News: 1722258067

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Google apologizes for breaking password manager for millions of Windows users with iffy Chrome update

(2024/07/29)


Google celebrated Sysadmin Day last week by apologizing for breaking its password manager for millions of Windows users – just as many Windows admins were still hard at work mitigating the impact of the faulty CrowdStrike update.

The [1]Google glitch occurred late last week and took until July 25 for the nearly 18-hour incident to finally be signed off as fixed.

The issue, which was limited to Windows users on the M127 version of the Chrome browser, meant that users were unable to find saved passwords. "Approximately 2 percent of users out of the 25 percent of the entire user base where the configuration change was rolled out, experienced this issue," Google said.

[2]

According to the search giant, "the root cause of the issue is a change in product behavior without proper feature guard." It all sounds suspiciously like a faulty update being pushed out.

[3]

[4]

The issue was global, and the actual number of affected users could run into the millions. According to [5]figures from the International Telecommunication Union (ITU), there were 5.4 billion internet users in 2023. Chrome's market share is 65.68 percent, according to [6]StatCounter . As such, more than 17 million users might have received the broken update and, as Google put it, "experienced the issue."

[7]Malware crew Stargazers Goblin used 3,000 GitHub accounts to make bank

[8]FYI: Data from deleted GitHub repos may not actually be deleted

[9]Adobe exec likened hidden cloud subscription exit fees to 'heroin', says FTC

[10]Maximum-severity Cisco vulnerability allows attackers to change admin passwords

Google Password Manager works by storing a user's credentials in their Google Account. It will also suggest strong and unique passwords "so you don't have to remember them," according to the ad slinger.

That's assuming, of course, the service doesn't abruptly disappear for almost a day because Google pushed out a broken update.

The incident highlights the risks of using a browser-based password manager, even from a vendor the size of Google, where a broken browser update could leave the password stash inaccessible. Password managers are, however, an increasingly important facet of modern life. Popular ones include LastPass, [11]which suffered a serious breach in 2022 , or [12]Bitwarden .

[13]

Using a password manager is a sensible precaution from a security perspective. However, while letting your browser take care of things might be convenient, it also carries its own risks. ®

Get our [14]Tech Resources



[1] https://www.google.com/appsstatus/dashboard/incidents/bRXnorYZuuVLDDqctj87

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zqe8pDyv6CMLRjyyQ8V1rgAAAIo&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zqe8pDyv6CMLRjyyQ8V1rgAAAIo&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zqe8pDyv6CMLRjyyQ8V1rgAAAIo&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx

[6] https://gs.statcounter.com/browser-market-share

[7] https://www.theregister.com/2024/07/26/github_stargazers_goblin_malware/

[8] https://www.theregister.com/2024/07/25/data_from_deleted_github_repos/

[9] https://www.theregister.com/2024/07/25/adobe_subscription_cancel_fees_ftc/

[10] https://www.theregister.com/2024/07/18/maximumseverity_cisco_vulnerability_allows_attackers/

[11] https://www.theregister.com/2022/12/23/lastpass_attack_update/

[12] https://www.theregister.com/2023/01/16/dump_lastpass_bitwarden/

[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zqe8pDyv6CMLRjyyQ8V1rgAAAIo&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[14] https://whitepapers.theregister.com/



And once again, why trust a code you don't know ?

Pascal Monett

My little password database is secure, if only because nobody knows its format, where it is or what's in it.

It could be a plaintext file in a specific (non Windows-managed) location. It could be an Excel spreadsheet on my NAS. It could be in my StickyNotes.

What it is not is depending on the vagaries of some remote entity I have no control over.

It used to be called a Personal Computer.

Emphasis on the word Personal.

Audit flagging

b0llchit

What secretly happened: The code in question was flagged in a security audit telling them that passwords were stored. Storing passwords is against policy and the code must therefore be removed.

We call this a feature, not a bug ;-)

This is less forgivable than the ClownStrike debacle

alain williams

At lease ClownStrike has the tissue thin excuse that it needs to get patches out quickly to prevent day-0 exploits. I do not think that this Google update was urgent and thus has no excuse to not go through proper QA.

But for both of them: QA costs money that neither wants to pay for, especially when the cost of damage is paid for by someone else.

Death didn't answer. He was looking at Spold in the same way as a dog looks
at a bone, only in this case things were more or less the other way around.
-- Terry Pratchett, "The Colour of Magic"