Citadel Cyber Security Services

Google Chrome Has A New Trick and It’s Not Very Nice


Google Chrome Has A Nasty Surprise

Chrome dominates the web browser market. Chrome’s seamless updates are a major factor behind its success, but now the browser is under attack after its latest upgrade dropped a nasty surprise on millions of users around the world…

Chrome has a new user interface, but there’s a much less welcome addition as well.

In a damning blog post entitled ‘Why I’m done with Chrome’, noted cryptographer and Johns Hopkins University professor Matthew Green has exposed a subtle change to the Chrome sign-in experience which has the potential to not only put your data at risk but also unwittingly synchronise it with any other users of your browser.

“From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It’ll do this without asking, or even explicitly notifying you,” warned Green.

The consequences of this are significant, as anyone who uses your browser now does so with your account. Their browsing history and cookies synchronise with your Google account across all the devices where you use Chrome. EEP!


Furthermore, if they log into any Google service, it will log you out of the browser and they can import all their bookmarks, settings, etc. When you sign back in, it has the potential to wreak havoc, as one wrong click can see your data merged with theirs…

“Whether intentional or not, it has the effect of making it easy for people to activate sync without knowing it,” says Green.

How many users will notice they have automatically signed into Chrome? We are going to hazard a guess as “Not all that many”.

His words have found widespread support. Notably, Green cites one ex-Googler who tweets: “it’d only take one misclick to actually start syncing.”

And given how Chrome seamlessly updates, these changes have automatically hit everyone.

So what can you do? Right now there’s a hack: in Chrome navigate to ‘chrome://flags/#account-consistency’ then disable the ‘Identity consistency between browser and cookie jar’ setting. Yes, it’s not exactly intuitive for the average user but at least there is a kind of out.

The good news is Google has promised to make changes. Chrome Product Manager Zach Koch has today published a blog post called ‘Product updates based on your feedback’. In it, Koch says the next major version of Chrome will allow users to disable the auto sign-in feature in settings, while the user interface will make it clearer when someone is signed in. We are not sure exactly when this will roll out; however, we have heard mid-October, so we advise you to take your own steps to ensure your privacy.

In addition, it’s important to note auto sign-in will remain enabled by default so you will need to turn it off manually.

Chrome has earned its position at the top of the browser charts on merit. It’s a slick, reliable, and secure browser which has remained unflappable for almost a decade while rivals have floundered, but moves like this are undoubtedly going to damage its reputation with those in the know. Careful, Google!