5

I've recently uploaded all the family photos to my Google Drive account. I have a strong password and 2 step verification enabled on my Google account. My home computer is (naturally) trusted and logged in to said account.

Would it be possible for someone to "access" my Google session in Chrome and thereby my photos when my home computer was logged out or locked? For example if it was stolen.

Thomas Jensen
  • 189
  • 6

3 Answers3

4

If your hard drive wasn't encrypted, someone could access your hard drive and view the cookies used for authentication, and bypass 2 factor.

makerofthings7
  • 50,918
  • 55
  • 261
  • 556
  • 4
    Chrome's cookies are encrypted using the Windows Data Protection API (assuming Windows). I'm not sure for other OSs. This means any bypass of the authentication scheme (e.g. resetting the Windows password or trying to access the cookie database file directly) will not result in direct access to the Google account protected by the cookie. – SilverlightFox Jul 11 '15 at 15:42
  • @SilverlightFox, See caveat: http://security.stackexchange.com/questions/93540/is-my-google-session-safe-when-my-computer-is-logged-out-or-locked/93687#comment183797_93687 – Pacerier Nov 11 '15 at 00:49
3

Anyone who can access your computer and open the browser, can access your google account. But you can revoke the access from the machine any time you want via this link from any other device/PC.

Just go to " Registered computers" and then "change settings" ( i did a translate from my native language to what would be on English )

You will be logged out from other devices, and they will ask for a code again.

Freedo
  • 2,273
  • 5
  • 20
  • 29
3

Quite safe*, discounting any cold boot attack or any vulnerability that allows bypass of the OS's lock screen.

Chrome encrypts its cookies, using a password based encryption scheme. In Windows, this is based upon the Data Protection API. This means that anyone who gains access to the laptop by either changing the Windows password using a tool such as chntpw, or if they try to access the hard drive from another operating system to get access to the cookie DB, they will not be able to easily extract your session cookies with Google. So while there are various methods of bypassing the Windows login screen, without the password being available in memory to decrypt Chrome's cookies, this does not really aid an attacker.

There are also implementations for Linux and OS X. See also: Key for chromium's encrypted cookies store in Linux is "peanuts" [no longer].

Of course, at the end of the day this will employ Password Based Encryption of the cookie data. So make sure that your logon account is protected by a strong password with enough entropy to give you enough time to logout other sessions using another device before your OS password can be cracked. If your password has 64 bits of entropy or more, you will only have the insurance claim for the laptop to worry about.

* as said in my answer - only as safe as your password is secure.

Community
  • 1
SilverlightFox
  • 34,178
  • 6
  • 73
  • 190
  • " This will only protect the cookies of a system user from the access by other users on the same system. So, if you will hand over your user account logged-in to an attacker, one can still access your cookies in plain text. " From your link...so this still gets to " anyone who can access your account and open the browser, can log in your accounts" – Freedo Jul 11 '15 at 22:21
  • Accepted. But how can they access your account if it is logged out of or locked? – SilverlightFox Jul 11 '15 at 22:23
  • 1
    Weak password...bypassing the login completely(common this is fairly easy for Windows) and exploits to gain more privileges (privilege escalation) and i'm very skeptical of this feature from google...i mean they must have the key somewhere, and the cookies must be decrypted at run time. It's the classical problem of preventing the client to modify the client-side software – Freedo Jul 11 '15 at 22:29
  • Yep, weak passwords are covered in my answer. Typically privilege escalation on Windows results in STSTEM access, not an individual user account. Besides, without the target users password being available, the encrypted cookie db cannot be decrypted. – SilverlightFox Jul 11 '15 at 22:32
  • Well if you gave me a locked OS with Windows to this attack i would try to bypass the login using one of various methods out there. Log in as the user and open the browser and...i'm on all his accounts . – Freedo Jul 11 '15 at 23:40
  • @SilverlightFox, The huge elephant in the room is that almost no one uses a strong password for Windows local account...... so it wouldn't take more than 5 hours of bruteforcing. – Pacerier Nov 11 '15 at 00:48
  • @Pacerier: It's not an elephant in the room - I cover this in my answer: "So make sure that your logon account is protected by a strong password with enough entropy to give you enough time to logout other sessions using another device before your OS password can be cracked". – SilverlightFox Nov 11 '15 at 11:25
  • @SilverlightFox, Yes I saw that. I meant, people don't usually set strong local passwords anyway. – Pacerier Nov 12 '15 at 02:22