Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft
Security Tool/Service
Summary
Hide ▲
Show ▼
Google has rolled out Device Bound Session Credentials (DBSC) in Chrome 146 for Windows, binding sessions to device hardware to blunt infostealer malware that steals session cookies. The change reduces the value of exfiltrated cookies because the protected session depends on a non-exportable key stored on the machine's TPM. Google says a future Chrome release will extend the protection to macOS.
Related Happenings
Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication
Technical Analysis
First: 21.05.2026 23:07
Last: 21.05.2026 23:07
Sources 1
About this happening:
Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...
Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication
Technical AnalysisAbout this happening: Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...
Microsoft Edge stops loading saved passwords into cleartext memory at startup
Security Tool/Service
First: 15.05.2026 17:49
Last: 15.05.2026 17:49
Sources 1
About this happening:
**Microsoft Edge** is changing its built-in password manager so **saved passwords** are no longer loaded into **process memory in clear text** at startup, reducing the risk of loc...
Microsoft Edge stops loading saved passwords into cleartext memory at startup
Security Tool/ServiceAbout this happening: **Microsoft Edge** is changing its built-in password manager so **saved passwords** are no longer loaded into **process memory in clear text** at startup, reducing the risk of loc...
Google rolls out Android Intrusion Logging in Android Advanced Protection Mode
Security Tool/Service
First: 14.05.2026 16:30
Last: 14.05.2026 16:30
Sources 1
About this happening:
Google has released **Android Intrusion Logging** for **Android Advanced Protection Mode**, giving **high-risk Android users** encrypted forensic logs to investigate suspected **s...
Google rolls out Android Intrusion Logging in Android Advanced Protection Mode
Security Tool/ServiceAbout this happening: Google has released **Android Intrusion Logging** for **Android Advanced Protection Mode**, giving **high-risk Android users** encrypted forensic logs to investigate suspected **s...
Android 17 expands platform security and privacy protections
Security Tool/Service
First: 12.05.2026 20:00
Last: 12.05.2026 20:00
Sources 1
About this happening:
**Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...
Android 17 expands platform security and privacy protections
Security Tool/ServiceAbout this happening: **Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
First: 14.04.2026 11:35
Last: 14.04.2026 11:35
Sources 1
About this happening:
**108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware ActivityAbout this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
Timeline
-
09.04.2026 21:33 2 articles · 1mo ago
Chrome 146 rolls out DBSC for Windows
Initial DisclosureGoogle rolled out Device Bound Session Credentials (DBSC) in Chrome 146 for Windows to blunt infostealer malware that harvests session cookies, binding each session to hardware-backed keys on the Trusted Platform Module (TPM) so exfiltrated cookies become unusable quickly. Google also said a future Chrome release will extend DBSC to macOS, and a year of testing with platforms including Okta showed a notable decline in session theft events.
Show sources
- Google Chrome adds infostealer protection against session cookie theft — www.bleepingcomputer.com — 09.04.2026 21:33
- Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows — thehackernews.com — 10.04.2026 10:58