Google Chrome is a Security Nightmare

On December 11, 2008

You may have heard about Google’s new browser called Chrome. I thought about installing it so I can evaluate it. But then I thought about all the privacy violations that Google has been criticized by security experts over the years and decided to do a little research first. I have to admit, I am pretty hesitant when it comes to installing anything made by Google, whether it’s their toolbar, Web browser or anything else. I stumbled upon this article on TG Daily: Chrome is a security nightmare, indexes your bank accounts. In Google’s defense, I should point out that at the time the article was written, Chrome was still in beta. However, the article raises some interesting points and it’s the fact that Google is once again in the middle of a privacy controversy that caught my attention. Here are a few quotes from the article.

After playing around with Google’s brand new Chrome browser, we’ve discovered that its history search box will fetch all types of data – even text from HTTPS-protected financial sites like Washington Mutual and Capital One. With a few utterly simple keywords like balance, account and Sept., everything from balance information, account numbers and even how much you spent at Costco can be pulled up.

To see all of this in action, just open up Chrome and log in to your favorite financial website. Like most important sites, it should be protected with HTTPS/SSL encryption and that should be evident in the address bar of the browser. Do the stuff you would normally do like look at your balances and gawk at your latest transactions and then open up a new tab in Chrome by clicking the “+” symbol. In the right-hand history search box, enter a few keywords and see what they get you. Surprised? I bet you are. No luck? Then try something simple like oh Visa, Mastercard, balance and account. Also try out the names and abbreviations of months like September, Sept and Sep.

And on Guardian‘s Web site I read the following:

The history search feature means you can find all your financial, medical and other secrets from the browser without going anywhere near the secure site. Or someone else can. If you have a PC where someone else can access it — for example, in almost any office — then it’s a recipe for disaster.

The Electronic Frontier Foundation has a different concern. It says, according to CNet’s headline, We’re concerned about Google’s Omnibox. There’s a privacy issue because anything you type in gets sent back to the Google mothership, and it’s storing some of it. The ways to avoid that include (1) turn off auto-suggest; or (2) use a default search engine that isn’t Google; or (3) use porn mode. Any one will do.

Sorry, I forgot to include the (mercifully short) story of the day: you can crash Chrome by typing :% in the address bar. I expect someone will figure out how to crash it remotely, if they haven’t already done so….

According to Google their browser is supposed to “make the web faster, safer, and easier”. Safer? Really? Funny I just switched my default search engine from Google to Live Search as I mentioned in yesterday’s blog article Goodbye Google, Hello Live Search!. And no I didn’t do it because of privacy concerns, I did it because I liked Live Search better.

Print 🖨