My Photo

About

My Books

  • Professional Web 2.0
  • Professional Ajax
  • Beginning XML

Organisations

  • Institution of Analysts and Programmers

« Coincidence, I Don't Think So | Main | A Not So Distant Echo »

Chrome browser: a cautionary tale

InsecureComputerAs my many readers know I don't often do techie posts but I felt this story deserved wider readership as a cautionary tale.
 
A friend of mine, let's call her Alice had a problem with her laptop and borrowed one from another friend, Bob. The laptop was running Windows 7 and Bob, who should have really known better as they were a professional IT guy, didn't bother to create a new profile for Alice but just handed over their password.
Alice was used to using Chrome as she used Gmail, Google Apps etc., and promptly installed it. They used the laptop for a few weeks until their new one arrived and often took advantage of Chrome's offer to save form data such as passwords. Again, probably a bad idea but she had a plan. When the time came to return the laptop she uninstalled Chrome and expected that her form data would disappear with it.
However, Bob now decided that he wanted Chrome and installed it, as he began to use it he noticed how many sites had saved passwords and discovered that all of Alice's data had been restored. This gave him access to email and many other sites although a few, such as banks, were protected by two-factor authentication (this is where you need to provide a second credential such as a password created on your mobile or from a dedicated device the bank has given you).
 
Nothing earth-shattering and all easily avoidable but just goes to show how you can be caught out even though you thought you were doing the right thing, in this case uninstalling a program.
 
Errors made along the way with my scale of insecurity out of ten, ten being very insecure:
  • Not creating a new profile and giving someone your password (Bob 10)
  • Not creating a new profile on a borrowed machine (Alice 8)
  • Letting Chrome remember stuff on someone else's machine, rather than use a proper password manager such as LastPass (Alice 9)
  • Not checking that data had been removed after the install (Alice 5)
 
Recommendations:
  • Set up two-factor authentication for email (and other key sites), it's easy to use and well worth the thirty minutes it takes to set up and the slight inconvenience
  • Do not hand out your account password, even to friends (and do have a password protecting your machine!)

June 13, 2016 in Web/Tech |

Comments