Chrome Caught Exempting Google Sites From User Requests To Delete Data

This week the Verge reported: If you ask Chrome to delete all cookies and site data whenever you quit the browser, it's reasonable to expect that this policy applies to all websites. Recently, though, a bug in the browser meant data wasn't being removed for two sites in particular: Google and YouTube.

This problem was first documented by iOS developer Jeff Johnson on his blog. Johnson found that in Chrome version 86.0.4240.75, "local storage" data for Google.com and YouTube.com stuck around even after restarting the browser. We've been able to replicate similar behavior... The Register notes that Chrome's behavior could allow Google to stash cookie-style data as site data, allowing it to track users even when they think they're being careful by deleting their cookie and site data every time they close the browser.

In a statement, Google said it was aware of the issue and was working on a fix... At least one of the affected sites, YouTube, appears to have already been fixed. After we upgraded the Chrome browser to version 86.0.4240.111, YouTube's local storage data seems to successfully purge after a restart, although the data from Google.com still sticks around.

Don't be evil

[goombah99]

Is actually a shortening of "don't be merely evil".

Re:

[fahrbot-bot]

Is actually a shortening of "don't be merely evil".

I believe their original Mission Statement was, "Don't be Dr. Evil" -- and their second choice was, "Don't be Evel Knievel."

[ Ben Stein: Anyone, anyone? Bueller, Bueller? ]

Re: Don't be evil

[aRTeeNLCH]

Or perhaps: "Don't be evil, unless you can get away with it and it pays really well."

Still using Chrome?

[Anonymous Coward]

It is your own fault then. If you don't ditch the products of the US intelligence services, the products of US intelligence will collect information about you to the extent you make it possible.

Re:Still using Chrome?

[Z00L00K]

I only use Chrome for limited purposes.

The main reason for Google not erasing the data related to Google sites is because they "need" that data to build a profile on you and if that data is erased then you damage their statistics.

Re: Still using Chrome?

[martynhare]

It is actually because they reuse code efficiently for sync and keeping your Google Account logged in. This is a good practice for end users of Google services usually want their sync and other bits to stay working when they clear their data to fix bugs with websites.

There really is nothing interesting to see here. It is by design to benefit people who want to use Google services to the fullest. I am certain they will correct this for people who do not want to use Google Accounts for sync, GMail and ot

"a bug in the browser"

[RitchCraft]

Yeah, ok, sure, whatever.

Re:

[Krishnoid]

No wait, it's fake news! We don't have to fix anything!

Re:"a bug in the browser"

[AmiMoJo]

Lately Google has been making changes to the site storage API that could have triggered this bug. The changes were at the request of add-on developers to bring it up to parity with Firefox.

Previously add-ons could only delete cookies for a site, not other kinds of stored data. The improved API allows everything to be removed. The development history of Cookie AutoDelete charts the changes. So it looks like when they changed the API they broke something as this used to work.

If someone could be bothered to go back and test old versions, and maybe test Chromium as well, they could pinpoint exactly when it happened.

Re:

[WierdUncle]

Yeah, ok, sure, whatever.

From the summary:

In a statement, Google said it was aware of the issue and was working on a fix...

So this happened by accident did it? Like a coding error? If the above is accurate reporting, then Google are really taking the piss. Everything points to Chrome favouring other Google products. That does not happen by accident.

Suggestion

[thegreatbob]

Not that a huge amount of thought ever went into them... but maybe the "rules for thee dept."? Any indication that this was deliberate, beyond the apparently obvious?

Shocking

[NateFromMich]

I'm not even surprised a little bit.

Re:

[Greeneland]

It's just a happy coincidence, I'm sure.

The Monopoly case gets stronger

[Canberra1]

That monopoly case started. Now a lot of un-upgradable Android devices and old browsers will hang about - a massive advantage to the under-investigation monopoly. A lot of that cookie data/history has also helped acquire more data, never mind unique hardware fingerprinting. Are there API calls only some know about? Now what other special conditions exist?

Bug? I think not.

[markdavis]

>"In a statement, Google said it was aware of the issue and was working on a fix..."

Implying it was a bug? And "fixing" it requires any kind of effort??

Exactly how can it delete everything EXCEPT two of Google's most important sites without being intentionally coded that way? Someone caught their secret binary blob doing something bad that Google probably did on purpose. Color me not surprised.

https://www.mozilla.org/en-US/... [mozilla.org]

Re:Bug? I think not.

[khchung]

The bug was letting people find out the cookies were not deleted. After it was "fixed", no one will find out those cookies were kept no matter how hard you tried to delete them.

