Chrome's Latest Update: A Major Blow to Infostealer Cookie Theft Operations

  • 5 days ago

Key Findings


  • Google has rolled out Device Bound Session Credentials (DBSC) in Chrome 146 for Windows to prevent hackers from using stolen session cookies to access user accounts

  • The system binds login sessions to a device's hardware security chip, making exfiltrated cookies unusable on other machines

  • Early testing shows a measurable drop in successful infostealer attacks through Origin Trials with partners like Okta

  • Over 30 million computers were infected with infostealer malware last year, with attackers stealing credentials from high-profile targets including the Pentagon, FBI, and major defense contractors

  • The feature will expand to macOS soon and was developed with privacy protections to prevent cross-site device tracking


Background


Infostealer malware like LummaC2 and Vidar has become a major threat vector for account compromise. Rather than relying on complex hacking techniques, these malware variants exploit simple human error when users inadvertently download malicious files. Once installed, the malware can easily access session cookies stored in browser files and memory, giving attackers immediate access to user accounts without needing passwords. Last year's security incidents targeting the Pentagon, FBI, and defense contractors like Lockheed Martin and Honeywell demonstrated the real-world impact, with attackers selling stolen access credentials for as little as $10.


How the New Security Works


DBSC changes the defense strategy by binding each login session directly to the user's device hardware. Chrome generates a unique public/private key pair whose private key remains permanently on the computer and cannot be transferred. When accessing a website, the browser must prove possession of the private key before the server issues new cookies. The cookies themselves are also intentionally short-lived, expiring quickly even if stolen. Since attackers cannot extract the private key from the hardware security chip, any cookies they manage to grab become useless almost immediately.
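
A minimal model of the flow described above, as an added example that is not Chrome's or Google's code and does not reproduce the DBSC wire format. The `Site` class, the 10-minute cookie lifetime and the software P-256 key standing in for the hardware-held key are all assumptions made for illustration.

```javascript
// Simplified model of a device-bound session (constructed; not the DBSC wire format).
const crypto = require("node:crypto");
const COOKIE_TTL_MS = 10 * 60 * 1000; // assumed lifetime of the short-lived cookie

class Site {
  constructor() { this.sessions = new Map(); }
  // Login: remember the device's public key and issue the first cookie.
  register(publicKey, now) {
    const id = crypto.randomUUID();
    this.sessions.set(id, { publicKey, challenge: null, cookie: null });
    return { id, cookie: this.mint(id, now) };
  }
  mint(id, now) {
    const cookie = { value: crypto.randomBytes(16).toString("hex"), expires: now + COOKIE_TTL_MS };
    this.sessions.get(id).cookie = cookie;
    return cookie;
  }
  // A request is accepted only with the current, unexpired cookie.
  accepts(id, value, now) {
    const c = this.sessions.get(id)?.cookie;
    return Boolean(c) && c.value === value && now < c.expires;
  }
  challenge(id) {
    return (this.sessions.get(id).challenge = crypto.randomBytes(32));
  }
  // Refresh: mint a new cookie only for a valid signature over the pending challenge.
  refresh(id, signature, now) {
    const s = this.sessions.get(id);
    const nonce = s.challenge;
    s.challenge = null; // single use: a captured proof cannot be replayed
    if (!nonce || !crypto.verify("sha256", nonce, s.publicKey, signature)) return null;
    return this.mint(id, now);
  }
}

function demo() {
  const site = new Site();
  const newKey = () => crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const device = newKey(); // software stand-in for the key held in the security chip
  const thief = newKey();  // holds a copy of the cookie, but not device.privateKey
  const { id, cookie: stolen } = site.register(device.publicKey, 0);
  const late = COOKIE_TTL_MS + 1;
  const sign = (key) => crypto.sign("sha256", site.challenge(id), key.privateKey);
  const result = { early: site.accepts(id, stolen.value, 1000), expired: site.accepts(id, stolen.value, late) };
  result.thiefRefresh = site.refresh(id, sign(thief), late);
  const proof = sign(device);
  const fresh = site.refresh(id, proof, late);
  result.deviceOk = fresh !== null && site.accepts(id, fresh.value, late);
  result.replay = site.refresh(id, proof, late);
  return result;
}
```

In this model `early` is true: a copied cookie is still accepted until it expires, so the cookie lifetime the site chooses bounds the exposure window.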


Privacy and Implementation


Google coordinated with Microsoft to ensure the technology includes privacy safeguards. Each website receives a different cryptographic key, preventing companies from using DBSC to fingerprint devices or track users across sites. Windows users have access to the feature now through Chrome 146, with macOS support coming soon. This rollout addresses the critical gap where attackers previously bypassed two-factor authentication using stolen session data, a vulnerability that enabled some of the most damaging breaches against government and defense sector targets.


Sources


  • https://hackread.com/google-chrome-update-infostealer-cookie-theft/

  • https://x.com/Dinosn/status/2042969878462705865

  • https://x.com/HackRead/status/2042941255991116108

  • https://news.backbox.org/2026/04/11/google-chrome-update-disrupts-infostealer-cookie-theft/

  • https://www.reddit.com/r/InfoSecNews/comments/1sihhmu/google_chrome_update_disrupts_infostealer_cookie/

© 2025 by Explain IT Again. Powered and secured by Wix
