Chrome BrowserSignIn Bypass

Published December 14, 2020 / 484 words / ~3 minutes to read

Bypass force sign in for fun and profit! Managing Google Chrome can be a bear sometimes. With dozens of policies to comb through for any given need, it’s a platform unto itself. Instead of managing settings at a machine level through a MDM profile (on Mac), it’s sometime easier to force sign into the browser and then manage policies through Google Admin. A common workflow is for the user to open Google Chrome and then be prompted to sign into their organization’s Google Workspace domain account.

Admins can do this with two policies - BrowserSignIn and RestrictSigninToPattern. The first forces browser sign in. A user can’t use Chrome at all without first signing in.

Chrome sign in window

The second defines a regular expression used to determine which Google accounts can be used to sign into the browser. A common pattern is .@mydomain.com where only accounts ending in @mydomain.com would be able to sign in. If RestrictSigninToPattern is set to .@mydomain.com and I try to sign in with throwaway7201234@gmail.com I get the message below.

Chrome can't sign in

Sign in fails and I can’t continue. The policy is working as expected. I can’t continue until I sign into a Google Workspace managed account where all the appropriate policies would be enforced from Google Admin. Not only do I want that, if I’m an admin I usually need that. I don’t want people using Chrome without our enterprise policies set, and enforcing them through sign in means I can have one predictable set of policies across all platforms - Mac, PC, and Chrome OS.

Playing around with Chrome policies recently, I found it trivial to bypass force sign in.

  1. Open any text editor where you can follow a link. Visual Studio Code for example. Visual Studio code follow a link
  2. Click the link to open the URL.
  3. Chrome will open the URL in a new guest profile.
Chrome guest profile

Without having ever signed in, I can browse around to any site I want with that newly created guest profile. No enterprise policies enforced, free to do whatever I want. The screenshot is a little small, but here Chrome BrowserSignIn set to 2 for “Force users to sign-in to use the browser” and RestrictSigninToPattern to my Google workspace domain. As an added bonus, BrowserGuestModeEnabled is set to false which should mean “If this policy is set to false, Google Chrome will not allow guest profiles to be started.” Not only is the force sign policy being bypassed, another policy specifically meant to stop guest browsing isn’t working either.

Google support pointed me to Chromium bug 1120255, but that’s not quite what I’m seeing here. I’ve started bug 1158615. Go there and make a comment if this issue impacts you and your organization. As of writing this I don’t believe there’s any mitigation available to stop this. If you depend on policies coming down after sign in, let Google know about it and hopefully we’ll see a solution in a future Chrome release.

#chrome