Re:

[mark-t]

If the cookies are really getting kept while the software somehow tries to mask their existence from the end user, sniffing the local port with a tool like wireshark when connecting to a google site would still reveal it.

Re:

[Lonewolf666]

That would be a rather specific check. Which people will now make, but otherwise the cheat might have gone unnoticed for quite a while. Like backdoors in Cisco equipment. Or cheating with the exhaust gas treatment at Volkswagen.
It is also a reason to stay away from Chrome.

Re:

[khchung]

If the cookies are really getting kept while the software somehow tries to mask their existence from the end user, sniffing the local port with a tool like wireshark when connecting to a google site would still reveal it.

Not if the communication between Chrome and Google were encrypted end-to-end. You can only see a mass of meaningless bits, with the secret cookie encrypted inside.

Re:

[Ed Tice]

You will have no trouble seeing this. You can man-in-the-middle yourself fairly easily. This is done for debugging purposes all the time. It's also often done on corporate networks so that the IT folks can snoop. Yes you have to trust the certificate but that's part of the debugging process and/or the corporate infrastructure.

Re:

[theCoder]

Good luck seeing the cookie through the SSL encryption. Just imagine code like this in Chrome:

if (destHost.endsWith("google.com") &&
connection.isEncrypted() &&
connection.ssl().matchesHardCodedGooglePublicKey())
{
connection.appendCookie(secretGoogleTrackingCookie());
}

The function names are made up, but code like this would make it so that a tracking cookie would only be sent to google.com sites for encrypted (like HTTPS or SPDY) with a non-spoofed certifi

Re:

[Ed Tice]

I already posted this to a sibling comment, but here you go.

>You will have no trouble seeing this. You can man-in-the-middle yourself fairly easily. This is done for debugging purposes all the time. It's also often done on corporate networks so that the IT folks can snoop. Yes you have to trust the certificate but that's part of the debugging process and/or the corporate infrastructure.

In order to make this work the code would also have to code that checked against a hard-coded or pinned certific

Re:

[mark-t]

Good luck seeing the cookie through the SSL encryption.

Evidently you were unaware that SSL encryption can be fairly easily decrypted by tools such as wireshark when you are doing it on the same machine that is doing the encryption. Anything that Google might try to do to cover up that they are encrypting certain packets which you cannot decrypt locally will be fairly obvious to someone who is checking this.

Re:

[theCoder]

Interesting [wireshark.org]. I had no idea that most browsers would output the keys used if the SSLKEYLOGFILE environment variable was set. I'm going to have to watch out for that one in the future! Though, since this does seem to require the help of the browser, and the goal is to try to see if there is secret code in that browser that would sometimes send extra cookie information, that's just another thing for the secret code to check for. Though some other variations described on page talk about extracting the keys

Re:

[mark-t]

Even if the code in the browser were to check for this and not put the necessary key in the ssl log file when talking to google sites, this would be obvious to someone investigating locally because there would be encrypted packets that they cannot decrypt with the key(s) that they have.

Re:

[jargonburn]

Oddly enough, I can kind of believe it is a bug. I mean, you're already using Chrome and (presumably) the Google sites in question...do you think they actually need those cookies?
*Shrug*

Re:

[mark-t]

I would suggest that your inability to imagine how such a thing could have been accidental on Google's part speaks more to the limits of your own imagination than it does to any objectively wrong intent by Google.

Hanlon's razor may well apply here.

Re:Bug? I think not.

[MrL0G1C]

You're missing the point that you generally expect a browser to treat all sites the same and not write hard-coded code in the browser to treat different urls differently. The probability here is that Google wrote the code to check if the site is theirs and then skip it when deleting cookies. The likelihood of this happening any other way is very remote.

If you're using Chrome then either you're a newbie or you don't care about an advertising giant tracking you and building up a big database of data metrics about you.

Re:

[markdavis]

>"you generally expect a browser to treat all sites the same and not write hard-coded code in the browser to treat different urls differently. The probability here is that Google wrote the code to check if the site is theirs and then skip it when deleting cookies. The likelihood of this happening any other way is very remote."

+1, that was exactly my point. I don't see how it is possible to have code that "accidentally" does not delete something so specific when the code should simply delete everything.

I

Re:

[mark-t]

I don't see how it is possible to have code that "accidentally" does not delete something so specific when the code should simply delete everything.

I'm afraid that admission speaks more loudly to your own lack of imagination than it necessarily does to some dark intent on Google's part.

