Skip to main content
CybersecurityHacking

Stalkers Exploit Chrome's Sync Feature for Surveillance

Smartphone with Chrome app open on a neutral surface, showing a Google sign-in page and blurred tabs.

“Emma had been careful to only ever use her own device, and she hadn’t noticed any new apps appear on her phone,” wrote Certo co‑founder Russell Kent‑Payne.

Certo Software’s account and the stalking scenario

Security researcher Certo Software published a blog post describing how an abuser can convert a convenience feature in Google Chrome into a surveillance tool. The company used a pseudonymous victim, “Emma,” to illustrate the method: an attacker gains a few minutes of unattended access to the victim’s phone, opens the Chrome app, signs it into the attacker’s Google account, and enables Chrome sync. From that moment, Certo reported, “every site she visited was being copied straight to his account, viewable from any device, anywhere in the world.” The victim did not see new apps installed and remained unaware of the intrusion until the abuser referenced private searches two days later.

How Chrome’s sync feature is being repurposed for spying

Certo explained that Chrome’s sync capability is designed for convenience: “signing into Chrome on one device makes it easier to do so on other devices, too.” That same convenience, the researchers say, allows a remote account holder to receive copies of browsing history and, in some cases, access stored passwords if sync is turned on. The operation requires no additional software installation, no unusual permissions, and, according to Certo, no telltale battery drain—making it stealthy in ways traditional stalkerware is not.

Why abusers are shifting to legitimate apps, per Certo

In Certo’s assessment, the rise of this technique is linked to broader changes in mobile security. “Modern smartphones are harder to compromise than ever,” Kent‑Payne wrote. Certo pointed to factors such as regular security updates, stricter app store rules, and on‑device threat detection as making classic spyware a “much riskier bet” for cyberstalkers. As a consequence, the firm said, “we’re increasingly seeing abusers turn to something far simpler: the legitimate apps already sitting on their victim’s phone.”

Suggested changes Google could make — and Google’s silence

Certo proposed specific mitigations that would make this class of misuse harder to carry out without alerting victims. Among the suggestions were providing a temporary notification whenever a new account is added or sync is turned on, and offering a persistent marker that indicates when sync is active and which account it’s syncing to. Certo said it reached out to Google for comment; the company “did not respond to multiple requests for comment” about the findings.

What this means for victims, the Electronic Frontier Foundation, and Google

  • Victims and the general public: The technique requires only “a few unattended minutes with her phone” and leaves no new apps to detect, increasing the risk that people will be monitored without visible indicators on their device.
  • The Electronic Frontier Foundation: Eva Galperin, director of cybersecurity at the EFF, posted on the Bluesky social media app that Certo’s research is “an important reminder that tech‑enabled abuse isn’t just limited to stalkerware,” underscoring advocacy concerns about non‑malware modes of surveillance.
  • Google and browser developers: Certo’s recommended mitigations — temporary notifications and a regular visual marker showing which account Chrome is syncing to — are concrete, technical changes that, if implemented, would directly address the mechanism described in the report.

The episode is a reminder that features intended to reduce friction can, in certain hands, become vectors for abuse. Certo frames the problem as a predictable consequence of improved smartphone defenses: when traditional spyware becomes riskier, attackers will look for lower‑risk alternatives among the tools users already rely on. With Google silent on the specific recommendations and advocates sounding alarms publicly, the immediate question is whether Chrome’s visible indicators or account notifications will be changed to give device owners a clearer, persistent signal when their browsing is being replicated elsewhere.

Read the original report: https://cyberscoop.com/google-chrome-sync-cyberstalking-exploit/