Chrome 146 introduces device bound session credentials to combat info-stealing malware

As noted by Bleeping Computer, Google has implemented a new security feature called Device Bound Session Credentials (DBSC) in Chrome 146 for Windows. This protection is specifically designed to stop info-stealing malware from harvesting sensitive session cookies, a common method for unauthorized account access.

DBSC works by cryptographically linking a user’s session to their hardware, utilizing the Trusted Platform Module (TPM) on Windows. This process generates a unique public/private key pair within the secure hardware, which prevents the keys from being exported. When a user logs in, Chrome must prove possession of the private key to the server before the server issues a new, short-lived session cookie.

If malware steals a cookie without the corresponding private key, the cookie becomes useless, effectively stopping session hijacking. This addresses a significant weakness where infostealer malware could previously exfiltrate cookies stored in browser files or memory, a problem difficult to solve with software alone.

Source: Bleeping Computer
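The possession proof described above can be modelled in a few lines. This is an added example, not code from Chrome, Google or Bleeping Computer, and it does not reproduce the DBSC wire protocol. The `Server` class, the five-minute cookie lifetime and the software P-256 key standing in for the TPM-held key are all assumptions made for illustration.

```javascript
// Simplified model of the possession proof, not the DBSC wire protocol.
const crypto = require("node:crypto");
const COOKIE_TTL_MS = 5 * 60 * 1000; // assumed lifetime of the short-lived cookie

class Server {
  constructor() { this.sessions = new Map(); }
  // Login: bind the new session to the public key the browser registered.
  register(publicKey) {
    const id = crypto.randomUUID();
    this.sessions.set(id, { publicKey, challenge: null, cookie: null, expires: 0 });
    return id;
  }
  // Hand out a fresh random challenge for the next refresh.
  challenge(id) {
    return (this.sessions.get(id).challenge = crypto.randomBytes(32));
  }
  // Issue a new cookie only for a valid signature over the outstanding challenge.
  refresh(id, signature, now) {
    const s = this.sessions.get(id);
    if (!s || !s.challenge) return null;
    const challenge = s.challenge;
    s.challenge = null; // single use, consumed even when verification fails
    if (!crypto.verify("sha256", challenge, s.publicKey, signature)) return null;
    s.cookie = crypto.randomBytes(16).toString("hex");
    s.expires = now + COOKIE_TTL_MS;
    return s.cookie;
  }
  authorize(id, cookie, now) {
    const s = this.sessions.get(id);
    return Boolean(s && s.cookie && now < s.expires && cookie === s.cookie);
  }
}

function demo() {
  const newKey = () => crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const device = newKey(); // software stand-in for the non-exportable TPM key
  const thief = newKey();  // holder of a copied cookie has only a key of their own
  const sign = (key, data) => crypto.sign("sha256", data, key.privateKey);
  const server = new Server();
  const id = server.register(device.publicKey);
  const firstSig = sign(device, server.challenge(id));
  const cookie = server.refresh(id, firstSig, 0);
  const later = COOKIE_TTL_MS + 1; // just past the copied cookie's expiry
  const stolenBeforeExpiry = server.authorize(id, cookie, 1000);
  const stolenAfterExpiry = server.authorize(id, cookie, later);
  const thiefRefresh = server.refresh(id, sign(thief, server.challenge(id)), later);
  server.challenge(id); // new challenge, then replay the old signature against it
  const replayRefresh = server.refresh(id, firstSig, later);
  const deviceRefresh = server.refresh(id, sign(device, server.challenge(id)), later);
  return { stolenBeforeExpiry, stolenAfterExpiry, thiefRefresh, replayRefresh, deviceRefresh };
}
```

In this model a copied cookie is still accepted until it expires, so the cookie lifetime sets the exposure window; only the device holding the private key can obtain the next cookie.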
