Google confirms bug that makes passwords disappear
Updated 7/28 with news of a Google authentication protection that also recently disappeared.
Google has apologized after a bug prevented a significant number of Windows users from recovering or saving their passwords. The issue, which began on July 24 and lasted for nearly 18 hours before being resolved on July 25, was caused by “a change in product behavior without proper feature protection,” an excuse that may sound familiar to anyone caught up in the CrowdStrike disruption this month.
The disappearing passwords issue has impacted Chrome web browser users worldwide, preventing them from retrieving previously saved passwords using Chrome’s password manager. Newly saved passwords have also become invisible to affected users. Google, which has now fixed the issue, said that the problem is limited to Chrome browser version M127 on the Windows platform.
How many Google users were affected by the Chrome Password Vanishing Act?
It’s hard to pinpoint exactly how many users were affected by the disappearance of Google’s password manager. However, assuming there are over 3 billion users of the Chrome web browser, the vast majority of whom are Windows users, it’s possible to estimate the number. Google said that 25% of the user base saw the configuration change rolled out, which by my calculations is around 750 million. Of those, around 2%, according to Google’s estimates, were affected by the password manager issue. That means around 15 million users saw their passwords disappear into thin air.
Chrome Password Manager Issue Now Fully Resolved
Google said that a temporary workaround was provided at the time, which involved the particularly unfriendly process of launching the Chrome browser with a command-line flag of “--enable-features=SkipUndecryptablePasswords.” Fortunately, the full fix that has now been rolled out simply requires users to restart their Chrome browser to take effect. Thanking users for their patience, Google said: “We apologize for the inconvenience caused by this service interruption/outage.” Any Chrome users who have experienced an impact beyond what has been explained should, Google said, contact Google Workspace support.
Keeping all your passwords in one browser basket may not be a good idea.
Google Chrome version 127 was released to address a total of 24 security issues, but the password manager issue was not one of them. As I have said many times and will say again, keeping a dedicated password manager app is the smartest move from a strictly security perspective. While a browser-based solution is an element of ease of use, putting all your eggs in one basket when things go wrong, as they did here, even if it is only for a relatively short period of time, is never a good idea.
Passwords aren’t the only Google security measure that’s recently disappeared
Passwords aren’t the only thing Google users have seen disappear recently, according to investigative cybersecurity journalist Brian Krebs: Email verification when creating a new Google Workspace account has also disappeared for some users. The authentication issue, now fixed by Google, allowed bad actors to “bypass the email verification required to create a Google Workspace account,” Krebs said, allowing them to “impersonate a domain registrant to third-party services.” That impersonation meant the attacker could then log into third-party services, including a Dropbox account, according to the person who initially contacted Krebs.
The issue appears to be related to Google Workspace’s free trials, which provide access to services like Google Docs, for example. Gmail, on the other hand, is only accessible to existing users who can validate their control over the associated domain name. Or at least, that’s what should have happened. Instead, it appears that an attacker could effectively bypass the verification process entirely. Anu Yamunan, director of abuse and security protections at Google Workspace, told Krebs that a few thousand unverified accounts per domain had been created before the patch was applied. The patch, it should be noted, was applied within 72 hours of the vulnerability being reported. It appears that none of the domains were previously associated with Workspace accounts or services. “The tactic here was to create a specially crafted request by a malicious actor to bypass email verification during the sign-up process,” Yamunan said.
I have contacted Google for additional comment.