Chrome Browser Security Flaw Reveals Plain Text Passwords

The Guardian is reporting that a serious security flaw in Google’s Chrome browser allows anyone with access to a computer to view all of a user’s saved login passwords without providing any form of authentication.

The Guardian, via 9to5Mac:

A serious flaw in the security of Google’s Chrome browser lets anyone with access to a user’s computer see all the passwords stored for email, social media and other sites, directly from the settings panel. No password is needed to view them.

Besides personal accounts, sensitive company login details would be compromised if someone who used Chrome left their computer unattended with the screen active.

Passwords can be accessed by clicking the menu icon (top-right corner of the window), clicking “Settings”, then clicking “Show advanced settings” at the bottom of the screen, then clicking “Manage saved passwords” in the “Passwords and forms” section.

Oddly enough, when informed of the flaw, the head of Google’s Chrome developer team, Justin Schuh, said that while Google is aware of the weakness, it has no plans to fix it.

Schuh wrote on Hacker News that “We’ve also been repeatedly asked why we don’t just support a master password or something similar, even if we don’t believe it works. We’ve debated it over and over again, but the conclusion we always come to is that we don’t want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything.”

While it is true that if you left almost any browser open and another party gained access to it, they would be able to log in to websites via the stored passwords, in this instance the snoop could also take note of your login info and use it on another computer or device.

Most browsers have a similar password reveal option, but require a master password before displaying any passwords.

  1. gxavier6 says:

    But aren’t passwords also visible in Safari?

    1. Chris Hauk says:

      Safari requires you to enter your OS X password before displaying them.

      1. gxavier6 says:

        Ah yeah, you’re right. Just double checked. I should’ve known that, I consider myself an Apple guy. 🙁

        1. Chris Hauk says:

          I had to check and make sure before replying. 🙂

  2. modkaffes says:

    Wherever autocomplete is activated, revealing the password is just a matter of changing its type from password to text (in developer tools). Plus this is hardly news. This “feature” has been around forever.

    1. gxavier6 says:

      OK, yeah, but that doesn’t make it right. Google should have disabled it. Or a prompt for your password like in Safari. Although I hate Safari because it’s so slow, I since yesterday have started using Safari a little more. Google should really change that ASAP.

      1. modkaffes says:

        I agree that it should be an opt-in choice.

        Nevertheless I find Safari a bit sluggish regarding this issue, because I never understood its “Always Allow” button.

        Of course, an all-around solution would be to disable the default Chrome password manager altogether and use a third-party tool like 1Password or KeePass.

        1. gxavier6 says:

          Yeah, I guess the always allow button is great if one is certain they are the only ones using the computer. Well, if Google would just require a chain password to access that info they should be good. It’s a big deal and a big mess. I hope for their sake they can fix it.

        2. Chris Hauk says:

          I agree, I use 1Password on both OS X and iOS, and would HIGHLY recommend it to anyone!
