Chromebook bug could let someone see where you’ve been in the real world

Chromebook
(Image credit: CC Photo Labs / Shutterstock)

Chromebooks have an apparently serious security flaw which can allow a snooper to see the location history of where the device has been – and therefore (presumably) where you’ve visited – in the past week.

Getting this info involves logging into the device in guest mode when the Chromebook is first turned on, which anyone can do (providing it hasn’t been disabled). The whole point of this mode is that it allows guests to use the device to browse the web without knowing the laptop’s password.

Unfortunately, when in guest mode on Chrome OS, there’s a security issue which a snooper can leverage to discover your location history. Namely, Wi-Fi logs are accessible and unprotected in local storage in guest mode, and that includes logs pertaining to the password-protected accounts on the system.

While those logs may be gobbledygook to the average user, somebody who knows what they’re doing can find out the history of which Wi-Fi networks the computer has been connected to – and therefore, with a bit of extra work, the locations where the laptop has been. The aforementioned logs could contain details of location history going back up to a week.

While a password isn’t required to exploit this bug, the perpetrator needs to be able to physically access the Chromebook when the owner isn’t there to be able to extract those location details.

Guest who?

As The Verge, which reported on this, points out, these kind of location details may not be of any particular interest to the typical cyber-criminal, but they could be to tech-savvy people close to Chromebook owners – the likes of spouses or work colleagues – who might want to surreptitiously check up on where the owner has been.

Google has acknowledged this, and said it’s looking into the issue, so hopefully we’ll hear more from the firm soon. Meantime, Google has advised that users who are concerned about any possible security risks can turn off guest mode if they wish.

To do this, when logged into your (owner) account (and not guest mode), go to ‘Settings’ (click on the clock, bottom-right, and then on the ‘Settings’ gear cog at the top of the panel that pops up).

Click on ‘People’ in the menu on the left side panel, and then on the right, click ‘Manage other people’. Here you’ll find a slider to ‘Enable Guest Browsing’, so simply turn this off – but obviously bear in mind that now, people won’t be able to use guest mode with the device at all, whether they have snooping intentions or not.

TOPICS

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).