Google pushed a typo to a production character, shattering Chrome OS devices

Google claims to have fixed a major Chrome OS bug that prevented users from accessing their devices. Google’s bulletin says that Chrome OS version 91.0.4472.165, which was briefly released this week, is preventing users from signing in to their devices, essentially blocking them.

Chrome OS automatically downloads updates and switches to the new version after a restart, so users who restart their devices are suddenly locked out. The best advice while this broken update is available is to not restart.

The bulletin states that a new version, version 91.0.4472.167, is being rolled out to resolve the issue, but it could take “a few days” to reach everyone. Users affected by the bad update can either wait for the device to update again or “powerwash” their device, i.e. wipe all local data, to connect. Chrome OS is mostly cloud-based, so if you don’t do anything advanced like running Linux apps, this solution has fewer downsides than on other operating systems. Still, some users complain about data loss.

ChromeOS is open source, so we can get a bit more detail on the fix thanks to Android Police tracking down a Reddit comment from user elitist_ferret. The problem apparently boils down to a single character typo. Google missed a conditional statement in Chrome OS Cryptohome VaultKeyset, the part of the operating system that contains the user’s encryption keys. The line should say “if (key_data_.has_value () &&! Key_data _-> label (). Empty ()) {” but instead of “&&” – the C ++ version of the “AND” operator, the wrong update day used a single ampersand, breaking the second half of the conditional statement.

It seems that because of this error, Chrome OS never correctly verified users’ passwords against stored keys.

The whole selling point of Chrome OS is that it’s reliable and unbreakable, and sloppy updates like this harm the operating system. It’s unclear how such an obvious and spectacular issue like this made its way into the stable release channel. Chrome OS has three testing channels that changes are supposed to go through – the “canary,” “dev”, and “beta” channels – with weeks of testing between releases. Somehow this bug escaped this whole process. This issue also appears to be something that a unit test or automated test might have detected – not being able to connect is pretty obvious.

The error marks the second flawed Chrome OS update released this month. An update in early July increased CPU usage on some models, slowing them down at a breakneck pace.