I've recently installed Opera browser in unattended mode (using Chocolatey: choco install opera). When I opened it for the first time, Opera had all my bookmarks imported from Chrome (unwanted, but OK).

Then I clicked on Gmail in the Opera bookmark bar, and to my huge surprise, it loaded my Gmail account without asking me to authenticate first. I was able to read my email as though I was still in Chrome.

Apparently, Opera has somehow imported my Google account OAuth2 tokens from my Chrome profile under "%LOCALAPPDATA%\Google\Chrome\User Data\..." and it's able to make use of them, perhaps because it also uses Chromium as its rendering engine.

IMO, this is a problem with how Chrome protects its local user profile data. To me, it's both undesirable and scary. I would at least expect Chrome to use something like Windows Data Protection API (DPAPI) to encrypt its sensitive data.

Is there any way I can prevent other programs (like Opera) from poking their noses into my Chrome local profile, besides by not installing them?

Updated: I reported this to the Chrome team, and they have dismissed the issue for the following reason: Why aren't physically-local attacks in Chrome’s threat model?

Ironically, remedies like PKCE have been put in place to protect access tokens from malicious local actors in the OAuth2 authorization flow. I struggle to understand how the existence of PKCE sides with Chrome's stance on local attacks.

I personally don't think the mitigation of that attack vector should be completely ignored. From a user perspective, as soon as I've provided my password to Chrome for encrypted data syncing, I'd expect it to be stored using the underlying OS API for storing secrets.

DPAPI, being that API for Windows, can't fully protect applications from each other, but it does rather a good job mitigating that. It presents the user with a standard OS dialog, requesting to authorize the access:

[Screenshot: DPAPI prompt]

This screenshot is from running an example from the online DPAPI docs. Note how the system UI shows the location of the app trying to access the secret, so it's my choice as an informed user whether to grant the access or not.

Of course, malware can still spoof that UI, but this is not something that legit, code-signed and generally trusted software like Opera would do. If Chrome used DPAPI, Opera would have to use it too, for their import-from-Chrome feature to work. Invoked by Opera, the DPAPI UI would prompt me to authorize the access to Chrome's local data, and I would have an option to reject it.

Updated: there's a sign that the Chromium team may address this issue in the future.

  • Does installing Opera from its official installer also import Chrome's auth tokens?
    – Biswapriyo
    Commented Oct 8, 2019 at 5:17
  • @Biswapriyo, yes it does, all checkboxes are ticked by default: imgur.com/mAjXQx2.
    – noseratio
    Commented Oct 8, 2019 at 5:37
  • Here's the full installer link at the time of posting this: get.geo.opera.com/pub/opera/desktop/63.0.3368.71/win/…
    – noseratio
    Commented Oct 8, 2019 at 5:39
  • 1
    Ideas: (1) Run Chrome under another user account and only give this account permission to access the Chrome folder, (2) Stash away the Chrome folder in a safe place, for example a sandbox of Sandboxie and run Chrome via Sandboxie.
    – harrymc
    Commented Oct 10, 2019 at 14:25
  • 1
    Sandboxie is a security product for isolating suspicious programs, redirecting their file and registry modifications into a sandbox area and not into the real system. A product that discovers that your Chrome folder is in C:\path will still be blocked because no such folder will exist inside the "normal" file system, but only in the "shadow" file system.
    – harrymc
    Commented Oct 10, 2019 at 19:57
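
harrymc's first suggestion in the comments (a separate account that alone has permission on the Chrome folder) can be verified with an ACL audit of the profile directory. The PowerShell below is an added example, not part of the original post or its comments; the account name chrome-user is hypothetical, and the script is meant to be run as the account that owns the profile.

```powershell
# Added example: list every principal, other than the expected ones, that can read
# the Chrome profile. Assumptions: "chrome-user" is a hypothetical dedicated local
# account; the path is the "User Data" root named in the question.
param(
    [string]$ProfileRoot = (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'),
    [string]$DedicatedAccount = "$env:COMPUTERNAME\chrome-user"
)

$sidType = [System.Security.Principal.SecurityIdentifier]

# Principals expected to keep access, compared by SID so localized names do not matter.
$expected = @(
    [System.Security.Principal.NTAccount]::new($DedicatedAccount).Translate($sidType).Value
    'S-1-5-18'       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
)

# ReadData/ListDirectory, plus GENERIC_ALL and GENERIC_READ, which some ACEs store raw.
$readMask = 0x1 -bor 0x10000000 -bor [int]::MinValue

function Get-UnexpectedReader {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $isAllow = $rule.AccessControlType -eq 'Allow'
        $canRead = ([int]$rule.FileSystemRights -band $readMask) -ne 0
        if ($isAllow -and $canRead -and ($expected -notcontains $rule.IdentityReference.Value)) {
            $name = try { $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $rule.IdentityReference.Value }   # unresolvable SID: report it raw
            [pscustomobject]@{
                Path      = $Path
                Principal = $name
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Check the root and each profile directory beneath it, since explicit ACEs can differ.
$targets = @($ProfileRoot) + @(Get-ChildItem -LiteralPath $ProfileRoot -Directory |
    Select-Object -ExpandProperty FullName)
$findings = $targets | ForEach-Object { Get-UnexpectedReader -Path $_ }
if ($findings) { $findings | Format-Table -AutoSize }
else { 'Only the expected principals can read the profile.' }
```

SYSTEM and Administrators stay on the expected list, so an installer that runs elevated is not stopped by this ACL; the separation only holds against programs running as an ordinary, different user.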


