Chrome Sync Turned Into a Surveillance Tool Without a Single Hack

16.07.2026 3 minutes Author: Newsman

Chrome Sync, Google’s feature for syncing bookmarks, browsing history, and passwords across devices, is increasingly being abused for covert surveillance. It requires no hacking skills, malware, or spyware – just brief physical access to the victim’s phone.

Researchers at Certo warn that incidents like these are becoming more common. According to the company, cyberstalkers are increasingly abandoning sophisticated attack methods in favor of exploiting legitimate features that are already available on a victim’s device.

As an example, the researchers describe the case of a woman who waited until her abusive partner had fallen asleep before searching for a family lawyer and visiting a domestic violence support website. She closed the page afterward, but a few days later her partner unexpectedly brought up the website in conversation. He knew exactly what she had visited and when.

The reason became clear later. Weeks earlier, he had briefly gained access to her phone, opened Chrome, signed in with his own Google account, and enabled Chrome Sync.

“From that moment on, every site she visited was being copied straight to his account, viewable from any device, anywhere in the world,” the researchers explained.

According to Certo, this technique is becoming more common because modern smartphones are much harder to compromise. Regular security updates, multi-factor authentication, and other built-in protections have made traditional attacks more difficult and risky.

“As a result, we’re increasingly seeing abusers turn to something far simpler: legitimate apps already sitting on their victim’s phone. No installation, no suspicious permissions, no telltale battery drain – just a quiet misuse of a feature the victim never knew existed.”

The method itself is remarkably simple. Once someone signs into a Google account in Chrome, the browser can automatically sync browsing history, open tabs, bookmarks, autofill data, and, if enabled, saved passwords.

An attacker needs less than a minute to open Chrome on the victim’s phone, add a Google account they control, and enable synchronization. From that point on, the victim’s browsing history is silently copied to the attacker’s account and can be accessed from anywhere with an internet connection.

“Because the attacker signs in with an account they already control, they never need to know the victim’s Google password.”

Researchers also point to another serious issue. Since it is the attacker’s account, not the victim’s, that is newly added, any Google security alerts about a new sign-in are sent only to the attacker. The victim receives no notification that another account has been connected to Chrome on their device.

The threat is not limited to smartphones. The same sign-in and synchronization mechanism works in Chrome for Windows and macOS. With Chrome holding nearly 70% of the global browser market as of June 2026, the technique could potentially affect millions of users.

The risk becomes even greater if the victim later saves new passwords in Chrome. Those credentials may also become available to the attacker, turning browser-history monitoring into a much broader account takeover threat.

Researchers recommend regularly checking which Google accounts are signed into Chrome across all your devices. If you notice an unfamiliar account, remove it immediately and change the passwords for important services, especially if they have ever been saved in Chrome.

They also advise using Incognito mode for sensitive browsing whenever appropriate and protecting all devices with a strong PIN or biometric authentication, making it much harder for someone to gain even brief physical access.

Subscribe
Notify of
0 Коментарі
Oldest
Newest Most Voted
Found an error?
If you find an error, take a screenshot and send it to the bot.