This is a far cry from my normal travel posts, but it is something that all digital nomads should be aware of. If you use Chrome without logging in to it, you can have all your passwords and autofill details stolen.
I’m only writing this post because after contacting Google, they flagged the exploit as “Won’t Fix” despite how easy it is. For a company obsessed with the cloud and having you use them for everything, this is seriously troubling.
How Is This Even Possible?
When using Chrome without logging in to it, everything by default is saved within the browser itself. As soon as someone — anyone — logs into Chrome, all the email accounts, passwords, autofill details, browsing history and yes even bookmarks are transferred to that Google account. In seconds this person can steal your data — even acidentally, as I did.
How Bad Is It?
I am now technically able to log in to strangers’ (most of whom are now Facebook friends, but you get what I mean) Google, Facebook and yes even PayPal accounts, then delete the “new login from unknown device/location” email before they even see it. Anything without a two-step verification. Of course since I’m an honest guy, I’m attempting to spread awareness and maybe even elict a more appropriate response from Google than “Won’t Fix” (that is literally what they flagged my report as)
The issue has been replicated on both MacBook and Windows using the newest version of Chrome. And because everything with Google is synced everywhere, I can immediately begin using my phone to log in with these “stolen” passwords. But just to be clear I never actually logged into any of these newfound friends’ accounts. It just prompts me to. And each one comes with a nice filled in password field already.
How Did You Discover This?
By accident. For the last two weeks my laptop has been in the repair shop and I’ve been using several laptops from strangers I’ve met at hotels. People I don’t know before I’d arrived in town and might never see again in real life. As a traveler we all know that shit happens. So when a fellow traveler explains how his laptop broke and asks if they can borrow yours for a few minutes, we tend to say yes. Of course first we always log out of web sites, but with Chrome that isn’t enough if you are not logged in or not incognito.
To confirm this, I went to the business center of my hotel in Bangkok and logged into Chrome. Just like that I snagged passwords and login details for half a dozen different Gmail and Facebook accounts. All the people who had been using the computer before me I assume. They thought logging out was enough, but in Chrome it isn’t.
As of February 2016 Chrome has a whopping 69% market share, and this number is rising every month. It is used by companies, internet cafes and hotel business centers around the world. Chances are you are viewing this article using Chrome. Are you logged in to it?
How Do I Prevent This?
Just login to Chrome, simple as that. And be sure to log out of Chrome before letting anyone else use your laptop for even a second.
Why Won’t Google Fix This?
From the official response to my bug report:
This is called a ‘physically local attack’ and is not covered by Chrome’s threat model see https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-
To be fair, Google makes a good point. If someone has physical access to your computer, they can do whatever they want. But I provided them with a simple solution: don’t immediately sync secure data gathered while Chrome is not logged in to the account of the next person to log in to Chrome. Easy enough, but apparently too hard for Google to do.