A flaw in the Google Chrome web browser has been discovered that allows almost anyone to steal your saved passwords, form fields, bookmarks and browsing history. It was discovered by Lior Margalit during December 2017 and he reported it to Google but the company apparently gave a nonchalant answer.
What is concerning is how easy it is and how quickly one can exploit this flaw once they have access to your computer.
"I have reported this to Google before I brought it to you, their response was disappointing and amounted to Yes, given unrestricted access to a user’s account, you can steal data from it … Status:WontFix," writes Margalit.
Granted that the flaw requires you to have access to someone elses computer, the procedure that follows doesn't require any special skills and you could've likely already done it knowingly, or by accident.
All it takes is to use your friend or colleague's computer, sign them out of the Google Chrome browser through the
Edit person setting. Once you've signed them out, you then need to log yourself back into Chrome using your login details.
Here is where the flaw comes in.
Chrome will then pick up that there was another user logged in previously and it will ask you to select between two options:
This wasn't me or
This was me. Once you select the
This was me option, Chrome will then proceed to add the previously logged in users bookmarks, saved passwords, form fields and other settings to your Chrome profile.
At this stage, you can even log out of your friend or colleague's computer and use Chrome from your own computer and all the settings you sync'd will now be permanently under your Chrome profile. To confirm this, all you have to do is go to chrome://settings/?search=password after signing into Chrome. Click on
Manage passwords and they are all there.
Hopefully, Google gets their act together and issues an update that disables this feature especially considering the number of users in Afrika who use shared computers whether it be at school, tertiary institutions, work or even Internet cafes.