Cyberstalkers Are Exploiting Chrome Sync to Spy on Victims

hn_acker1 pts0 comments

Cyberstalkers Are Exploiting Chrome Sync to Spy on Victims | Certo Software

Home<br>Insights<br>Expertise<br>Cyberstalkers Are Exploiting Chrome Sync to Spy on Victims

Emma* (not her real name) thought she’d finally found a way out. Late one night, while her partner was asleep, she spent twenty minutes searching for a family lawyer and reading through a domestic abuse support website, careful to close the tabs afterwards.

Two days later, her partner brought it up. He knew which website she’d visited and exactly when.

Emma had been careful to only ever use her own device, and she hadn’t noticed any new apps appear on her phone. What she didn’t know was that weeks earlier, during a few unattended minutes with her phone, he had opened the Chrome app and quietly signed it into a Google account of his own.

From that moment on, every site she visited was being copied straight to his account, viewable from any device, anywhere in the world.

Certo has received a growing number of reports describing exactly this scenario. Our research team investigated, and what we found is a strikingly simple technique that requires no hacking skill, no malware, and no spyware app of any kind — just a few unattended minutes with someone’s phone and a feature that Google built for convenience.

A Shift Away From Spyware

Modern smartphones are harder to compromise than ever. Regular security updates, stricter app store rules, and on-device threat detection have made traditional spyware a much riskier bet for a cyberstalker than it used to be.

As a result, we’re increasingly seeing abusers turn to something far simpler: the legitimate apps already sitting on their victim’s phone. No installation, no suspicious permissions, no telltale battery drain — just a quiet misuse of a feature the victim never knew existed.

The Chrome sync technique is one of the clearest examples of this shift yet, and it’s arguably more concerning than most because of just how popular Chrome is.

Chrome Sync: Built for Convenience, Not Scrutiny

Chrome’s sync feature exists to make life easier. Sign in with a Google account, and Chrome will keep your bookmarks, open tabs, browsing history, autofill data, and saved passwords in step across every device you use — your phone, tablet, laptop, whatever you’re signed into.

It’s a genuinely useful feature. It’s also, as we discovered, remarkably easy to turn into a surveillance tool.

Fig 1. Synced data on a Google Account

How the Attack Works

The attacker gets brief physical access to the victim’s phone . This is the only hands-on step required, and it can take less than a minute.

They open the Chrome app and add a Google account under their control — either their own personal account or one created specifically for this purpose.

They make sure sync is switched on for that account, so browsing history (and, by default, much more) is set to sync automatically.

The victim carries on using their phone as normal . From this point, their browsing activity is copied to the attacker’s Google account in the background.

The attacker opens the same Google account on their own device and reviews the victim’s browsing history whenever they choose, from anywhere with an internet connection.

Because the attacker signs in with an account they already control, they never need to know the victim’s Google password. And because it’s the attacker’s account that’s new — not the victim’s — any "new sign-in" security alert Google sends goes straight to the attacker’s inbox, not the victim’s.

Fig 2. Browsing a website in Chrome (left) and viewing that browsing history on another device (right).

A Threat at Scale

Chrome isn’t a niche browser. According to StatCounter’s Global Stats, Chrome held 69.65% of the worldwide browser market share as of June 2026 — comfortably ahead of every other browser combined. It’s the default browser on most Android phones and one of the most-downloaded apps on iPhone.

That scale is what makes this technique worth paying attention to. A method that works on a browser used by roughly seven in ten people is something that has the potential to affect millions worldwide.

Crucially, this isn’t limited to mobile. The same sign-in-and-sync mechanism works identically on Chrome for Windows and Mac, meaning the technique isn’t confined to phones at all — an abuser only needs brief access to any device the victim uses, on any platform.

Why This Goes Beyond Browsing History

Our research found several features of this technique that make it particularly dangerous, especially in a domestic abuse context:

There is no warning inside Chrome . Unlike some account-security features on other platforms, there is no pop-up, badge, or notification in the Chrome app to tell a victim that a new account has been signed in or that sync has been switched on.

Many people don’t realize Chrome is signed in at all . A large proportion of users browse without ever adding an account, so a stalker adding one is a change...

chrome account sync victim google device

Related Articles