Whenever someone reports a vulnerability that requires local access to a system, a discussion erupts about whether that is really a vulnerability that needs fixing.

One side argues that it is, considering that there are numerous ways that someone could gain local access to a device. The other side argues that it is not, as an attacker can do anything on the machine anyway with local access (at the user's level).

An issue in Chrome was revealed recently by Lior Margalit on Medium that allows anyone with local access to a system running Chrome to steal saved data from the user account.

A prerequisite to that is that the actual user needs to be signed in to a Google account. If that is the case, an attacker can use the method to steal any sync data from the account including passwords, form field data, bookmarks, or the browsing history.

The problematic thing about this is that it requires no authorization whatsoever. Basically, what the attacker needs to do is sign out the actual user and sign in using a different Chrome account. Chrome then displays a prompt offering to add the user's bookmarks, history, passwords and other settings to the new account.

Since the data is synced to the new account, it is now possible to access all stored data, e.g. passwords on chrome://settings/?search=password, on any device you sign in to with that new account. The process itself takes less than a minute to complete.

Lior reported the issue to Google and received a "won't fix" response from the company, according to the article.

The process in its entirety:

  1. Go to chrome://settings/manageProfile.
  2. Click on "edit person".
  3. Select "sign out".
  4. Click on "sign in".
  5. Sign in using a different Google account.
  6. Select "this was me" when asked about the previous Google user who used Chrome on the machine.
  7. The data is synced to the selected account.
  8. Go to chrome://settings/?search=password to browse passwords on any machine running Chrome provided that you are signed in with the new account.

The whole process won't take longer than a minute to complete.

Closing Words

The best protection against the issue is to never leave your device without shutting it down or locking it. Another option that you have is to not sign in using a Google account. This reduces functionality, however, and some users may not want to do this.

There are other means to steal data from a device if local access is available. Nothing is stopping a user from opening the password listing in Chrome directly, for instance.

I think that Google should add a fail-safe to the process, for instance by asking the user to enter the password of the other account before proceeding with the merging of data.