Google apologizes after passwords disappear for 15 million Windows users

Updated 07/28 with news about Google authentication protection, which also disappeared recently.

Google said it was sorry after a bug prevented a significant number of Windows users from finding or saving their passwords. The problem, which Google noted began on July 24 and lasted nearly 18 hours before being fixed on July 25, was due to a “change in product behavior without proper feature protection,” an excuse that may sound familiar to anyone caught in the CrowdStrike outage this month.

The disappearing password issue has affected Chrome web browser users worldwide, leaving them unable to find already saved passwords using Chrome’s password manager. Newly saved passwords were also made invisible to affected users. Google, which has already fixed the problem, said the problem is limited to the M127 version of the Chrome browser on the Windows platform.

How many Google users were affected by the Chrome disappearing password act?

It is difficult to determine the exact number of users who were affected by the disappearance of passwords from Google’s password manager. However, working on the basis that there are more than 3 billion users of the Chrome web browser, with Windows users accounting for the vast majority of them, it is possible to arrive at an approximate number. Google said 25% of its user base saw the configuration change, which I estimate is about 750 million. Of those, about 2%, according to Google’s estimate, were affected by the password manager issue. That means around 15 million users have seen their passwords disappear into thin air.

Chrome’s password manager break is now fully fixed

Google said a workaround was provided at the time, which involved the particularly user-inconvenient process of starting the Chrome browser with the command-line flag “--enable-features=SkipUndecryptablePasswords”. Fortunately, the full fix now released simply requires users to restart their Chrome browser to take effect. Thanking users for their patience, Google said that “We apologize for the inconvenience this service interruption may have caused.” Any Chrome users who have experienced an impact beyond what’s described should, Google said, contact Google Workspace support.

Maybe keeping all your password eggs in one browser basket isn’t a good idea

Google Chrome version 127 was released to fix a total of 24 security issues, but the password manager issue was not one of them. As I’ve often said and will say again, maintaining a dedicated password management application makes the most sense from a strict security perspective. While the browser-based solution serves the ease-of-use element, having all your eggs in one basket when things go wrong, as they did here, albeit for a relatively short time, is never a good idea.

Passwords aren’t the only Google security measure to disappear recently

According to renowned investigative cybersecurity reporter Brian Krebs, passwords aren’t the only thing Google users have seen disappearing recently: the email confirmation when creating a new Google Workspace account has also disappeared for some users. The authentication issue, also now fixed by Google, allowed bad actors to “bypass the email verification required to create a Google Workspace account,” Krebs said, allowing them to “impersonate the owner of a domain on third-party services.” That impersonation meant such a person could then log into third-party services, including a Dropbox account, according to the person who initially contacted Krebs.

The problem seems to be related to the free trials that Google Workspace offers, which allow access to services like Google Docs, for example. However, Gmail is only available to existing users who can verify their control of the associated domain name. Or at least that’s what was supposed to happen. Instead, it appears that an attacker could effectively bypass the validation process entirely. Anu Yamunan, director of abuse protection and safety at Google Workspace, told Krebs that several thousand such accounts without verified domains were created before the patch was implemented. The patch is said to have been made within 72 hours of the vulnerability being reported. It is understood that none of the domains had previously been associated with Workspace accounts or services. “The tactic here was to create a specially crafted request by a bad actor to bypass email verification during the registration process,” Yamunan said.

I’ve reached out to Google for further comment.