itscind3r
14 hours ago
It didn’t take an exploit — it took a product decision that refuses to be skeptical.
During review of Chrome session artifacts, full Google Account access persisted through what should have been a 2FA checkpoint. No malware. No trick. Session tokens accepted as gospel. All it took was a logged-out account on a turned-off computer.
Google triaged and reopened VRP #434421051 before closing it as working as intended. Translation: we wrapped a security failure in UX and called it a feature.
In lab this is convenience. In real life — shared devices, abusive homes, lost workstations — it’s a silent vector that hands access to whoever sat at the keyboard last. This is not an edge case. It’s design inertia. It’s negligence disguised as product polish.
Google has the nerve to call this “intended.” Fine. Let’s call it what it is: a policy that weaponizes convenience.
Chrome’s session model keeps trusting itself — even when it should doubt. That trust model turns 2FA into theater: everybody watches while the door is wide open.
People who lose access, evidence, or safety because of this won’t care about your product roadmap. They’ll care that “working as intended” sounded like an excuse. If you work on auth at a vendor: stop dressing up defaults as benevolent design. Design choices kill real people when threat models are ignored.
Congrats, Google — you made 2FA a sticker. A placebo you shipped with confidence and called a feature. But at least Chrome's a gentleman at the door, right?