Google Chrome 79 Comes with Two Major Password Security Features and a Massive Bug on Android

Chrome 79's Security Features and Android Bug

Last week, Google announced the rollout of Chrome 79. With it, the browser vendor introduced a couple of new features that are supposed to help users have a safer online experience, and the PR people were hoping that the new additions would be well received. Instead, however, for the last week or so, most of the discussion related to Chrome 79 has revolved around a rather serious bug that caused quite a few headaches not only for Google but for many Android users and app developers. Before we get to it, however, let's talk about Chrome's new security features.

Chrome knows if you're using a breached password

It must be said that the first new feature isn't actually that new. Google integrated it into the Password Checkup Chrome extension that appeared earlier this year.

Password Checkup sounds like nothing more than a glorified password strength meter, but it's actually a bit more than that. The idea is that it checks each and every one of the passwords you're using against a corpus of breached login credentials. If it finds a match, it will alert you to it, and it will advise you to change the compromised password.

It's hardly a ground-breaking idea. Troy Hunt has had a similar service for a while now, and even the US National Institute of Standards and Technology (NIST) has said that implementing similar alerts is a good idea because a compromised password is, arguably, even more dangerous than an easy-to-guess one. Most likely because of this, Google decided to integrate the checkup directly into the browser. Users who have updated to the latest Chrome version no longer need to use Google's extension.

Obviously, some people might have privacy concerns. After all, Google promises that it will tell you if the password you're using has been breached. How is it going to do that if it doesn't see your password? The answer is "encryption."

When Chrome 79 was launched, Google said that whenever its security team locates login credentials leaked from an online service, it uses a complicated process to create "hashed and encrypted" copies of the passwords which are then stored on its servers. The same process hashes and encrypts your password when you enter it, and the result is checked against Google's database. Thanks to this, Google can't see your plaintext password, but it can tell you if it has been leaked in the past.

Chrome is not really holding the pioneer's torch in this particular field. Several months ago, Mozilla integrated Troy Hunt's API into Firefox. At close to 4 billion compromised records, however, the dataset against which Chrome users' passwords are checked is much larger. And in any case, it's good to see that the creator of the world's most popular browser is trying to take care of people's online security. Speaking of which, the second feature Google introduced with Chrome 79 could also be rather useful.

Chrome gets enhanced phishing protection

For years, Chrome has relied on Google's Safe Browsing API to flag phishing and dangerous websites. In simple terms, the browser would check every URL you visit against a list of known phishing pages, and if it thinks that you're about to be tricked by scammers, it would display a big red warning. New URLs are added to the Safe Browsing list of phishing pages all the time, and Chrome downloads an updated version of it every half an hour. Historically, this has helped people keep up with the crooks, but as it turns out, it's no longer enough. Chrome's developers have noticed that phishers have recently started changing domains and URLs more frequently, which means that quite often, the 30-minute delay could be fatal.

To combat this, Chrome's new version now offers a more advanced, nearly real-time phishing protection, which is supposed to result in a whopping 30% more warnings and quite a lot fewer phished login credentials. If you enable the new feature, Google will need to go through the URLs you visit, but it said that there's nothing to worry about because all the data will be anonymized.

All this was good news, and it's fair to say that at least some of the users were eagerly anticipating the launch of Chrome 79. Those with Android devices, however, were in for a bit of a surprise.

The new Chrome version broke quite a few Android applications

Shortly after the update was announced, Android users started complaining that something was not right. All of a sudden, they found that some of the apps on their devices had been reset. They had been automatically logged out of their accounts, and their personal settings had been overwritten. Naturally enough, people first contacted the apps' developers who were completely dumbfounded by the problem because it wasn't caused by any changes they had made.

Eventually, the culprit was found – it was Google's newly updated browser. All affected applications were running on top of Android's WebView – a simplified version of Chrome, which makes it easier to transfer the functionality of a web application that is normally viewed through a browser to a standalone Android app. These apps store information like cached files and session cookies, and Chrome 79 changed the location of that data. As a result, the apps could no longer find users' old settings and files, and they went back into their default mode. For some applications, the functionality was seriously affected, and, not surprisingly, the negative reviews arrived pretty quickly.

The bug caused a fair bit of confusion. Some people even thought that the data had been irretrievably lost. Thankfully, Chrome's dev team knew that this wasn't the case, and earlier today, they announced that people should be expecting a fix very soon. Chrome 79.0.3945.93 reverts the changes that caused the bug, and after people update their browser, their apps should start working as expected again. Developers of the affected applications don't need to do anything.

On the face of it, at least, fixing the bug didn't seem too complicated. The patch did take Google some time, though, and the damage that app developers, in particular, suffered in the meantime was not insignificant. So much so that it managed to overshadow Chrome 79's new password checkup and phishing protection features. Here's hoping that similar incidents are fewer and farther between in the future.

December 19, 2019
