Should we change all our passwords? #1310

Open
ghost opened this issue Feb 4, 2021 · 19 comments

@ghost

ghost commented Feb 4, 2021

So the extension got removed from the store for malware. If the extension really had malware in it, why didn't Google remove it sooner???

@mike9k1

mike9k1 commented Feb 4, 2021

@deanoemcke and others have been integrating a closed-source library that tracks user information going all the way back to May of last year -- #1147

I am hearing rumblings that the developer is being paid by a third party to integrate a closed-source library that tracks user data in the latest release, hence the intrusive "UPDATE NOW" push. I'll be removing this extension post-haste.

I tried warning others about this and was harassed. Google didn't know until just recently when several security blogs covered it -- it's been going on for months at this point.

@itsaphel

itsaphel commented Feb 4, 2021

Google and other browsers need to seriously reconsider how this could fly under the radar for so many months. What if some of the largest extensions do this, uBlock Origin or some such? It's ridiculous that it took them this long, and when they did finally remove it they nuked it rather than revert to an earlier version.

Some analysis on what kinds of data it was collecting would help. Do we need to change passwords? Was it sending raw data like history and keystrokes to remote servers?

@ghost
Author

ghost commented Feb 4, 2021

I didn't have anyone try logging into my Google account, so I don't think it's so bad

@WarningHPB

> @deanoemcke and others have been integrating a closed-source library that tracks user information going all the way back to May of last year -- #1147
>
> I am hearing rumblings that the developer is being paid by a third party to integrate a closed-source library that tracks user data in the latest release, hence the intrusive "UPDATE NOW" push. I'll be removing this extension post-haste.
>
> I tried warning others about this and was harassed. Google didn't know until just recently when several security blogs covered it -- it's been going on for months at this point.

Could you stop spamming, it's happened now, let people figure out what to do about it FFS

@mike9k1

mike9k1 commented Feb 4, 2021

> > @deanoemcke and others have been integrating a closed-source library that tracks user information going all the way back to May of last year -- #1147
> >
> > I am hearing rumblings that the developer is being paid by a third party to integrate a closed-source library that tracks user data in the latest release, hence the intrusive "UPDATE NOW" push. I'll be removing this extension post-haste.
> >
> > I tried warning others about this and was harassed. Google didn't know until just recently when several security blogs covered it -- it's been going on for months at this point.
>
> Could you stop spamming, it's happened now, let people figure out what to do about it FFS

Okay, but understand that it goes back quite a while and so the scope of what might have been exposed is quite large by this point...

@mike9k1

mike9k1 commented Feb 4, 2021

> I didn't have anyone try logging into my Google account, so I don't think it's so bad

This can happen years down the line. Using the captured data too soon can compromise the source of the data (i.e. people will become suspicious and that can sound off alarms as to where the data came from), ofc they're also not going to hold onto it forever either.

To answer OP: yes, I think you should start rotating your passwords (although this is already considered a good practice to do every few months anyway).

You don't need to change every password at once, but yes, I would start using some kind of password manager (there's tons of them out there, most likely whatever you use has 2FA anyway) and start changing passwords one at a time.

@ghost

ghost commented Feb 4, 2021

> So the extension got removed from the store for malware. If the extension really had malware in it, why didn't Google remove it sooner???

This was down to the subreddit being made aware and reports that it abused Google policies.

@andrewprofile

> Should we change all our passwords?

  • Yes, in my Google account I get an alert about taking over some of my passwords :(

@MapleCCC

MapleCCC commented Feb 4, 2021

Does the Chrome browser allow extensions access to password data stored in the browser? If not, then no need to change passwords, I think. Maybe someone familiar with Chrome extension development knows the answer?

@ghost

ghost commented Feb 4, 2021

> Does the Chrome browser allow extensions access to password data stored in the browser? If not, then no need to change passwords, I think. Maybe someone familiar with Chrome extension development knows the answer?

No, in this case changing your password is the best thing to do.

Off topic: even with 2FA on the account there's no guarantee the Google account will be protected. Discord users had the accounts stolen even with 2FA enabled.

@csis0247

csis0247 commented Feb 4, 2021

> > Should we change all our passwords?
>
>   • Yes, in my Google account I get an alert about taking over some of my passwords :(

Could you elaborate? Aside from my router's default password, I do not have any compromised password according to Google's "Check passwords" feature.

@ghost

ghost commented Feb 4, 2021

> > > Should we change all our passwords?
> >
> >   • Yes, in my Google account I get an alert about taking over some of my passwords :(
>
> Could you elaborate? Aside from my router's default password, I do not have any compromised password according to Google's "Check passwords" feature.

It's still a good idea to change the passwords.

@sflesch

sflesch commented Feb 4, 2021

> > > Should we change all our passwords?
> >
> >   • Yes, in my Google account I get an alert about taking over some of my passwords :(
>
> Could you elaborate? Aside from my router's default password, I do not have any compromised password according to Google's "Check passwords" feature.

I believe Google is pulling this information from previous breaches. A number of my passwords are being reported by Chrome, but they are from some known breaches like those that can be found on haveibeenpwned.

@andrewprofile

> > > Should we change all our passwords?
> >
> >   • Yes, in my Google account I get an alert about taking over some of my passwords :(
>
> Could you elaborate? Aside from my router's default password, I do not have any compromised password according to Google's "Check passwords" feature.

This is what this mechanism is about, it will be different for each person :)

@sarog

sarog commented Feb 5, 2021

> Does the Chrome browser allow extensions access to password data stored in the browser? If not, then no need to change passwords, I think. Maybe someone familiar with Chrome extension development knows the answer?

In a dormant state, extensions can't access Chrome's password storage system without interactive authentication (e.g. asking for a password).

However, the websites you visit and allow Chrome to auto-fill credentials on might allow third-party extensions to exfiltrate passwords from web forms using plain JavaScript. Since (by default) we allow TGS full access to every site we visit ("Allow this extension to read and change all your data on websites you visit") then any site you recently auto-filled with the vulnerable version of TGS actively running on your system has potentially captured your credentials.

Since we don't know for sure what has actually been done, that only leaves everyone one option: change your passwords in case. As someone who has over 1,500+ passwords saved into Chrome, looks like my upcoming weekend has already been planned out for me (even if I downgraded to my own copy of TGS 7.1.6 back on November 25th, 2020).

Side note for users who plan on not taking any action and simply relying on Chrome to alert them about leaked passwords: if you actually get this alarm, it means you're probably screwed and most likely too late to do anything about the breach you now have to clean up.
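
An added example, not part of the thread and not code from the extension under discussion: the "read and change all your data on websites you visit" access mentioned above corresponds to all-site match patterns in an extension's `manifest.json`, and this Node.js check flags them so you can see which installed extensions run script inside every page. The function names and both sample manifests are constructed for illustration.

```javascript
// Match patterns that cover every site (or every http/https site).
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function broadPatterns(list) {
  return (Array.isArray(list) ? list : []).filter((p) => BROAD_PATTERNS.has(p));
}

function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 lists host patterns in "permissions"; V3 uses "host_permissions".
  for (const key of ["permissions", "host_permissions", "optional_permissions"]) {
    for (const p of broadPatterns(manifest[key])) {
      findings.push({ where: key, pattern: p });
    }
  }
  // Content scripts run against the page's DOM, so they can read form fields
  // (including values the browser auto-filled) on every matching site.
  (manifest.content_scripts || []).forEach((cs, i) => {
    for (const p of broadPatterns(cs.matches)) {
      findings.push({ where: `content_scripts[${i}].matches`, pattern: p });
    }
  });
  return {
    name: manifest.name || "(unnamed)",
    allSiteAccess: findings.length > 0,
    injectsIntoAllSites: findings.some((f) => f.where.startsWith("content_scripts")),
    findings,
  };
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLE_BROAD = {
  name: "sample-tab-helper",
  manifest_version: 2,
  permissions: ["tabs", "storage", "http://*/*", "https://*/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
const SAMPLE_NARROW = {
  name: "sample-single-site",
  manifest_version: 3,
  permissions: ["storage"],
  host_permissions: ["https://example.com/*"],
};

console.log(JSON.stringify(auditManifest(SAMPLE_BROAD), null, 2));
console.log(JSON.stringify(auditManifest(SAMPLE_NARROW), null, 2));
```

To check a real extension, pass `auditManifest` the parsed contents of its `manifest.json`.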

@pressRtowin

I have no concrete proof that the two are related, but you may find my recent security breach to be of interest. I wrote about it here: #1307 (comment)

@ghost

ghost commented Feb 5, 2021

> @deanoemcke and others have been integrating a closed-source library that tracks user information going all the way back to May of last year -- #1147
>
> I am hearing rumblings that the developer is being paid by a third party to integrate a closed-source library that tracks user data in the latest release, hence the intrusive "UPDATE NOW" push. I'll be removing this extension post-haste.
>
> I tried warning others about this and was harassed. Google didn't know until just recently when several security blogs covered it -- it's been going on for months at this point.

@mike9k1 well done for spotting when you did. Sorry to hear you weren't taken seriously. Good lessons can be learned the hard way

@ossilator

@tris543, actually, it's pure coincidence that he was "right" in retrospect. See my comment on the other issue.

@ghost

ghost commented Feb 5, 2021

> @tris543, actually, it's pure coincidence that he was "right" in retrospect. See my comment on the other issue.

@ossilator I did read it and understand that tracking was implemented before.

If someone is saying something about malicious content, I don't think it's a joking matter, and investigating is always and should be the best course of action.

That investigating has happened way too late and the victim number was 2,000,000+; that was the number of Google users that downloaded the extension. I really believe this could have been avoided.

I thank you for the reply.
