69% of Browsers Worldwide Vulnerable: How Chrome Sync Enables Stealth Surveillance Without Malware
Google Chrome’s ordinary sync feature can be covertly exploited to transform the browser into a powerful surveillance instrument. Attackers require neither malware nor advanced technical skills—only a few minutes of physical access to the target device to sign in with their own Google account and enable synchronization.
Specialists at Certo identified the technique after investigating multiple reports of digital stalking by intimate partners. In one documented case, a woman researching family lawyers and visiting websites that assist victims of domestic abuse discovered that her partner was able to recount the exact pages she had opened and the precise times she had visited them—despite her using only her personal phone and noticing no new applications.
The partner had briefly obtained the device, opened Chrome, signed in under his own Google credentials, and activated sync. From that moment, the victim’s browsing history began automatically uploading to his profile, which he could access from any other phone or computer anywhere in the world. No password belonging to the victim was needed, and login notifications were delivered exclusively to the attacker’s account rather than the device owner.
The risk extends far beyond visited websites. Chrome can also synchronize bookmarks, open tabs, autofill information, and stored passwords. If a victim later saves credentials for any service while the attacker’s profile remains active, those passwords become visible to the attacker, potentially enabling further account takeovers.
Chrome displays no prominent alert when a new profile is added or when synchronization begins. Many users never inspect which Google account is currently linked to the browser. According to StatCounter, Chrome commanded 69.65% of the global browser market in June 2026, meaning the simple attack vector could affect millions of people. The same method functions on smartphones as well as on Windows and macOS computers.
Certo has urged Google to introduce temporary notifications whenever a new account is connected and to display the currently synced profile persistently. Such measures would allow device owners to detect unauthorized access quickly without disrupting normal browser operation.
Users can verify the connected profile through browser settings. On iPhone and iPad, the account address appears at the top of the settings section. On Android, Windows, and macOS, it is visible after clicking the profile icon. Any unfamiliar account should be removed immediately, and passwords for important services—especially those saved in Chrome—should be changed.
For sensitive searches, the Incognito mode can be used, as visited pages are not added to the synchronized history. Devices should be protected with strong passcodes and biometric authentication, and users should review whether additional fingerprints or facial-recognition data have been enrolled by third parties.