Updated on Dec. 9, as Google issues new Chrome attack warnings.
Google warns that “defending against account takeovers” is getting harder, as hackers intensify their efforts to steal passwords, multi-factor authentication tokens and cookies. While losing your Google account is a nightmare, it could be much worse than that. It could let those hackers gain access to all your non-Google accounts as well.
If you sync Google Chrome across your devices, you will likely be alarmed to know just how much data Chrome harvests and stores under your account on Google’s cloud. That means private and sensitive data that has nothing to do with Google. All there for the taking, if hackers successfully steal your credentials.
“Get your bookmarks, passwords and more on all your devices,” Google says. “When you sign in to Chrome, you can save info in your Google Account. You can then use your info on all your devices where you’re signed in with the same account.”
That includes “bookmarks, history and open tabs, passwords, payment info, addresses, phone numbers, payment info that you saved to Google Pay, passwords that you saved to your Google Account and addresses that you saved to your Google Account.”
You can enable or disable Chrome Sync from the browser’s settings. You can choose to “sync everything” or “customize” your own list. That means you could stop passwords or payment info from being synced across all your devices. Inconvenient, yes, but safer, because that sync works through Google’s cloud, secured only by your account sign-in.
There is a separate issue. Google’s password manager is really just Chrome’s password manager, and security experts caution against saving passwords in browsers. This is because a single password then unlocks both your accounts and every password stored behind them, and those stored passwords are exposed to browser attacks, which are not uncommon.
You’re safer and more secure with a standalone password manager.
You must also make sure you have added a passkey to your Google account, and a form of multi-factor authentication that’s not SMS. America’s cyber defense agency has just warned Google account holders to “disable other, less secure forms of MFA” and to “review existing passwords to ensure they are long, unique, and random.”
Check and update your Chrome Sync settings now. You can also reset your Sync to delete past data and ensure nothing dangerous is lurking in your cloud account.
And while you’re looking at account-based exposures, bear in mind the latest Chrome update from Google. Per PC World, Google is “expanding the autofill capabilities of its Chrome browser with four new features. If you’re tired of endlessly churning through form after form on websites, and if you regularly rely on autofill to speed up your day-to-day browsing, then you’re going to find these enhancements useful.”
But Google has also just acknowledged the risks to AI browsers from indirect prompt injection attacks deployed by “malicious sites, third-party content in iframes, or from user-generated content like user reviews, and can cause the agent to take unwanted actions such as initiating financial transactions or exfiltrating sensitive data.”
And that’s the key point. Data stored via the browser is at risk.
Google is developing a complex fix. But as The Register puts it, “Google says Chrome’s new AI creates risks only more AI can fix. ‘User Alignment Critic’ will review agentic actions so bots don’t do things like emptying your bank account. Google plans to add a second Gemini-based model to Chrome to address the security problems created by adding the first Gemini model to Chrome.”