9/24/2018
04:30 PM

In Quiet Change, Google Now Automatically Logging Users Into Chrome

The change is a complete departure from Google's previous practice of keeping sign-in for Chrome separate from sign-ins to any Google service.

In a change with potentially worrisome privacy implications, Google has begun to automatically log users in to Chrome whenever they use the browser to sign into Gmail or any other Google service.

The change, introduced quietly with the new Chrome 69 release earlier this month, is a complete departure from Google's previous practice of keeping sign-in for Chrome separate from sign-ins to its other services. Previously, Gmail users concerned about Google collecting their browsing data could use Chrome without necessarily being signed into the browser.

But starting with Chrome 69, the only way users can do that is to not be logged into any Google service at all. Signing into a Google account will automatically sign them into Chrome. Signing out of Chrome will automatically sign users out of their other Google accounts.

In a blog post on Sunday, Matthew Green, a security researcher at Johns Hopkins University, blasted the change as having enormous implications for user privacy and trust. "The change makes a hash out of Google’s own privacy policies for Chrome," Green noted.

The privacy policies – up until this week, at least – made it very clear that when people are using Chrome in "basic browser mode," their data is stored locally, and when they are signed into Chrome, their browsing data is shipped to Google. The implication up to now has been clear, Green said. "If you want privacy, don't sign in," he wrote. "But what happens if your browser decides to switch you from one mode to the other, all on its own?"

Until Green's post on Sunday, few knew about Google's update. The only visible indication of the change is that users' Google profile pictures or icons now appear in the right-hand corner of the browser window when they are logged into a Google account.

In a Twitter thread responding to Green's blog post late Sunday night, Google software engineer Adrienne Felt insisted that though Google is now automatically signing people in to Chrome, it does not mean the company is automatically uploading their browsing data as well.

In order for that to happen, users have to take the additional step of turning on a "Chrome Sync" feature after they are signed in, she said. By syncing, users can access their Chrome browsing histories across all devices. But Sync does not happen automatically when people get signed into Chrome, according to Felt.

She added that Google is updating its privacy notices "ASAP" to better clarify the implications of its automatic sign-in update for Chrome.

The new feature that automatically signs people into Chrome is called "identity consistency between browser and cookie jar." The only reason Google has added the feature is to prevent confusion among people sharing devices, Felt said in tweets that echoed comments made by two Chrome developers to Green. "In the past, people would sometimes sign out of the content area and think that meant they were no longer signed in to Chrome, which could cause problems on a shared device," Felt said.

For example, an individual using a computer where another user might have previously signed into Chrome could end up having cookies from his browsing sessions uploaded to the originally signed-in user's account, Green said. However, this becomes a potential issue only for users who sign in to Chrome in the first place, he noted.

The problem that the update is supposed to address does not impact users who choose not to log in to Chrome at all. If the problem has to do with signed-in users, it makes little sense for Google to make a change that forces unsigned users to become signed-in users, Green said.

Troublingly, Google's new menu for users signing into Chrome is also so vague that people could easily end up granting consent to sync their browsing data when they, in fact, did not intend to do so, Green said. Where previously users had to put in the effort of entering their credentials to sign in to Chrome, they can now end up consenting to data upload "with a single accidental click."

Google also has not made clear what data exactly it will upload when a previously logged-out user logs in to Chrome and turns on the Sync feature. It's not clear whether in this case Google will upload all of the data that was previously stored locally on the user's device, Green noted.

Dark Reading has observed an equally confusing message when a user signs out of Gmail these days. The message notes that the user is signed out and that syncing is paused, and then adds: "Your bookmarks, history, passwords, and more are no longer being synced to your account but will remain on this device. Sign in to start syncing again."

In her tweets, Felt noted that Chrome data is not being uploaded without a user specifically consenting to syncing it. So it is not clear what other "bookmarks" or "history" it is that Google is referring to when it talks about "syncing." Google did not respond to Dark Reading's request for clarification. In response to a request for comment on Green's concerns, Google pointed to Felt's Twitter stream.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Comments

AndrewfOP, User Rank: Strategist
9/25/2018 | 4:51:18 PM
Chrome as a web browser
Noticed this as soon as Chrome was keeping my login on the browser. This is why I am glad Chrome is not my primary browser. Quite frankly, any minimalist-design web browser is annoying to me. I will keep my feature-rich browsers. Thank you very much.