Updated July 28 with news about a Google authentication protection that also recently disappeared.
Google has apologized after a bug prevented a large number of Windows users from finding or saving their passwords. The issue, which Google says began on July 24 and lasted for about 18 hours before being fixed on July 25, was due to “a change in product behavior without adequate feature protection,” an excuse that will sound familiar to anyone involved in the CrowdStrike disruption this month.
The disappearing password problem
The issue affected Chrome users across the globe, making them unable to find any passwords already saved using the Chrome password manager. Newly saved passwords were also made invisible to affected users. Google, which has now fixed the issue, said the issue was limited to the M127 version of Chrome on Windows.
How many Google users were affected by Chrome’s disappearing password problem?
It’s hard to pinpoint the exact number of users who were affected by the Google password manager issue. However, working from the fact that there are over 3 billion Chrome web browser users, with Windows users making up the vast majority of those, it’s possible to come up with an estimate. Google said that 25% of its user base saw the configuration change roll out, which, by my calculations, is around 750 million. Of those, around 2%, Google estimates, were affected by the password manager issue. That means around 15 million users saw their passwords disappear into thin air.
The Chrome password manager issue is now completely fixed.
Google said a temporary fix was offered at the time, which involved a particularly user-unfriendly process of launching Chrome with the command line flag “--enable-features=SkipUndecryptablePasswords”. Fortunately, the full fix that has now been rolled out only requires users to restart their Chrome browser for it to take effect. Thanking users for their patience, Google said, “We apologize for the inconvenience this outage may have caused.” Google said that any Chrome users who experienced impact beyond what has been described should contact Google Workspace Support.
Keeping all your passwords in one browser basket probably isn’t a good idea.
Google Chrome version 127 was released to fix a total of 24 security issues, but the password manager wasn’t one of them. As I’ve said many times and will say again, having a dedicated password manager app makes the most sense from a strict security perspective. While a browser-based solution does serve the convenience factor, putting all your eggs in one basket is never a good idea when things go wrong, as they did here, albeit for a relatively short period of time.
Passwords aren’t the only security measure that’s recently disappeared from Google.
According to renowned investigative cybersecurity reporter Brian Krebs, passwords aren’t the only thing Google users have seen disappear recently: so has the email verification required when creating a new Google Workspace account. The authentication issue, which has now been fixed by Google, allowed malicious actors to “bypass the email verification required to create a Google Workspace account,” Krebs said, allowing them to “impersonate the domain owner on third-party services.” This impersonation meant that such an individual was then able to log into third-party services, including a Dropbox account, according to the person who initially contacted Krebs.
The issue appears to have been linked to the free trial versions offered by Google Workspace, which allow access to services like Google Docs, for example. However, Gmail is only accessible to existing users who can verify their control over the associated domain name. Or at least, that’s what should have happened. Instead, it appears the attacker could have bypassed the verification process entirely. Anu Yamunan, Google Workspace’s director of abuse and safety protection, told Krebs that a few thousand of these unverified accounts were created for the domain before the fix was applied. It should be noted that the fix was made within 72 hours of the vulnerability being reported. It’s understood that none of the domains were previously associated with Workspace accounts or services. “The tactic here was to create a specially crafted request by the bad actor to circumvent email verification during the signup process,” Yamunan said.
I have reached out to Google for further comment.