverages hardware‑based keys (TPM/Windows Hello) to bind session credentials to the originating device, preventing cookie replay attacks. No CVE is associated; the change is a proactive mitigation. Source: HackRead
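To make the binding mechanism concrete, here is an added example that is not from the article, from Google, or from the HackRead report: a small Go model of the challenge/response that a device‑bound session relies on. The hardware key is an assumption of the model (a software ECDSA P‑256 key stands in for the TPM/Windows Hello key, which in reality never leaves the device), and the names DeviceKey, Server, Challenge, Refresh and Scenario are all hypothetical. The server remembers the public key registered for a session cookie, issues a fresh nonce before each refresh, and accepts the refresh only when the nonce is signed by that key, so a cookie copied off the device is worthless without the key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// DeviceKey stands in for the hardware-backed (TPM / Windows Hello) key pair
// that DBSC uses. Here it is a plain software ECDSA key, an assumption made
// only so the example runs anywhere; a real device key is non-exportable.
type DeviceKey struct {
	priv *ecdsa.PrivateKey
}

func NewDeviceKey() (*DeviceKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &DeviceKey{priv: k}, nil
}

func (d *DeviceKey) Public() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Prove signs the server's challenge, bound to the session ID, with the device key.
func (d *DeviceKey) Prove(sessionID string, challenge []byte) ([]byte, error) {
	digest := proofDigest(sessionID, challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// proofDigest hashes session ID and challenge together so a proof for one
// session cannot be reused for another.
func proofDigest(sessionID string, challenge []byte) [32]byte {
	return sha256.Sum256(append([]byte(sessionID+"|"), challenge...))
}

// Server keeps the public key registered for each bound session and the
// single outstanding challenge for it.
type Server struct {
	keys       map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{keys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// RegisterSession mints a session cookie value and binds it to pub.
func (s *Server) RegisterSession(pub *ecdsa.PublicKey) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	id := hex.EncodeToString(raw)
	s.keys[id] = pub
	return id, nil
}

// Challenge issues a fresh nonce that must be signed before the session is refreshed.
func (s *Server) Challenge(sessionID string) ([]byte, error) {
	if _, ok := s.keys[sessionID]; !ok {
		return nil, errors.New("unknown session")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[sessionID] = nonce
	return nonce, nil
}

// Refresh accepts the proof only if the bound key signed the outstanding
// challenge. The challenge is consumed whether or not the proof verifies.
func (s *Server) Refresh(sessionID string, proof []byte) bool {
	pub, ok := s.keys[sessionID]
	nonce, has := s.challenges[sessionID]
	delete(s.challenges, sessionID)
	if !ok || !has {
		return false
	}
	digest := proofDigest(sessionID, nonce)
	return ecdsa.VerifyASN1(pub, digest[:], proof)
}

// Scenario reports whether (1) the bound device refreshes its session,
// (2) an old proof replayed against a new challenge is rejected, and
// (3) the stolen cookie presented from a device with a different key is rejected.
func Scenario() (legit, replay, theft bool, err error) {
	srv := NewServer()
	dev, err := NewDeviceKey()
	if err != nil {
		return
	}
	sid, err := srv.RegisterSession(dev.Public())
	if err != nil {
		return
	}
	c1, _ := srv.Challenge(sid)
	p1, _ := dev.Prove(sid, c1)
	legit = srv.Refresh(sid, p1) // genuine device: accepted

	srv.Challenge(sid) // new nonce; the captured proof p1 no longer matches
	replay = srv.Refresh(sid, p1)

	other, _ := NewDeviceKey() // same cookie, different machine's key
	c3, _ := srv.Challenge(sid)
	p3, _ := other.Prove(sid, c3)
	theft = srv.Refresh(sid, p3)
	return
}

func main() {
	legit, replay, theft, err := Scenario()
	fmt.Println("bound device:", legit, "replayed proof:", replay, "foreign key:", theft, "err:", err)
}
```

Running the program prints true for the bound device and false for both the replayed proof and the foreign key. The model also shows the limit of the control that the Recommended Actions above already account for: binding defeats cookie use off the device, but malware running on the bound machine can still drive the live browser session, so endpoint detection of infostealer families remains necessary.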