Vulnerabilities / Threats

9/24/2018
04:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

In Quiet Change, Google Now Automatically Logging Users Into Chrome

The change is a complete departure from Google's previous practice of keeping sign-in for Chrome separate from sign-ins to any Google service.

In a change with potentially worrisome privacy implications, Google has begun to automatically log users in to Chrome whenever they use the browser to sign into Gmail or any other Google service.

The change, introduced quietly with the new Chrome 69 release earlier this month, is a complete departure from Google's previous practice of keeping sign-in for Chrome separate from sign-ins to its other services. Previously, Gmail users concerned about Google collecting their browsing data could use Chrome without necessarily being signed into the browser.

But starting with Chrome 69, the only way users can do that is to not be logged into any Google service at all. Signing into a Google account will automatically sign them into Chrome. Signing out of Chrome will automatically sign users out of their other Google accounts.

In a blog Sunday, Matthew Green, a security researcher at Johns Hopkins University, blasted the change as having enormous implications on user privacy and trust. "The change makes a hash out of Google’s own privacy policies for Chrome," Green noted.

The privacy policies – up until this week, at least – made it very clear that when people are using Chrome in "basic browser mode," their data is stored locally, and when they are signed into Chrome, their browsing data is shipped to Google. The implication up to now has been clear, Green said. "If you want privacy, don't sign in," he says. "But what happens if your browser decides to switch you from one mode to the other, all on its own?"

Until Green's post on Sunday, few knew about Google's update. The only indication of the change is that users' Google profile pictures or icons now appear in the righthand corner of the browser window when they are logged into a Google account.

In a Twitter thread responding to Green's blog post late Sunday night, Google software engineer Adrienne Felt insisted that though Google is now automatically signing people in to Chrome, it does not mean the company is automatically uploading their browsing data as well.

In order for that to happen, users have to take the additional step of turning on a "Chrome Sync" feature after they are signed in, she said. By syncing, users can access their Chrome browsing histories across all devices. But Sync does not happen automatically when people get signed into Chrome, according to Felt.

She added that Google is updating its privacy notices "ASAP" to better clarify the implications of its automatic sign-in update for Chrome.

The new feature that automatically signs people into Chrome is called "identity consistency between browser and cookie jar." The only reason Google has added the feature is to prevent confusion among people sharing devices, Felt said in tweets that echoed comments made by two Chrome developers to Green. "In the past, people would sometimes sign out of the content area and think that meant they were no longer signed in to Chrome, which could cause problems on a shared device," Felt said.

For example, an individual using a computer where another user might have previously signed into Chrome could end up having cookies from his browsing sessions uploaded to the originally signed-in user's account, Green said. However, this becomes a potential issue only for users who sign in to Chrome in the first place, he noted.

The problem that the update is supposed to address does not impact users who choose not to log in to Chrome at all. If the problem has to do with signed-in users, it makes little sense for Google to make a change that forces unsigned users to become signed-in users, Green said.

Troublingly, Google's new menu for users signing into Chrome is also so vague that people could easily end up granting consent to sync their browsing data when they, in fact, did not intend to do so, Green said. Where previously users had to put in the effort of entering their credentials to sign in to Chrome, they can now end up consenting to data upload "with a single accidental click."

Google also has not made clear what data exactly it will upload when a previously logged-out user logs in to Chrome and turns on the Sync feature. It's not clear whether in this case Google will upload all of the data that was previously stored locally on the user's device, Green noted.

Dark Reading has observed an equally confusing message when a user signs out of Gmail these days. The message notes that the user is signed out and that syncing is paused, and then adds:  "Your bookmarks, history, passwords, and more are no longer being synced to your account but will remain on this device. Sign in to start syncing again."

In her tweets, Felt noted that Chrome data is not being uploaded without a user specifically consenting to syncing it. So it is not clear what other "bookmarks" or "history" it is that Google is referring to when it talks about "syncing." Google did not respond to Dark Reading's request for clarification. In response to a request for comment on Green's concerns, Google pointed to Felt's Twitter stream.

Related Content:

 

 

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AndrewfOP
50%
50%
AndrewfOP,
User Rank: Strategist
9/25/2018 | 4:51:18 PM
Chrome as a web browser
Notice this as soon as Chrome was keeping my login on the browser.  This is why I am glad Chrome is not my primary browser.  Quite frankly, any of minimalist design web browser is annoying to me.  I will keep my feature rich browsers.  Thank you very much.

 
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Starwood Breach Reaction Focuses on 4-Year Dwell
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I guess this answers the question: who's watching the watchers?
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20029
PUBLISHED: 2018-12-10
The nxfs.sys driver in the DokanFS library 0.6.0 in NoMachine before 6.4.6 on Windows 10 allows local users to cause a denial of service (BSOD) because uninitialized memory can be read.
CVE-2018-1279
PUBLISHED: 2018-12-10
Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on ...
CVE-2018-15800
PUBLISHED: 2018-12-10
Cloud Foundry Bits Service, versions prior to 2.18.0, includes an information disclosure vulnerability. A remote malicious user may execute a timing attack to brute-force the signing key, allowing them complete read and write access to the the Bits Service storage.
CVE-2018-15805
PUBLISHED: 2018-12-10
Accusoft PrizmDoc HTML5 Document Viewer before 13.5 contains an XML external entity (XXE) vulnerability, allowing an attacker to read arbitrary files or cause a denial of service (resource consumption).
CVE-2018-16635
PUBLISHED: 2018-12-10
Blackcat CMS 1.3.2 allows XSS via the willkommen.php?lang=DE page title at backend/pages/modify.php.