This is an open letter to Steve Gibson of grc.com, author of many books and articles, and co-host with Leo Laporte of “Security Now”, a TWiT network podcast on computer and Internet security.
I am posting this to provide a relevant, real-world case regarding a topic in episode 692 of “Security Now”, “SNI Encryption” https://twit.tv/shows/security-now/episodes/682?autostart=false.
I operate a small, two-man IT support and Managed Service Provider business in central New Hampshire. This post is in the blog section of my website. You will see that my website is on Squarespace, and this is primarily a personal, consultative business for small business owners.
Yesterday, I took a support call from a long-standing medical client who was having trouble using a cash management system in conjunction with their company financial software package. It turned out that the problem was not something that I could help them with, but rather a matter for their accountant or service provider.
While I was working with the clinic manager in a remote assistance session, viewing and operating her computer desktop remotely, I noticed that she was using Google Chrome, and that there was an unusual icon in the upper right-hand corner of her browser window. I checked, and the icon was the image upload for a Google account ID that Chrome was logged into. I clicked on the icon, and the identity that came up was the business name of a competing medical clinic. I asked the clinic manager how the ID came to be there, and she replied in very anxious tones that she had no idea. She is not technical at all; rather, she is a very responsible administrator who can follow clearly documented procedures to the letter, but she does not have much depth of perspective on most computer and Internet technology. She did not know what a Google account was, nor did she know that Chrome could be associated with a Google account and logged into.
As you can imagine, I became alarmed at this discovery, because if there had been some deliberate corporate espionage done against this person’s computer, this manager’s Chrome settings could easily be exfiltrated to another device logged in under the same account. Fortunately, the user was very clear that she never allows Chrome to retain user accounts and passwords to autofill login forms. She always responds “never” when prompted to save a password for a website, so I think that in this case, she is in the clear.
So, you can imagine my surprise when I caught up with my Security Now podcasts today, and you were discussing Matthew Green’s post about Chrome version 69, and Google’s decision to automatically log users into Chrome after logging into any Google service (https://blog.cryptographyengineering.com/2018/09/23/why-im-leaving-chrome/). However my client came to be logged into a competing clinic’s Google account, and while there are plausible explanations that do not involve corporate espionage, a few things are clear:
My client had no understanding of what was going on.
Exfiltration of credentials could have persisted for an indefinite period of time.
Had an attacker wanted to exploit the access to the financial and medical web accounts that this manager was using, an amazing amount of damage could have been done to the business. It could truly have been an existential threat.
Since the user had not stored any passwords in their Chrome browser, I preemptively logged the browser out of the account, and I am taking measures to ensure that other Chrome users in the business will be prevented from using personal Google accounts on their work computers. If we had chosen to do forensics and investigation, the cost of that process could have mounted up fairly quickly.
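Added here by the editor, not part of Nate’s letter or of any Google documentation quoted by it: one way to enforce the measure described above on Windows workstations is to set Chrome’s enterprise policies in the registry so that only the business’s own Google accounts can sign in to the browser, and so that settings and passwords are never synced. The company domain example.com is a placeholder; RestrictSigninToPattern, BrowserSignin and SyncDisabled are documented Chrome policy names, and the script assumes Windows clients and an elevated PowerShell session.

```powershell
# Editor-added example: Chrome sign-in and sync restrictions via registry policy.
# Assumes Windows and administrator rights; example.com is a placeholder domain.
$policyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

# Only Google accounts matching this regex may be signed in to Chrome.
# Any other account (for example a competitor's or a personal Gmail) is refused.
Set-ItemProperty -Path $policyKey -Name 'RestrictSigninToPattern' `
    -Value '.*@example\.com' -Type String

# BrowserSignin: 0 = disable browser sign-in entirely, 1 = allow, 2 = force.
# Use 0 if the business has no managed Google accounts at all.
Set-ItemProperty -Path $policyKey -Name 'BrowserSignin' -Value 1 -Type DWord

# Disable Chrome Sync so that saved passwords, history and settings are never
# copied to whichever account happens to be signed in.
Set-ItemProperty -Path $policyKey -Name 'SyncDisabled' -Value 1 -Type DWord

# Verification: the same values should appear under chrome://policy after a
# browser restart; anything shown there as "not set" did not apply.
Get-ItemProperty -Path $policyKey |
    Select-Object RestrictSigninToPattern, BrowserSignin, SyncDisabled
```

For a fleet, the same three values are normally pushed by Group Policy using Google’s Chrome ADMX templates rather than by running the script on each machine.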
Thanks again for your great and tireless work keeping the public informed on this complex and tricky subject area. I love the show, and I have been a loyal SpinRite user for many years.
Nate Abbott, Abbott Business Networks, LLC