Find notable cyber news and cases, enriched with sources, timelines, and signals.

Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft

Security Tool/Service
First reported
Last updated
Happening score
H score 11
2 unique sources, 2 articles

Summary

Hide ▲

Google has rolled out Device Bound Session Credentials (DBSC) in Chrome 146 for Windows, binding sessions to device hardware to blunt infostealer malware that steals session cookies. The change reduces the value of exfiltrated cookies because the protected session depends on a non-exportable key stored on the machine's TPM. Google says a future Chrome release will extend the protection to macOS.

Related Happenings

Google Chrome 149 security update

Security Patch Release
H score28 First: 12.06.2026 12:27 Last: 12.06.2026 12:27 Sources 1

About this happening: Google rolled out **Chrome 149** for **Windows, macOS, and Linux**, resolving **28 critical and high-severity vulnerabilities**. The update reduces risk from browser compromise, m...

FROST browser SSD timing side channel via OPFS

Technical Analysis
H score16 First: 09.06.2026 12:50 Last: 09.06.2026 12:50 Sources 1

About this happening: **FROST** turns **browser storage timing** into a **remote SSD side channel** that can identify which **sites** a user visits and which **apps** they open. The technique runs insi...

Google Chrome DBSC rolls out session-cookie theft protection for all users

Security Tool/Service
H score10 First: 29.05.2026 15:08 Last: 29.05.2026 15:08 Sources 1

About this happening: Google's **Chrome Device Bound Session Credentials (DBSC)** is now **generally available** and rolling out to **all users**, reducing the risk of **account takeovers** from stolen...

Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication

Technical Analysis
H score16 First: 21.05.2026 23:07 Last: 21.05.2026 23:07 Sources 1

About this happening: Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...

Microsoft Edge stops loading saved passwords into cleartext memory at startup

Security Tool/Service
H score10 First: 15.05.2026 17:49 Last: 15.05.2026 17:49 Sources 1

About this happening: **Microsoft Edge** is changing its built-in password manager so **saved passwords** are no longer loaded into **process memory in clear text** at startup, reducing the risk of loc...

Timeline

  1. 09.04.2026 21:33 2 articles · 3mo ago

    Chrome 146 rolls out DBSC for Windows

    Initial Disclosure

    Google rolled out Device Bound Session Credentials (DBSC) in Chrome 146 for Windows to blunt infostealer malware that harvests session cookies, binding each session to hardware-backed keys on the Trusted Platform Module (TPM) so exfiltrated cookies become unusable quickly. Google also said a future Chrome release will extend DBSC to macOS, and a year of testing with platforms including Okta showed a notable decline in session theft events.

    Show sources