Chrome's New Update Blocks Hackers From Stealing Your Login Cookies

By 813 Staff


Engineers and executives are reacting to BleepingComputer's (@BleepinComputer) report "Chrome's New Update Blocks Hackers From Stealing Your Login Cookies", published within the last 24 hours.

Source: https://x.com/BleepinComputer/status/2060332635650421150

The most stolen credential in the world right now is not a password. It’s a session cookie — the tiny browser token that lets you stay logged into Gmail, AWS, or your corporate VPN without re-entering credentials every few minutes. And for years, malware authors have been siphoning these cookies off Chrome users with almost no friction.

That calculus changed this week. Internal documents show that Google has quietly flipped the switch on session cookie theft protection for all Chrome users in the stable channel, a move first spotted and reported by BleepingComputer (@BleepinComputer). Engineers close to the project say the feature, which had been tested in Canary and Beta builds since early 2025, uses device-bound session tokens — essentially tying a cookie to a specific hardware root of trust, so that even if a payload copies your cookies to an attacker’s machine, they are worthless.

The rollout, scheduled for completion by June 2 according to leaked internal notes seen by multiple security researchers, has been anything but smooth. Early testers reported breakage with certain enterprise single sign-on flows, and some legacy cookie-dependent services had to scramble to update their implementations. Google has not officially confirmed the full branch coverage, but code commits suggest the protection is active on Windows, macOS, and Android builds. The Chrome team’s official release notes are still sparse, but the BleepingComputer report cites a snippet from a Chrome Security changelog stating the feature “reduces the risk of account takeover from credential-stealing malware” by binding authentication sessions to the client device.

Why this matters: session cookie theft has been the silent backbone of nearly every major corporate breach in the last two years. It’s how attackers bypass multifactor authentication entirely — they never need your one-time code if they can grab your validated browser session.
For individual users, this protection is automatic and requires no settings changes. However, the implementation is not retroactive. Existing cookies will remain unbound until users log out and log back in. Google has reportedly discussed forcing a global session invalidation to accelerate adoption, but that plan remains unconfirmed. For now, if you want the full protection, do yourself a favor: sign out of Chrome and sign back in. Your future session tokens will thank you.

