DBSC deployment in Chrome 146 expands session cookie protection on Windows platforms
Summary
Google has enabled Device Bound Session Credentials (DBSC) for all Windows users of Chrome 146, providing a cryptographic defense against session cookie theft by binding authentication sessions to hardware-backed security modules. The feature leverages Trusted Platform Module (TPM) on Windows to generate non-exportable public/private key pairs, ensuring stolen session cookies expire and become unusable to attackers. This deployment follows earlier testing phases and targets session theft, a prevalent threat facilitated by information-stealing malware such as Atomic, Lumma, and Vidar Stealer. Google reports a significant reduction in session theft incidents since DBSC’s introduction and plans further expansion to macOS and broader device support.
Timeline
- 10.04.2026 10:58 · 1 article
DBSC enabled for Chrome 146 on Windows to block session cookie theft via hardware-bound authentication
DBSC is now generally available to all Windows users running Chrome 146, providing cryptographic session binding via hardware-backed keys in TPM to prevent the reuse of stolen session cookies. The feature requires proof of private key possession to issue new tokens, rendering exfiltrated cookies ineffective. Google reports early success in reducing session theft incidents and plans broader platform support and enterprise integration.
- Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows — thehackernews.com — 10.04.2026 10:58
Information Snippets
- DBSC is now generally available to Windows users on Chrome 146, with macOS support planned for a future release.
First reported: 10.04.2026 10:58 · 1 source, 1 article
- DBSC cryptographically binds session credentials to a device using hardware-backed security, such as TPM on Windows and Secure Enclave on macOS, generating non-exportable key pairs.
First reported: 10.04.2026 10:58 · 1 source, 1 article
- Stolen session cookies protected by DBSC expire quickly and become unusable to attackers, as Chrome must prove possession of the corresponding private key to issue new short-lived tokens.
First reported: 10.04.2026 10:58 · 1 source, 1 article
- In cases where secure key storage is unavailable, DBSC gracefully degrades to standard authentication behavior without disrupting user sessions.
First reported: 10.04.2026 10:58 · 1 source, 1 article
- Session theft often involves malware such as Atomic, Lumma, and Vidar Stealer that harvest cookies for unauthorized account access or resale to other threat actors.
First reported: 10.04.2026 10:58 · 1 source, 1 article
- Google’s DBSC architecture is designed to minimize data exposure, using only per-session public keys for proof of possession and avoiding device identifiers or cross-site tracking.
First reported: 10.04.2026 10:58 · 1 source, 1 article
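
The refresh behaviour described in the snippets above, as an added example that is not Google's or Chrome's code and not the DBSC wire format: a server keeps only a per-session public key, honours a cookie only briefly, and mints a new one only for a valid signature over a fresh challenge. The class and function names, the five-minute lifetime and the software P-256 keys standing in for the TPM-held key are assumptions.

```javascript
// Added illustration: a simplified model, not the DBSC wire protocol or Chrome code.
const nodeCrypto = require('node:crypto');
const COOKIE_TTL_MS = 5 * 60 * 1000; // assumed lifetime; the page gives no figure

class BoundSessionServer {
  constructor() { this.sessions = new Map(); }
  // Registration stores only the per-session public key, no device identifier.
  register(publicKey, now) {
    const id = nodeCrypto.randomUUID();
    this.sessions.set(id, { publicKey, challenge: null });
    return { id, cookie: this.mint(this.sessions.get(id), now) };
  }
  mint(s, now) {
    Object.assign(s, { cookie: nodeCrypto.randomBytes(16).toString('hex'), expires: now + COOKIE_TTL_MS });
    return s.cookie;
  }
  // A cookie is honoured only while fresh, so a copied one ages out.
  cookieValid(id, cookie, now) {
    const s = this.sessions.get(id);
    return Boolean(s) && s.cookie === cookie && now < s.expires;
  }
  newChallenge(id) {
    return (this.sessions.get(id).challenge = nodeCrypto.randomBytes(32));
  }
  // Refresh succeeds only for a valid signature over the single-use challenge.
  refresh(id, signature, now) {
    const s = this.sessions.get(id);
    if (!s || !s.challenge) return null;
    const challenge = s.challenge;
    s.challenge = null; // consumed whether or not verification succeeds
    const ok = nodeCrypto.verify('sha256', challenge, s.publicKey, signature);
    return ok ? this.mint(s, now) : null;
  }
}

// Constructed scenario: software P-256 keys stand in for the TPM-held key.
function demo() {
  const newKey = () => nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const device = newKey(), other = newKey();
  const sign = (key, data) => nodeCrypto.sign('sha256', data, key.privateKey);
  const server = new BoundSessionServer(), later = COOKIE_TTL_MS + 1;
  const { id, cookie: copied } = server.register(device.publicKey, 0);
  return {
    copiedWorksAtFirst: server.cookieValid(id, copied, 1000),
    copiedWorksLater: server.cookieValid(id, copied, later),
    refreshWithOtherKey: server.refresh(id, sign(other, server.newChallenge(id)), later),
    refreshWithBoundKey: server.refresh(id, sign(device, server.newChallenge(id)), later),
  };
}
```

In `demo()` the copied cookie is accepted only until it expires, and a refresh signed by any key other than the registered one returns `null`, so the session continues only on the device holding the private key.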