Chromium and Google Chrome security question

I recently installed a new operating system version on my pc. A clean install rather than an 'upgrade'. Now I like to use the Chromium / Google Chrome browsers mainly as the bookmarks are auto sync'd for every pc or even phone that uses chrome.

I was really surprised to find that when I used the browser for the first time in my new Debian system - not only are the bookmarks retrieved from some online server - but ALL my secret login details even for SSL enabled websites automatically appear as well!

Who has control or access to the servers that store this data?

If malicious crackers somehow break into these online servers it would be an epic disaster. I was just wondering if I should stop using this browser for this reason! I'm sure that there is a mathematical proof that shows 'convenience = greater risk' (in computer security at least). Do you worry about this?
You're not the only one who worries about stuff being in "the cloud". But it's pretty sophisticated technology. I wouldn't worry about hackers getting into your stuff :)
I am probably a bit paranoid as I started reading a book today called "Dark Market" by Misha Glenny.
It is quite frightening but a good read.

You're right though, I should just carry on using Chromium and not worry too much, otherwise the next step might be for me to just pull the plug and go offline completely :)
Who has control or access to the servers that store this data?

The same corporation that knows everything you searched for in the last two years. Google.

http://en.wikipedia.org/wiki/Criticism_of_Google#Privacy_and_data_protection_cases_and_issues_by_state

If malicious crackers somehow break into these online servers it would be an epic disaster. I was just wondering if I should stop using this browser for this reason!

Absolutely, in my opinion. I'm being a bit of a hypocrite, though. I still prefer the Google search engine to others, such as DuckDuckGo. And I do not disable the blacklist system in Firefox (which to my knowledge functions by asking Google and others if a site is safe, or if it was reported for forgery etc.)
closed account (3qX21hU5)
As RB said I wouldn't worry too much. Though you should take some steps just in case. Like never autosave your login information for anything critical like bank accounts, don't choose the save credit card number for later purchases on shopping websites, and stuff like that. They most likely won't get hacked but your computer can get hacked.

If you are really concerned you can look into stuff like identity guard or other reputable services like it. They cost about 10 dollars a month but are worth it in my opinion. I use it to protect my identity and monitor my credit score, etc.
Say you have a FB password synced on Chrome "Cloud".
Your only way to access this password is by having your Google Account password.

So it all depends on your e-mail password.
You lose it, you may lose everything.
Neil wrote:
but ALL my secret login details even for SSL enabled websites automatically appear as well!
I can't replicate this, are you sure?
I just checked one example bookmark site uses https. Months ago I told chromium to save the password. I did not expect that passwords and usernames were stored in the cloud. I thought it was only the bookmarks data.
It seems that a bunch of other data goes out there as well.
I didn't even have to type in my router's admin password. Anyone who has that can walk right in and not worry about cracking my 63 character WPA PSK key! What's more, a remote user could do that even though I have remote management disabled. Those who have access to this cloud can do that if they wanted.

Someone somewhere can access this cloud data. What concerns me now is that it's a fact that the criminals are always exploiting tech way before regular people like me get to know about it.
When it comes to privacy there are no good guys and bad guys just plain snoops.
But yes I'm sure about this. Did you tell your browser to remember the password?
If you do it definitely goes out there. If I did not do a clean install of wheezy, I would have thought the passwords and usernames were stored on my hard disk. But they were not.
I'm doing what zero said. Remove saved password for sensitive websites and hopefully it will be removed from the cloud on the next sync.

What catfish4 points out was shocking as well. I had no idea Google kept search records for 2 years.

Neil wrote:
I told chromium to save the password. I did not expect that passwords and usernames were stored in the cloud.
There's your problem.
Change the setting: http://i.imgur.com/JoMHb9T.png
Delete the data: http://i.imgur.com/EGUoRCr.png
If you're going to be paranoid about Google monitoring where you go and sending it out, you can just opt out here:
https://tools.google.com/dlpage/gaoptout?hl=en

http://www.networkadvertising.org/choices/
http://www.aboutads.info/choices/

are also very useful, for opting out of other advertisement data collection methods.
Thanks for the links LB - I now know how to switch it off and that has made me feel a whole lot better.
Thank you all for your replies and advice.
@ Neil: if you haven't already, I suggest you change all passwords that were in the cloud. You can't know if your data has really been deleted, or just moved away to a restricted area.
closed account (1yR4jE8b)
Holy crap, so much ignorance in this thread. Your Chrome data is encrypted with your Google account password, which is more than likely hashed and salted for your Google account; Google cannot decrypt your password, and therefore cannot decrypt your sync'd data.

Furthermore, you can double-encrypt it with a separate passphrase, that Google will never see, making it nearly impossible to decrypt.

https://support.google.com/chrome/answer/1181035?hl=en
Some people are paranoid that Google has their password and secret encryption key in plain text form and is only pretending to store your data encrypted. In fact they're so paranoid that they think that using a network sniffer to see for themselves would involve having the sniffer send the data to the guy that made it, so they can't even find out for themselves.

Personally though I trust that Google really doesn't have access to my data without my password.
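
The point argued in the posts above, as an added example that is not part of the thread and is not Chrome's code: when the key is derived on the client from a passphrase, the stored record holds only a salt, a nonce, ciphertext and an authentication tag. The choice of scrypt and AES-256-GCM, the function names and the sample login are assumptions made for this illustration, not Chrome's documented sync scheme.

```javascript
const crypto = require("node:crypto");

// Derive a 256-bit key from the passphrase. The salt is not secret and is
// stored next to the ciphertext so any client can repeat the derivation.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Client side (hypothetical helper): returns the record that gets uploaded.
function sealForUpload(passphrase, plaintext) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { salt, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Client side (hypothetical helper): returns the plaintext, or null when the
// passphrase is wrong or the stored record was modified.
function openFromDownload(passphrase, record) {
  const key = deriveKey(passphrase, record.salt);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, record.nonce);
  decipher.setAuthTag(record.tag);
  try {
    return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]).toString("utf8");
  } catch {
    return null; // GCM tag check failed
  }
}

// What the storage side holds: every stored byte, searched for the secret.
function serverViewContainsPlaintext(record, secret) {
  const blob = Buffer.concat([record.salt, record.nonce, record.ciphertext, record.tag]);
  return blob.includes(Buffer.from(secret, "utf8"));
}

// Constructed sample data, not taken from the thread.
const SAMPLE_SECRET = "constructed-sample-password";
const SAMPLE_LOGIN = JSON.stringify({ site: "https://router.example", user: "admin", password: SAMPLE_SECRET });
const stored = sealForUpload("correct horse battery staple", SAMPLE_LOGIN);

console.log("right passphrase:", openFromDownload("correct horse battery staple", stored));
console.log("wrong passphrase:", openFromDownload("wrong guess", stored));
console.log("plaintext visible in stored record:", serverViewContainsPlaintext(stored, SAMPLE_SECRET));
```

Whoever holds the stored record can still try passphrases offline, so the protection is only as strong as the passphrase and the cost of the key derivation.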
Don't worry buddy, all that data is encrypted so if you just lost your passphrase or password it is humanly impossible for anyone to break in and look at it. Though technically if all of Google's CPU power was used to brute force chances are it may be cracked using brute force within some reasonable (maybe not) time.
If Google made the encryption system, they also made the decryption system.
For them to decrypt a password, it only takes:
 
std::string UserPassword = Google::Security::Password::Decode(Google::Cloud::Users::GetChromeUsers()["SGH"].Password);

Just supposing all those namespaces/classes exist and work.
Google is a data hog. How can anyone believe they would store your data in a way such that it's inaccessible to them?

I will go further and say they don't even delete it, ever. Because who deletes "backups", no?

Still, I have an open mind! So please give me an official, technical whitepaper detailing exactly how Google manages its data (and not some legalese commitment to privacy crap) that proves me wrong, and I'll read it.
closed account (1yR4jE8b)
https://www.google.com/intl/en/chrome/browser/privacy/whitepaper.html

For the lazy:
https://www.google.com/intl/en/chrome/browser/privacy/whitepaper.html#signin

Though, judging from your tone, you're just going to dismiss it anyway.
@EssGeEich: Assuming they store the raw password and not the hash.
First of all, even if they hacked into the actual servers they would need to decrypt the actual custom hash, which is almost impossible to do. Then there would be covering your tracks via deleting IP logs from servers using some type of shell such as C99. The other thing is first breaking into the server, which would probably be almost impossible. Even if they managed to find an exploit it needs to be:

[=] SQLi
[=] XSS
[=] RFI \ LFI

and not other exploits. Of course there can be Remote Code Execution but they are rarely found.

Also there would be high security protection, for example an AV, a real person watching for any changes in the database and such. Then there are automated systems which would inform the FBI, CIA about any suspected breach.

So it would be 99.99999999999999999999999999999% percent that any hack would be successful during our lifetime. Even if they hacked into it now it would take a couple of centuries to decrypt the hashes, so till then they too will die.

Not only that, but if a hack is successful the servers would go offline as soon as possible, to prevent more data transfer.