Google fixed a vulnerability in Chrome, making stolen cookies ineffective
Google added protection against session-cookie theft in Chrome 146
*The new technology – Device Bound Session Credentials (DBSC) – cryptographically ties users’ active sessions to the hardware of their devices.*
What changed
Platform | How the protection works
---|---
Windows | Uses the Trusted Platform Module (TPM). The chip generates unique keys that cannot be exported. New session cookies are issued only after Chrome confirms ownership of the private key.
macOS | Protection will be added in a future browser update via Secure Enclave – the equivalent of a TPM.
How it works
1. When creating a new session, Chrome generates a public/private key pair tied to the security chip.
2. The server receives only the public key and uses it to encrypt the session cookie.
3. To access the data, the client must prove ownership of the private key – possible only on the same device.
4. If an attacker steals the cookie but lacks access to the chip, the session immediately becomes invalid.
Why this matters
* Session cookies are authentication tokens that allow users to log in without re‑entering a password.
* Infostealer malware such as LummaC2 reads the browser's cookie files and memory to steal these tokens.
* Software protection methods are not always effective – if an attacker gains access to the machine, they can obtain any cookie.
DBSC minimizes data exchange: only the public key is sent to the server, while the device identifier remains hidden. Each session is protected by a unique key, preventing tracking of user activity across different sessions.
Testing and support
* Google tested an early version of DBSC with several web platforms (including Okta).
* A noticeable reduction in session theft was observed.
* The protocol was developed in collaboration with Microsoft as an open web standard and approved by web‑security experts.
How sites can take advantage
1. Add registration and session-cookie refresh endpoints that use DBSC to your backend.
2. This will not affect existing frontends – compatibility is preserved.
Specifications are available on the W3C site, and a detailed implementation guide can be found in Google’s documentation and GitHub repositories.
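The registration and refresh steps described above, modeled as an added example (not code from Google, Chrome or the DBSC specification): a simplified Node.js backend that issues a new session cookie only after the client signs a fresh challenge with the session's private key. The function names, the in-memory store, the cookie lifetime and the software P-256 key standing in for the TPM-held key are assumptions; the real headers and message encoding are defined by the specification.

```javascript
// Simplified model of a DBSC-style backend; all names and message shapes are hypothetical.
const crypto = require('node:crypto');
const sessions = new Map(); // sessionId -> { publicKey, challenge, cookie, expires }
const COOKIE_TTL_MS = 10 * 60 * 1000; // assumed short lifetime of the bound cookie

// Registration point: store the public key the browser presents for this session.
function registerSession(publicKeyPem) {
  const sessionId = crypto.randomBytes(16).toString('hex');
  const publicKey = crypto.createPublicKey(publicKeyPem);
  sessions.set(sessionId, { publicKey, challenge: null, cookie: null, expires: 0 });
  return sessionId;
}

// Hand out a fresh single-use challenge before every cookie refresh.
function issueChallenge(sessionId) {
  const s = sessions.get(sessionId);
  if (!s) return null;
  s.challenge = crypto.randomBytes(32).toString('base64url');
  return s.challenge;
}

// Refresh point: a new cookie goes only to whoever can sign the outstanding challenge.
function refreshCookie(sessionId, signature, now = Date.now()) {
  const s = sessions.get(sessionId);
  if (!s || !s.challenge) return null;
  const challenge = s.challenge;
  s.challenge = null; // consume it, so a captured response cannot be replayed
  if (!crypto.verify('sha256', Buffer.from(challenge), s.publicKey, signature)) return null;
  s.cookie = crypto.randomBytes(24).toString('base64url');
  s.expires = now + COOKIE_TTL_MS;
  return s.cookie;
}

// A request is authenticated only while the short-lived cookie is unexpired.
function isCookieValid(sessionId, cookie, now = Date.now()) {
  const s = sessions.get(sessionId);
  if (!s || !s.cookie || typeof cookie !== 'string' || now >= s.expires) return false;
  const a = Buffer.from(cookie), b = Buffer.from(s.cookie);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Constructed client: a software P-256 key stands in for the non-exportable TPM key.
function makeClient() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    sign: (challenge) => crypto.sign('sha256', Buffer.from(challenge), privateKey),
  };
}
```

A copied cookie still works until `expires`, so the lifetime chosen for the bound cookie sets the window a thief has before the refresh step locks them out.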
Bottom line: Chrome 146’s new feature provides more reliable protection against session-cookie theft by binding sessions to users’ hardware. This renders stolen tokens useless almost instantly and enhances overall web application security.