Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft
Security Tool/Service
Summary
Hide ▲
Show ▼
Google has rolled out Device Bound Session Credentials (DBSC) in Chrome 146 for Windows, binding sessions to device hardware to blunt infostealer malware that steals session cookies. The change reduces the value of exfiltrated cookies because the protected session depends on a non-exportable key stored on the machine's TPM. Google says a future Chrome release will extend the protection to macOS.
Related Happenings
Google Chrome 149 security update
Security Patch Release
H score28
First: 12.06.2026 12:27
Last: 12.06.2026 12:27
Sources 1
About this happening:
Google rolled out **Chrome 149** for **Windows, macOS, and Linux**, resolving **28 critical and high-severity vulnerabilities**. The update reduces risk from browser compromise, m...
Google Chrome 149 security update
Security Patch ReleaseAbout this happening: Google rolled out **Chrome 149** for **Windows, macOS, and Linux**, resolving **28 critical and high-severity vulnerabilities**. The update reduces risk from browser compromise, m...
FROST browser SSD timing side channel via OPFS
Technical Analysis
H score16
First: 09.06.2026 12:50
Last: 09.06.2026 12:50
Sources 1
About this happening:
**FROST** turns **browser storage timing** into a **remote SSD side channel** that can identify which **sites** a user visits and which **apps** they open. The technique runs insi...
FROST browser SSD timing side channel via OPFS
Technical AnalysisAbout this happening: **FROST** turns **browser storage timing** into a **remote SSD side channel** that can identify which **sites** a user visits and which **apps** they open. The technique runs insi...
Google Chrome DBSC rolls out session-cookie theft protection for all users
Security Tool/Service
H score10
First: 29.05.2026 15:08
Last: 29.05.2026 15:08
Sources 1
About this happening:
Google's **Chrome Device Bound Session Credentials (DBSC)** is now **generally available** and rolling out to **all users**, reducing the risk of **account takeovers** from stolen...
Google Chrome DBSC rolls out session-cookie theft protection for all users
Security Tool/ServiceAbout this happening: Google's **Chrome Device Bound Session Credentials (DBSC)** is now **generally available** and rolling out to **all users**, reducing the risk of **account takeovers** from stolen...
Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication
Technical Analysis
H score16
First: 21.05.2026 23:07
Last: 21.05.2026 23:07
Sources 1
About this happening:
Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...
Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication
Technical AnalysisAbout this happening: Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...
Microsoft Edge stops loading saved passwords into cleartext memory at startup
Security Tool/Service
H score10
First: 15.05.2026 17:49
Last: 15.05.2026 17:49
Sources 1
About this happening:
**Microsoft Edge** is changing its built-in password manager so **saved passwords** are no longer loaded into **process memory in clear text** at startup, reducing the risk of loc...
Microsoft Edge stops loading saved passwords into cleartext memory at startup
Security Tool/ServiceAbout this happening: **Microsoft Edge** is changing its built-in password manager so **saved passwords** are no longer loaded into **process memory in clear text** at startup, reducing the risk of loc...
Timeline
-
09.04.2026 21:33 2 articles · 3mo ago
Chrome 146 rolls out DBSC for Windows
Initial DisclosureGoogle rolled out Device Bound Session Credentials (DBSC) in Chrome 146 for Windows to blunt infostealer malware that harvests session cookies, binding each session to hardware-backed keys on the Trusted Platform Module (TPM) so exfiltrated cookies become unusable quickly. Google also said a future Chrome release will extend DBSC to macOS, and a year of testing with platforms including Okta showed a notable decline in session theft events.
Show sources
- Google Chrome adds infostealer protection against session cookie theft — www.bleepingcomputer.com — 09.04.2026 21:33
- Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows — thehackernews.com — 10.04.2026 10:58