If You Use Chrome, I Can Steal Your Passwords

This is a far cry from my normal travel posts, but it is something that all digital nomads should be aware of. If you use Chrome without logging in to it, you can have all your passwords and autofill details stolen.

I’m only writing this post because after contacting Google, they flagged the exploit as “Won’t Fix” despite how easy it is. For a company obsessed with the cloud and having you use them for everything, this is seriously troubling.

How Is This Even Possible?

When using Chrome without logging in to it, everything by default is saved within the browser itself. As soon as someone — anyone — logs into Chrome, all the email accounts, passwords, autofill details, browsing history and yes even bookmarks are transferred to that Google account. In seconds this person can steal your data — even acidentally, as I did.

How Bad Is It?

I am now technically able to log in to strangers’ (most of whom are now Facebook friends, but you get what I mean) Google, Facebook and yes even PayPal accounts, then delete the “new login from unknown device/location” email before they even see it. Anything without a two-step verification. Of course since I’m an honest guy, I’m attempting to spread awareness and maybe even elict a more appropriate response from Google than “Won’t Fix” (that is literally what they flagged my report as)

The issue has been replicated on both MacBook and Windows using the newest version of Chrome. And because everything with Google is synced everywhere, I can immediately begin using my phone to log in with these “stolen” passwords. But just to be clear I never actually logged into any of these newfound friends’ accounts. It just prompts me to. And each one comes with a nice filled in password field already.

How Did You Discover This?

By accident. For the last two weeks my laptop has been in the repair shop and I’ve been using several laptops from strangers I’ve met at hotels. People I don’t know before I’d arrived in town and might never see again in real life. As a traveler we all know that shit happens. So when a fellow traveler explains how his laptop broke and asks if they can borrow yours for a few minutes, we tend to say yes. Of course first we always log out of web sites, but with Chrome that isn’t enough if you are not logged in or not incognito.

To confirm this, I went to the business center of my hotel in Bangkok and logged into Chrome. Just like that I snagged passwords and login details for half a dozen different Gmail and Facebook accounts. All the people who had been using the computer before me I assume. They thought logging out was enough, but in Chrome it isn’t.

As of February 2016 Chrome has a whopping 69% market share, and this number is rising every month. It is used by companies, internet cafes and hotel business centers around the world. Chances are you are viewing this article using Chrome. Are you logged in to it?

How Do I Prevent This?

Just login to Chrome, simple as that. And be sure to log out of Chrome before letting anyone else use your laptop for even a second.

Why Won’t Google Fix This?

From the official response to my bug report:

This is called a ‘physically local attack’ and is not covered by Chrome’s threat model see https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-

To be fair, Google makes a good point. If someone has physical access to your computer, they can do whatever they want. But I provided them with a simple solution: don’t immediately sync secure data gathered while Chrome is not logged in to the account of the next person to log in to Chrome. Easy enough, but apparently too hard for Google to do.

Do you use Chrome? Do you login to it?

Share your thoughts below.

Enjoy it? Tell a friend
About Derek Freal

"Some people eat, others try therapy. I travel."   Cultural enthusiast. Adrenaline junkie. Eater of strange foods. Chasing unique and offbeat adventures around the world since 2008. Derek loves going to new destinations where he does not speak a word of the local language and must communicate with hand gestures, or places where he is forced to squat awkwardly to poo -- supposedly its healthier and more efficient. For more information (about Derek, not squat pooing) including popular posts and videos, check out his bio.

10 thoughts on “If You Use Chrome, I Can Steal Your Passwords”

  1. Hey Derek,

    Great Info. I was not aware of this despite being employed in IT. Other than do not touch chrome on a strangers computer or log on to chrome in a total strangers computer the other methods to avoid this is to use incognito mode or clear cache, cookies and history of the browser once you finish using it.

    • Very true, there are other options to avoid this from happening. But far too many people not from IT backgrounds believe that just logging out of a web site is enough. And after mentioning this to several other digital nomad buddies (all of whom were equally appalled at the ease with which I was able to do this) I figured it best to let others know.

  2. One more thing. I think this only happens ( I am yet to reproduce this) to the saved passwords, not if you just logged in and out of a site. Is it like that.

    • Yes, it’s only to saved passwords. Because I was borrowing personal laptops, everything was saved. Now I don’t know what idiots saved their passwords to the public computer at the hotel I was staying at, but keep in mind this is the same hotel where my laptop had vodka and Red Bull spilled on it by two guests a few days before (which is the reason I had to start borrowing these laptops i the first place) so yeah, clearly not the best environment.

  3. You got it right my friend. That is the reason why I use Mozilla Firefox or Safari in public places. I have Chrome in my own PC only for myself and tell everyone to use other browsers when they borrow mine. I had a bad experience of using it once in an internet cafe that I ended up uninstalling and reinstalling Chrome then resetting their browser settings to make sure I get rid of the files I accidentally transferred from my own account. 🙂

    • Good advice. Google just makes it so damn convenient with saved bookmarks and stuff…and since I am trying to work from a beach in Thailand, I was looking for the easiest, least time-consuming way.

    • I used to be right there with you Bob. I have always been a loyal Firefox supporter and enthusiastic user since the early days — hell I still have a small collection of bookmarks there not synced with G. But I only use Firefox for a few certain things/sites now. The final straw was when they never add compatibility for img style=”max-width:100%” even long after every other browser had.

  4. Thanks for sharing your experience and advice Derek. I was aware of the log in and log out requirements of Google and find they are pushing us more and more to store our information with them. Only last weekend I was helping my mum with her Android mobile phone. An app was out of date and a newer version needed downloading from the Play Store. To do this though the phone was prompting her to log in with her Google profile or e-mail address. My mum doesn’t have an e-mail address and didn’t want to set one up. So we agreed the app was not that important and we’d rather go without.

    It seems almost anything to be done these days has to be via surrendering our e-mail address. I just spent some time earlier this week unsubscribing from some business related newsletter e-mails that I hadn’t subscribed to. They said at the bottom of their e-mails I was getting the e-mail because I worked in or was interested in such and such an industry. Absolutely nothing about whether I’d actually chosen to receive their e-mails!

    I must admit that over the years I’ve used Chrome, Firefox, Safari and others. Hated IE for years. I think I’ve experienced issues somehow with virtually everyone I’ve tried, hence reason for constant changing.

    • Remember Netscape Navigator? I’ve been running away from IE since the old days my friend hahaha 😉

      And I agree, it’s not always best to trust to much in the cloud or the newest apps. You’d be surprised what’s in the fine print for some of those.

      It was only after my brand new laptop went in for repair that I attempted to switch to Chrome. (I cannot stress this new factor enough because my two other laptops were in Delhi as I was traveling light for the pirate ship.) Anyway already had my most important spreadsheets bookmarks saved to FF and Ch so then it was just a matter of downloading my most important files and spreadsheets from the cloud to Drive then trying to remember a myriad of passwords. Because I work with laptops I have long had my important shit (including Lightroom catalog and Premiere files) synced so I can work regardless of device. Next thing you know I start logging in to Chrome across many different computers and begin amassing login details and bookmarks. Crazy shit. After finally remembering all my passwords and saving them to my Chrome I had to do a full erase and start over now that I’ve got my 4k vid laptop back. Now it’s time to get back to work for real! 😀


Leave a Comment