Bloomberg/Getty Images
Google says it has fixed a major Chrome OS bug that has banned users from their devices. Google’s bulletin says that Chrome OS version 91.0.4472.165, which was briefly available this week, will not allow users to sign in to their devices, effectively blocking them.
Chrome OS automatically downloads updates and switches to the new version after a reboot, so users who restart their devices suddenly lock them out. The go-to advice while this broken update is available is not to reboot.
The bulletin says a new build, version 91.0.4472.167, is now being rolled out to fix the issue, but it may take “several days” to get everyone there. Users affected by the bad update can wait for the device to be updated again or ‘powerwash’ their device (which means wiping all local data) to sign in. Chrome OS is primarily cloud-based, so if you’re not doing something advanced like running Linux apps, this solution will be less of a hassle than on other operating systems. Still, some users complain about lost data.
ChromeOS is open source, so we can get some more details on the fix thanks to Android Police looking for a Reddit comment from user elitist_ferret. The problem apparently comes down to a one-character typo. Google flipped a conditional statement into Chrome OS’s crypto house VaultKeyset, the part of the operating system that contains user encryption keys. The line should read “if (key_data_.has_value() && !key_data_->label().empty()) {” but instead of “&&”—the C++ version of the “AND” operator—used the bad update a single ampersand, breaking the second half of the conditional statement.
It seems that because of this bug, Chrome OS never properly compared user passwords to stored keys, so even correct passwords would return with a message saying, “Sorry, your password could not be verified.”
The whole selling point of Chrome OS is that it’s reliable and unbreakable, and failed updates like this hurt the operating system. It’s not clear how such an obvious issue like this made it to the stable release channel. Chrome OS has three testing channels that changes should go through — the “canary,” “dev,” and “beta” channels — with weeks of testing between releases. Somehow this bug escaped that whole process. This issue also seems like something a unit test or automated testing could have caught – not being able to login is pretty obvious.
The flaw marks the second defective Chrome OS update released this month. An update in early July caused a spike in CPU usage on some models, causing them to slow down.