Chrome 146 introduces Device Bound Session Credentials to mitigate session cookie theft via infostealers
Summary
Google Chrome 146 for Windows introduces Device Bound Session Credentials (DBSC) to prevent infostealer malware from harvesting and exploiting session cookies. The feature cryptographically binds user sessions to hardware security chips (the TPM on Windows and the Secure Enclave on macOS), so the key that binds the session cannot be exported or reused by attackers. DBSC enforces short-lived session cookies that are validated through proof of possession of a unique private key stored on the device, rendering exfiltrated cookies immediately unusable. This mitigation targets the rising sophistication of infostealer families such as LummaC2, which increasingly target session cookies to bypass authentication mechanisms.
Timeline
- 09.04.2026 21:33 · 1 article
DBSC protection rolled out in Chrome 146 for Windows to counter infostealer-based session cookie theft
Google Chrome 146 for Windows deploys Device Bound Session Credentials (DBSC) to prevent infostealing malware from harvesting and reusing session cookies. The feature cryptographically binds session credentials to the device’s security chip (TPM), ensuring private keys cannot be exported. Session validation requires proof-of-possession of the on-device private key, causing any exfiltrated cookies to expire immediately. This addresses the growing abuse of session tokens by infostealer families such as LummaC2.
Sources:
- Google Chrome adds infostealer protection against session cookie theft — www.bleepingcomputer.com — 09.04.2026 21:33
Information Snippets
- Chrome 146 for Windows includes Device Bound Session Credentials (DBSC) to block session cookie theft by infostealers.
  First reported: 09.04.2026 21:33 · 1 source, 1 article. Sources:
- Google Chrome adds infostealer protection against session cookie theft — www.bleepingcomputer.com — 09.04.2026 21:33
- DBSC links session credentials to hardware security chips (TPM on Windows, Secure Enclave on macOS), preventing private key export.
  First reported: 09.04.2026 21:33 · 1 source, 1 article. Sources:
- Google Chrome adds infostealer protection against session cookie theft — www.bleepingcomputer.com — 09.04.2026 21:33
- Session cookies are cryptographically validated via on-device private key possession; exfiltrated cookies expire and become unusable without the key.
  First reported: 09.04.2026 21:33 · 1 source, 1 article. Sources:
- Google Chrome adds infostealer protection against session cookie theft — www.bleepingcomputer.com — 09.04.2026 21:33
- Infostealer malware families like LummaC2 have grown more adept at harvesting session cookies for account takeover.
  First reported: 09.04.2026 21:33 · 1 source, 1 article. Sources:
- Google Chrome adds infostealer protection against session cookie theft — www.bleepingcomputer.com — 09.04.2026 21:33
- DBSC was developed in partnership with Microsoft as an open web standard and tested with industry partners including Okta.
  First reported: 09.04.2026 21:33 · 1 source, 1 article. Sources:
- Google Chrome adds infostealer protection against session cookie theft — www.bleepingcomputer.com — 09.04.2026 21:33
- Websites can adopt DBSC by integrating dedicated registration and refresh endpoints without breaking frontend compatibility.
  First reported: 09.04.2026 21:33 · 1 source, 1 article. Sources:
- Google Chrome adds infostealer protection against session cookie theft — www.bleepingcomputer.com — 09.04.2026 21:33
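The summary and the last snippet describe the mechanism in two sentences: a registration endpoint records a device-held public key, a refresh endpoint hands out short-lived cookies only after the browser proves possession of the matching private key, and a cookie copied off disk is therefore worth little on its own. The following model, added here as an illustration and not Chrome's, Google's or any site's code, walks through that exchange end to end with a victim browser, an infostealer that copies the cookie, and an attacker machine that lacks the key. Everything in it is an assumption for the sake of the demonstration: a toy Schnorr signature over a tiny safe-prime group stands in for the TPM or Secure Enclave key, the registration and refresh messages are plain function calls rather than the real DBSC HTTP headers, and the class and function names (`DeviceKey`, `SessionServer`, `BrowserClient`, `run_scenario`) are hypothetical.

```python
import hashlib
import secrets

# Toy group standing in for the TPM key: p = 2q + 1 is a safe prime and g = 4
# generates the order-q subgroup. Tiny on purpose; NOT cryptographically secure.
P, Q, G = 2039, 1019, 4


def _hash_to_scalar(*parts: bytes) -> int:
    """Hash to a non-zero scalar so a challenge can never degenerate to e = 0."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % (Q - 1) + 1


class DeviceKey:
    """Non-exportable key model: only the public value and signatures leave it."""

    def __init__(self) -> None:
        self._x = secrets.randbelow(Q - 1) + 1   # private scalar, never returned
        self.public = pow(G, self._x, P)

    def sign(self, msg: bytes) -> tuple:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P)
        e = _hash_to_scalar(r.to_bytes(2, "big"), msg)
        return r, (k + e * self._x) % Q          # Schnorr: s = k + e*x


def verify(public: int, msg: bytes, sig: tuple) -> bool:
    r, s = sig
    e = _hash_to_scalar(r.to_bytes(2, "big"), msg)
    return pow(G, s, P) == (r * pow(public, e, P)) % P   # g^s == r * y^e


class SessionServer:
    """Relying party: registration and refresh endpoints plus the cookie check."""

    def __init__(self, cookie_ttl: int) -> None:
        self.cookie_ttl = cookie_ttl
        self.keys = {}        # session_id -> registered public key
        self.challenges = {}  # session_id -> outstanding single-use nonce
        self.cookies = {}     # cookie value -> (session_id, expiry)

    def register(self, public: int) -> str:
        session_id = secrets.token_hex(8)
        self.keys[session_id] = public
        return session_id

    def challenge(self, session_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.challenges[session_id] = nonce
        return nonce

    def refresh(self, session_id: str, nonce: bytes, sig: tuple, now: int):
        # The nonce is consumed even on failure, so a captured proof cannot be replayed.
        expected = self.challenges.pop(session_id, None)
        public = self.keys.get(session_id)
        if expected is None or public is None or not secrets.compare_digest(expected, nonce):
            return None
        if not verify(public, session_id.encode() + nonce, sig):
            return None
        cookie = secrets.token_urlsafe(16)
        self.cookies[cookie] = (session_id, now + self.cookie_ttl)
        return cookie

    def authorize(self, cookie: str, now: int) -> bool:
        record = self.cookies.get(cookie)
        return record is not None and now < record[1]


class BrowserClient:
    """Browser side: owns the device key and the current short-lived cookie."""

    def __init__(self, key: DeviceKey) -> None:
        self.key, self.session_id, self.cookie, self.last_proof = key, None, None, None

    def register(self, server: SessionServer) -> None:
        self.session_id = server.register(self.key.public)

    def refresh(self, server: SessionServer, now: int):
        nonce = server.challenge(self.session_id)
        sig = self.key.sign(self.session_id.encode() + nonce)
        self.last_proof = (nonce, sig)   # retained only so the demo can try a replay
        self.cookie = server.refresh(self.session_id, nonce, sig, now)
        return self.cookie


def run_scenario(ttl: int = 60) -> dict:
    """Constructed scenario: cookie copied off disk, attacker lacks the device key."""
    server = SessionServer(cookie_ttl=ttl)
    victim = BrowserClient(DeviceKey())
    victim.register(server)
    t0 = 1_700_000_000
    stolen = victim.refresh(server, now=t0)   # infostealer copies this cookie value
    attacker_key = DeviceKey()                # attacker's own machine, own key
    while attacker_key.public == victim.key.public: attacker_key = DeviceKey()  # toy keyspace guard
    attacker = BrowserClient(attacker_key)
    attacker.session_id = victim.session_id   # session id was stolen alongside the cookie
    results = {
        "victim_ok_now": server.authorize(stolen, now=t0 + 1),
        "stolen_ok_within_ttl": server.authorize(stolen, now=t0 + ttl - 1),
        "stolen_ok_after_ttl": server.authorize(stolen, now=t0 + ttl),
        "attacker_refresh": attacker.refresh(server, now=t0 + ttl) is not None,
        "replayed_proof": server.refresh(victim.session_id, *victim.last_proof, now=t0 + ttl) is not None,
    }
    results["victim_refresh"] = victim.refresh(server, now=t0 + ttl) is not None
    results["victim_ok_after_refresh"] = server.authorize(victim.cookie, now=t0 + ttl + 1)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Running `run_scenario()` shows the three properties the article attributes to DBSC: the copied cookie still authorizes until its short TTL lapses, it fails afterwards, and neither the attacker's own key nor a replay of the victim's captured challenge response gets a fresh cookie, while the victim's browser refreshes without any change to how the cookie itself is sent. The cookie lifetime is the lever a site controls; the shorter it is, the smaller the window an exfiltrated copy is useful at all.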