Saving Passwords: Security & Privacy Implications
A new feature, Google automatic sign-in, has been implemented in a recent Google Chrome release which allows Chrome to log a user into the browser automatically after they have logged into another Google service.
The setting is set to on by default and is triggered by logging into Gmail, YouTube, Google Drive, or any of the other services that are offered by Google.
This can be a convenient feature, however, the security and privacy implications outweigh the convenience of having the user accounts auto logged into.
Saving passwords in Chrome is again a convenient feature, but, if an attacker has access to the system, the user’s password is what secures access to the password file.
This file is stored locally on the system inside the user’s home file path or can be accessed through the settings panel of Google Chrome. Password harvesting is a high priority of any attacker and will look to gain access to more accounts by any means possible. Utilizing this feature creates a one-stop-shop for the attacker.
This feature was implemented in version 69 released on September 4th, 2018. Newer versions of Chrome have made the feature more transparent and easier to opt-out of, but continue to have the feature on by default. Users who have had Chrome since version 69 or older may find that they’ve been logged into the browser without their knowledge even if they are keeping the software updated to the latest versions.
This may also expose corporate information, such as internal machine names or subdomains, to Google’s servers. This essentially requires you place trust in Google to keep your data safe, even if they are not a service provider for your organization.
Update Privacy and Security Settings
Tell Google No! if you are utilizing the latest version of Chrome and no longer want to be automatically be logged into Chrome. There is a way to turn off this feature. Within Chrome, navigate to the settings and find “Privacy and Security.” You may need to click the “Advanced” drop-down at the bottom of the page to find this. The first option there is “Allow Chrome sign-in,” toggle the radio button. Now the automatic login has been turned off.
Threat & Vulnerability Management
VerSprite offers a new level of integrated security solutions that provide improved context around discovered vulnerabilities, 24/7 enterprise security monitoring, and experienced open-source intelligence gathering tradecraft. Learn More →