Google Chrome gets automatic single sign-on, brings security risks

Google really wants you to use its web apps, and it really, really wants you to use Chrome. That's why the company works so hard on making sure its browser and apps play nice together -- and more nicely than Firefox, Internet Explorer, and Opera.

That's no surprise since Chrome is fast becoming the preferred gateway to all things Google in the cloud. Just last week, offline access to Gmail returned (but only for Chrome!) -- and now, further streamlining your access to the cloud, Chrome has now added an auto-login option to its experimental about:flags page.

With "pre- and auto-login" enabled, Chrome stores authentication details for the Google account you've set up in your sync options as a cookie. That cookie enables single sign-on at any Google Account-enabled web page (like Gmail, Google Docs, Google Reader, Picasa, etc.). No more re-entering your password on Gmail after you've logged in on Google Reader: just load the page and watch it auto-refresh.

There's also mention of a Chrome infobar (like those that appear to translate or block scripts) being displayed when a compatible page is detected, hinting that Chrome's auto-login might be available to third-party sites across the web, similar to what Mozilla has been working on with BrowserID.

Right now, auto-login is hidden behind a flag. That's a good thing, because there's a security issue that needs to be sorted out before it's made a default.

While the option to automatically sign in to Google apps is a convenience, the setting would also allow anyone that can double-click the Chrome icon on your desktop to access all your Google data without knowing your password. Since Chrome currently lacks a master password option, the only in-browser solution would be to disconnect your account on chrome://settings/personal(Opens in a new window). Your operating system already offers a more logical solution, of course: automatically password-locking your workstation when it's idle.