Whenever someone reports a vulnerability that requires local access to a system, a discussion erupts about whether that is really a vulnerability that needs fixing.
One side argues that it is, considering that there are numerous ways that someone could gain local access to a device. The other side argues that it is not, as an attacker can do anything on the machine anyway with local access (at the user's level).
An issue in Chrome, revealed recently by Lior Margalit on Medium, allows anyone with local access to a system running Chrome to steal saved data from the user account.
A prerequisite to that is that the actual user needs to be signed in to a Google account. If that is the case, an attacker can use the method to steal any sync data from the account including passwords, form field data, bookmarks, or the browsing history.
The problem is that this requires no authorization whatsoever. Basically, what the attacker needs to do is sign out the actual user, and sign in using a different Chrome account. Chrome then displays a prompt to add the user's bookmarks, history, passwords and other settings to the new account.
Since the data is synced to the new account, it is now possible to access all stored data, e.g. passwords on chrome://settings/?search=password, on any device that is signed in with that new account. The process itself takes less than a minute to complete.
Lior reported the issue to Google and received a "won't fix" response from the company, according to the article.
The process in its entirety:
The whole process won't take longer than a minute to complete.
The best protection against the issue is to never leave your device without shutting it down or locking it. Another option that you have is to not sign in using a Google account. This reduces functionality, however, and some users may not want to do this.
There are other means to steal data from a device if local access is available. Nothing's stopping a user from opening the password listing in Chrome directly, for instance.
I think that Google should add a fail-safe to the process, for instance by asking the user to enter the password of the other account to proceed with the merging of data.
Now You: What's your take on this?
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.