Google Chrome’s success shows in its massive 62% market share, which helps the browser further dominate the web browser market. Its seamless updates are a major factor behind that success, but the browser is now under attack after its latest upgrade dropped a nasty surprise on millions of users around the world.
In a blog post entitled “Why I’m done with Chrome,” cryptographer and Johns Hopkins University professor Matthew Green has exposed a subtle change to the Chrome sign-in experience which has the potential not only to put your data at risk but also to synchronize it, without your realizing, with any other users of your browser.
“From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It’ll do this without asking, or even explicitly notifying you,” warned Green.
The consequences of this are significant, as anyone who uses your browser now does so with your account. Their browsing history and cookies synchronize with your Google account across all the devices where you use Chrome.
Furthermore, if they log into any Google service, it will log you out of the browser and they can import all their bookmarks, settings, etc. When you sign back in, it has the potential to wreak havoc, as one wrong click can see your data merged with theirs.
“Whether intentional or not, it has the effect of making it easy for people to activate sync without knowing it,” says Green.
His words have found widespread support. Notably, Green cites one ex-Googler who tweets: “it’d only take one misclick to actually start syncing.”
And given how Chrome seamlessly updates, these changes have automatically hit everyone.
What Users Need to Do
So what can you do? Right now there is a hack: in Chrome, navigate to “chrome://flags/#account-consistency”, then disable the “Identity consistency between browser and cookie jar” setting. Yes, it is not exactly intuitive for the average user.
The good news is Google has promised to make changes. Chrome Product Manager Zach Koch has today published a blog post called “Product updates based on your feedback.” In it, Koch says the next major version of Chrome will allow users to disable the auto sign-in feature in settings, while the user interface will make it clearer when someone is signed in.
The problem is users will have to wait until “mid-October” for these changes to be rolled out, so you should remain vigilant for the next three weeks if you are not comfortable running the hack. In addition, it is important to note auto sign-in will remain enabled by default so you will need to turn it off manually.
Chrome has earned its position at the top of the browser charts on merit. After all, it is a slick, reliable, and secure browser which has remained unflappable for almost a decade while rivals have floundered. But Google needs to remember Chrome is not the Internet, and the Internet is not Google services.