Google Deploys Device‑Bound Session Credentials in Chrome 146 to Block Session Hijacking on Windows
What Happened — Google has made Device‑Bound Session Credentials (DBSC) generally available to all Windows users of Chrome 146, extending a feature that was previously in open beta. DBSC ties a user’s authentication token to the specific device, preventing attackers from re‑using stolen session cookies on another machine.
Why It Matters for TPRM —
- Session‑theft attacks remain a top vector for credential stuffing and data exfiltration against SaaS applications.
- A browser‑level mitigation reduces the attack surface for any third‑party service that relies on Chrome for user access.
- Vendors that do not enforce up‑to‑date browsers may expose their customers to higher risk of credential compromise.
Who Is Affected — Enterprises across all sectors that use Chrome on Windows as the primary web client, especially those with SaaS, cloud‑hosted, or API‑driven services.
Recommended Actions —
- Verify that all corporate Windows endpoints are upgraded to Chrome 146 or later.
- Update internal browser‑hardening policies to require DBSC‑enabled versions.
- Communicate the change to SaaS vendors and confirm they are aware of the reduced session‑theft risk.
Technical Notes — DBSC works by binding the session cookie to a cryptographic key derived from the device’s hardware identifiers, rendering the cookie unusable on any other machine. The feature is currently limited to Windows; macOS support is slated for a future Chrome release. No CVEs are associated with this rollout.
Source: The Hacker News
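Added illustration (not from the original brief, and not Chrome's or Google's code): a simplified Node.js model of the device binding described in the Technical Notes, showing why a session cookie copied to another machine is rejected when the server also requires proof of a device-held key. The challenge/response flow, the software key pair standing in for the device key, and every function name are assumptions made for this example.

```javascript
// Simplified model of a device-bound session. All names are hypothetical.
const nodeCrypto = require('node:crypto');

// Server-side store: session cookie -> public key registered at login.
const sessions = new Map();

// A "device" holds a private key that never leaves it. A software P-256 key
// stands in for a device-protected key (assumption).
function newDevice() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { publicKey, sign: (msg) => nodeCrypto.sign('sha256', Buffer.from(msg), privateKey) };
}

// Login: the server records the device's public key next to the cookie.
function login(device) {
  const cookie = nodeCrypto.randomBytes(16).toString('hex');
  sessions.set(cookie, { publicKey: device.publicKey, challenge: null });
  return cookie;
}

// The server issues a fresh, single-use challenge for a known session.
function issueChallenge(cookie) {
  const s = sessions.get(cookie);
  if (!s) return null;
  s.challenge = nodeCrypto.randomBytes(16).toString('hex');
  return s.challenge;
}

// The cookie is honoured only with a valid signature over the open challenge.
function verifyRequest(cookie, signature) {
  const s = sessions.get(cookie);
  if (!s || !s.challenge) return false;
  const challenge = s.challenge;
  s.challenge = null; // single use, so an old signature cannot be replayed
  return nodeCrypto.verify('sha256', Buffer.from(challenge), s.publicKey, signature);
}

// Constructed scenario: the same cookie presented from a second machine.
function demo() {
  const original = newDevice();
  const otherMachine = newDevice();
  const cookie = login(original);
  const legit = verifyRequest(cookie, original.sign(issueChallenge(cookie)));
  const copied = verifyRequest(cookie, otherMachine.sign(issueChallenge(cookie)));
  const oldSig = original.sign(issueChallenge(cookie));
  const first = verifyRequest(cookie, oldSig);
  issueChallenge(cookie);
  const replayed = verifyRequest(cookie, oldSig);
  return { legit, copied, first, replayed };
}
```

For detection, the rejected branches of `verifyRequest` are the events worth logging: a valid cookie arriving without a valid key proof is a strong signal that the cookie has left its original device.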