Eli, Sabine: Please take a look at this cross sync issue.

treib@ for triage and investigation.

Okay, here's what probably happened: When you turned off Sync for your girlfriend's account, all the existing data (bookmarks, passwords, ...) was left behind. (That's the default, though the "turn off Sync" dialog does offer a checkbox to clear it all.)
Then when you signed in with your own account, all the local data got uploaded to your account.

What's surprising to me is that we have checks in place to prevent this from happening accidentally: When signing in with the second account, there should be a dialog which looks like this:

first.user@gmail.com was previously using Chrome
- This wasn't me, create a new profile for second.user@gmail.com.
- This was me, add my bookmarks, passwords, and other settings to second.user@gmail.com.

Only if you choose the second option (which is *not* the default) will we merge the data.
Did this dialog not show up for you? Or if it did, why did you choose the second option?

I didn't turn off Sync for her account, I just logged her out. And no, that
dialog did not show up.

ma 22. lokak. 2018 klo 17.14 tr… via monorail <
monorail+v2.3203352690@chromium.org> kirjoitti:

Could you describe the exact steps you followed? E.g. there are at least two ways to log out which are quite different:
a) Via the web (gmail, youtube, etc) - after that, Sync will still be enabled, but in a "paused" state. It shouldn't be possible to start syncing to a different account from this state.
b) Via the "Turn off" button in Chrome settings under "People". That will actually disable Sync, and afterwards you can sign in and enable Sync again with a different account, but then the warning dialog should show up.

Thanks!

I logged her out via the web: I opened her Chrome which opened the home
page (Google Search) she has chosen in Chrome settings. Her Google account
was obviously automatically logged in, so I just pressed the icon in the up
right corner of the page and pressed "Sign out".

ma 22. lokak. 2018 klo 19.28 tr… via monorail <
monorail+v2.3203352690@chromium.org> kirjoitti:

In response to c#3-7: I believe from the original description that the girlfriend had never opted into sync on her laptop. This looks like a case where all of the girlfriend's bookmarks and passwords were only saved locally on that laptop, and had not been synced to her account. When the reporter signed into the girlfriend's laptop and turned on sync, there was no warning dialogue because no account had previously been syncing in that profile.

kaner...@: can you please confirm that when you turned on sync from Chrome settings on your girlfriend's laptop, you were presented with a screen that looks like the attached image? That dialogue is shown whenever you turn on sync, to warn you that doing so will synchronize all of your bookmarks, history, and passwords from your device to your Google Account. Do you remember seeing that dialogue? Were there parts of it you found confusing or unclear?

Deleted: Screen Shot 2018-10-22 at 10.58.59 AM.png 72.5 KB

	Screen Shot 2018-10-22 at 10.58.59 AM.png 72.5 KB View Download

Yes, that was the screen I was presented. The wording is a bit confusing.
It says "Your bookmarks, history, passwords, and other settings will be
synced to your Google Account so you can use them on all your devices". The
sentence uses now the word "your" in a two different meanings. I was
syncing MY account and the wording refers that MY bookmarks etc. will be
synced. In reality, the bookmarks etc. that were synced weren't mine ->
they were the ones that were saved (apparently) locally on the laptop. So
the first "your" -word didn't actually mean your (or in this case my). It
means that the bookmarks etc. from this Chrome (or laptop) you are
currently using will be synced to your account. That is confusing. So this
word shouldn't be "your". The second "your" -word is correct because you
are syncing the bookmarks etc. precisely to YOUR account.

So, if the bookmarks and passwords were saved only locally on the laptop,
don't have an other issue here? When people for example put username and
password in some webpage, Google asks if you like to save the password,
right? Then the person (for example my girlfriend in this case) presses
"yes, save the password". How in the world could she know that the password
will be saved only locally if the sync is off. Most of the people don't
probably even know that there exists a feature called Chrome Sync. However,
if this is the case that passwords are only saved locally if sync is off
(when they can be stolen by anyone with a Google Account), Google should
notify the user for example "Your Google Sync is off, your password will be
only saved locally. To turn Google Sync on, please go to Settings" or
something like that. This is an actual issue because people trust Google
when saving passwords. They trust that when saving passwords to Google no
one will be able to see the passwords except the person who saved them.
This can't depend on if some setting is on or off. Google should warn that
your passwords can be seen if you don't turn your Google Sync on.

ma 22. lokak. 2018 klo 21.00 ew… via monorail <
monorail+v2.1048604832@chromium.org> kirjoitti:

Thank you for the feedback. I'll address a couple of the specific points you raised, and then let the PM for the sync and passwords teams (cc'ed here) chime in as well.

Whether or not you have turned on Chrome sync, passwords that you enter on some webpage and then save with Chrome can be seen and accessed by anyone else using the device. Even if your girlfriend had Chrome sync turned on, you could have still synced her passwords to your account by first turning off Chrome sync for her account and then turning on Chrome sync for your account. In general, Chrome does not consider "local attackers" a part of its threat model, because there is no way for Chrome to defend against a malicious user with access to the target's machine from accessing that information. Please see here for a reference on why local attackers are not a part of our thread model: https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#why-arent-physically_local-attacks-in-chromes-threat-model. So prompting the user to turn on Chrome sync when they save a password does not actually provide any extra protection.

With respect to the first "your": I understand your point of view. Unfortunately, it's a tricky problem. In general, we assume that most users turning on sync are on their own devices (since sync is typically something that you would only enable on your own device), so the "your" is referring to *your* Chrome data on this device. We are in the process of re-working this dialogue right now though, and this wording is going to change anyways. In the new version, it should be more clear what's happening.

Again, I'm sorry that you encountered this issue, and we appreciate your feedback. I will leave it to sab@ to determine whether we should take any other action before closing this issue out.

Thanks for the answers. Glad to see that this raised some actions on your
side. However, I still think that this case proves that you should enhance
Chrome Sync and passwords security. Am I entitled to a reward?

ma 22. lokak. 2018 klo 23.17 ew… via monorail <
monorail+v2.1048604832@chromium.org> kirjoitti:

As far as I know, there are rewards only for *security* bugs, see here: https://www.google.com/about/appsecurity/chrome-rewards/

So, while Chrome could maybe do better here in terms of privacy/UI, and helping you to avoid doing this *accidentally*, per the link ewald posted above, this is *not* a security issue so it won't qualify for a reward. Sorry!