Perhaps it is because code that might have admittedly been intentionally put in there for some specific and perhaps entirely legitimate reason during testing and development was simply accidentally forgot about and left in

Re:

[ISoldat53]

I wonder if the DOJ is looking into this. Seems to mesh well with an anti-trust investigation.

Yes, master

[Uldis Segliņš]

Of course. We believe. There is no lie. Google is not evil. Two biggest webaddresses owned by the browsermaker got completely accidentally treated preferentially by pure chance. That is like dropping a bunch of nuts and bolts on the floor and getting a completely assembled car engine, accidentally.

Re:

[mark-t]

People are quick to jump down Google's throat over this, and TBH, I can perfectly understand why.... but honestly, I think that this is a reflexive reaction that is only indicative of a lack of imagination, and underestimating just how large the capacity for human error actually is.

If you would like to hear a explanation for how this could possibly be accidental, consider the idea that not deleting google's data was actually part of something that was meant to test a specific facility during the developm

Re:

[munch117]

I'm usually the first to reach for Hanlon's razor, and you know, even here I'll give google the benefit of the doubt in that this could be an accidental bug.

But that doesn't get them off the hook: The only way such a bug can exist is because there's code in there that special-cases these google domains. Maybe in a subtle way: It could be a special feature that any site could in theory use, but in practice is only used by google domains, and no-one else knows about it. In that code there's a site-data bug

Re:

[mark-t]

But that doesn't get them off the hook: The only way such a bug can exist is because there's code in there that special-cases these google domains

Almost certainly, but my point is that it's certainly possible that this code was still never intended to be part of the release, and therefore technically still an accident. How do you figure that the special case code will still be there if they go and correct it?

Re:

[munch117]

Because I expect that the reason it affects only these two domains, is not because they are specifically mentioned in the site data delete procedure, but due to a subtle interaction of complex features.

If I'm wrong, and they literally wrote:

if(site!="google.com") delete_site_data(site)

then sure, fixing the bug would end any special treatment, but that kind of code would stand out as a sore thumb in any kind of code review.

Re:

[mark-t]

I imagine that it may be a little more complex than just the one line... but even so, at the time of review such code might have looked entirely innocuous for something that was originally expected to be a debugging aid, with the expectation that the code would be removed later, and then everyone who happened to know that it was there forgot it did this when they made the release branch, until someone pointed it out.

I am not eliminating the possibility that Google was really doing this in the hopes they

Re:

[WierdUncle]

I'm usually the first to reach for Hanlon's razor, and you know, even here I'll give google the benefit of the doubt in that this could be an accidental bug.

This is pure speculation on my part, but I think it possible that Google are using "in the cloud" stuff to provide browser features, and the cloud stuff is run by Google, of course. My guess is that these browser features bypass the usual cookie management applied to other sites. However, even if my charitable interpretations are correct, it does not let Google off the hook, because this covert activity would constitute some kind of hidden "phone home".

seems to me

[renegade600]

Google has been deceitful since day one. Anyone remember their toolbar where you were supposed to be able to opt out back in the beginning. I have never trusted them. The only time I use chrome is if my current browser is having problems.

Chromium too?

[OneHundredAndTen]

Or is this just part of the packaging that Google does to release Chrome?

I've experienced this personally.

[dmitch33]

I have experienced this first hand. I maintain a website for my brother's band. They put some written music onto a webpage that wasn't properly secured (my bad) but had no link to it. Either you knew the name of the page or you didn't get there. Well, as Google uses its DNS server to scrape and published the findings in their search engine. It has been over 5 years and Google still refuses to remove the copyrighted material!! As no intelligent or lawful human is involved in this process it is clear to see why Google is EVIL!!

Re:

[Known Nutter]

DNS doesn't work that way my dude. An entry into your URL bar for example.com/supersecretlyrics.php will result in a DNS query for example.com only.

I wouldn't doubt for a minute, however, that the link was harvested from an @gmail message sent by you to your brother's bandmates, for example. Or harvested in Android... or any number of other things besides DNS.

Google Evil

[Find Available Name]

I don't mean to seem critical here, and I mean this in the best way possible, but Google is the very face of evil in today's world.

An old story

[alternative_right]

Silicon Valley, the shopkeepers who became warlords and thought they could be kings, only to find out that reality is far more complex than their machines? Indeed. Of course they have become manipulative, more than Microsoft or IBM before it, simply because they are one-hit wonders who now see their business model failing.

Firefox

[aRTeeNLCH]

Firefox may not be the light it once was, but still it won't have this type of problem...