A behavior built-in to Chromebooks that Google has known about for quite some time has been revealed to be potentially exploitable. First reported by the Committee on Liberatory Information Technology to The Verge, the bug allows for anyone who has physical access to your device to enter via guest mode and access your Wi-Fi logs. Once they’ve done so, they would then need to be technically skilled enough to decipher the logs and make sense of them. If they can do both of these things and have a desire to track your physical location, they may be able to do so by seeing exactly which Wi-Fi networks you’ve accessed over the past 7 days!
The bug is possible because of how your Chromebook openly displays its communications with the internet as an informational tool to the user. I’m not certain if this was meant to be, or if Google simply used it for testing, but because it’s only possible to execute on this via guest mode, I imagine it’s either something the company thought was non-consequential or simply put on the backburner to fix. A Google spokesperson told The Verge that they’re “looking into this issue”.
In the meantime, users can simply disable guest browsing mode on their devices. I would argue that most users have probably hardly ever – if ever – used this feature, to begin with, and should disable it the moment they purchase their Chromebooks. If you’re required to share your device with anyone, have them sign in to their own Google account as a separate user from the lock screen and then back out again when they’re finished. Once they are, in fact, done, click the dropdown arrow next to their name on the lock screen and remove them from the device altogether.
In order to disable guest browsing mode on your Chromebook, simply follow the steps below and you’ll no longer have to concern yourself with this completely ridiculous bug that, in my opinion, has no business existing:
- Tap the ‘Everything button’ on your keyboard and type ‘Settings’
- Click the ‘Settings’ app to open it
- In the left sidebar, visit the ‘People’ section and then ‘Manage other people’
- Turn off ‘Enable Guest browsing’
If your device has been updated to show the ‘Accounts’ section on the left sidebar of the Settings app instead of ‘People’, then you’ll instead need to click on that in order to access the ‘Manage other people’ section. Once there, you can toggle the ‘Enable Guest browsing’ switch to turn it off.
I also recommend going a step further to toggle ‘Restrict sign-in to the following users:’ in the same section. If you’re the only one who uses your Chromebook and you have multiple Google accounts, just turn this setting on, and click ‘Add user’ below this to add more email addresses that you would like to allow the ability to sign in to your Chromebook. Once this is enabled and set up, no one will be able to enter your device via guest mode, and no one will be able to sign in to your device with any other email address whatsoever (unless they’re on this list!)
The Committee on Liberatory Information Technology was formed by a handful of ex-Googlers, so if anyone outside of Google knows what could be a potential threat to your security, it’s likely these guys. I’m all for checks and balances, and I believe that we as consumers ought to be well-informed on issues like this, just as I stated in my observations on privacy, convenience, and the state of compassion.
I can only hope that Google begins to patch these sorts of issues well before they come to light via a third-party. I won’t lie – I’m pretty disappointed that the company knew about this all this time and has done nothing about it. I would rather Chromebooks continue to be secure than for them to continue to receive polish and fun features. Let’s continue this conversation in the comments below!