
Google Locked Users Out Due To A Bug On Windows Devices

On July 24, 2024, Google experienced a bug that affected Chrome Browser users around the world. The issue prevented users from accessing or saving passwords using the Chrome Password Manager for nearly 18 hours, and was traced to the M127 version of the Chrome Browser on Windows platforms.

Google identified the problem as a change in product behaviour that lacked proper safety precautions. Engineers quickly rolled out a fix, advising users to restart their browsers to resolve the problem.

In response to these incidents, Google has reaffirmed its plans to protect user data and improve security measures so this doesn’t happen again. The company is working closely with cybersecurity experts to analyse the incidents and refine its security protocols.
 

What Did This Teach Users On Password Safety?

 
Chelsea Hopkins, Social Media and PR Manager at Fasthosts, commented, “This Google error has been a lesson in proper password management, especially for smaller businesses who may have the vast majority if not all of their passwords saved exclusively in Google Password Manager.”

This bug comes not long after the global CrowdStrike/Microsoft outage. Whether or not they are linked, they both remind us that the digital world will also have setbacks, and that cybersecurity is more important than ever.

Hopkins commented, “This ‘outage’ is also a point in favour of passwordless accounts, something which Google themselves are promoting and are in fact already using as the default option for new personal Google accounts. This new method of authentication links your device to the account you’re trying to access, skipping the need for passwords entirely.

“A passkey is created for your device which is stored locally and heavily encrypted, making it extremely secure, and you’ll only need to use your already existing PIN, FaceID, or fingerprint scan to log in to all of your accounts. Businesses large and small should definitely be looking into switching to passwordless options, and this latest Google error should be your wake-up call to do so.”
 

Google Workspace Authentication Flaw

 
In a separate incident, Google Workspace faced a security flaw that allowed unauthorised account creation without email verification. This flaw let attackers impersonate legitimate domain owners and gain access to third-party services integrated with Google’s authentication system. The breach was identified after a user reported an unauthorised Workspace account creation. Google said, “In the last few weeks, we identified a small-scale abuse campaign whereby bad actors circumvented the email verification step in our account creation flow for Email Verified (EV) Google Workspace accounts using a specially constructed request.

“These EV users could then be used to gain access to third-party applications using ‘Sign In with Google’. Within 72 hours of discovery, Google fixed the issue. We have subsequently added additional detection to protect against such malicious activities.”
 

 

Password Managers For Safety

 
Google does have a password manager, so a further step to take is to refrain from storing all passwords in one place. Using 2 or 3 password managers, like 1Password and NordPass, helps store passwords safely without having to rely on one manager.

Tim Hall, CTO at managed IT services provider Boxxe, advised, “Remembering lots of passwords and making sure they’re strong is hard work, but using a Password Manager can cut the number of passwords you have to remember to just one.

“The Password Manager will handle the rest, from coming up with new passwords that are long and cryptic, to storing them securely online, and auto-filling them on forms when you need them.

“Even if a hacker does gain access to your password through a breach, two-factor authentication will keep them out of your account by requiring a second form of identification.

“This can be in the form of SMS, email and app-generated codes, or biometric verification through fingerprint for example.

“While it does make the sign-in process longer, this is a vital safeguard. You should always look to enable this feature on your most important online accounts, such as email, online banking and cloud backup services.”
 

How Can Startups Stay Protected?

 
Startups need to make sure their sensitive data is safe. Ev Kontsevoy, CEO at Teleport, commented on cybersecurity measures for startups’ passwords: “Generally speaking, any startup wanting to protect the data in their applications and modern infrastructure should not use passwords, or really any outdated static credentials for identity authentication, including browser cookies, API keys, etc.

“A lot of attention gets paid to software vulnerabilities, but most successful data breaches still come from social engineering and phishing attacks. If one engineer makes a mistake and a password ends up in the wrong place, that’s an open door for a hacker to access a company’s infrastructure and pivot laterally across different parts without anyone knowing otherwise.

“A more secure approach is to instead base employees’ identities on real world attributes. Effectively, this means an employee’s identity becomes based on the sum of their biometrics, the hardware identity of their machine, and a PIN code.

“That should be the basis of what companies use for authentication and authorisation. There are already examples of this in some technology ecosystems. For example, to download an app on the iPhone, you need 1) facial recognition, 2) device recognition, and 3) your Apple ID code. The time has come to implement these principles in modern infrastructure in order to better protect sensitive data.”
