Chrome Browser Security Flaw Reveals Plain Text Passwords

Chrome Browser Security Flaw Reveals Plain Text Passwords

The Guardian is reporting that a serious security flaw in Google’s Chrome browser allows anyone with access to a computer to view all of a user’s saved login passwords without providing any form of authentication.


The Guardian, via 9to5Mac:

A serious flaw in the security of Google’s Chrome browser lets anyone with access to a user’s computer see all the passwords stored for email, social media and other sites, directly from the settings panel. No password is needed to view them.

Besides personal accounts, sensitive company login details would be compromised if someone who used Chrome left their computer unattended with the screen active.

Passwords can be accessed by clicking the menu icon (top-right corner of the window), clicking “Settings”, then clicking “Show advanced settings” at the bottom of the screen, then click “Manage saved passwords” in the “Passwords and forms” section.

Oddly enough, when informed of the flaw, the head of Google’s Chrome developer team, Justin Schuh, said that while Google is aware of the weakness, it has no plans to fix it.

Schuh wrote on Hacker News that “We’ve also been repeatedly asked why we don’t just support a master password or something similar, even if we don’t believe it works. We’ve debated it over and over again, but the conclusion we always come to is that we don’t want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything.”

While it is true that if you left almost any browser open and another party gained access to it they would be able to login to websites via the stored passwords, in this instance, the snoop could also take note of your login info and use it on another computer or device.

Most browsers have a similar password reveal option, but require a master password before displaying any passwords.

  1. gxavier6 says:

    But aren’t passwords also visable in Safari?

    1. Chris Hauk Chris Hauk says:

      Safari requires you to enter your OS X password before displaying them.

      1. gxavier6 says:

        ah yeah your right. just double checked. I should’ve known that, I consider myself an Apple guy. 🙁

        1. Chris Hauk Chris Hauk says:

          I had to check and make sure before replying. 🙂

  2. modkaffes says:

    Wherever autocomplete is activated, revealing the password is just a matter of changing it’s type from password to text (in developer tools). Plus this is hardly news. This “feature” has been around forever.

    1. gxavier6 says:

      ok yeah but that doesn’t make it right. Google should of disabled it. Or a prompt for your password in like in Safari. Although I hate Safari because its soo slow, I since yesterday have started using Safari a little more. Google should really change that asap.

      1. modkaffes says:

        I agree that it should be a opt-in choice.

        Nevertheless I find Safari a bit sluggish regarding this issue, because I never understood its “Always Allow” button.

        Of course, an all around solution would be to disable the default Chrome password manager altogether and use a third-party tool like 1password or Keepass.

        1. gxavier6 says:

          Yeah, i guess the always allow button is great if one is certain they are the only ones using the computer. Well if Google would just require a chain password to access that info they should be good. Its a big deal and a big mess. I hope for their sake they can fix it.

        2. Chris Hauk Chris Hauk says:

          I agree, I use 1Password on both OS X and iOS, and would HIGHLY recommend it to anyone!

  3. 965740 95497Im not certain exactly why but this web web site is loading extremely slow for me. Is anyone else having this concern or is it a issue on my finish? Ill check back later and see if the issue still exists. 685935

  4. 608478 463856Giving you the best News is very significantly imptortant to us. 850900

  5. 494254 907678Spot lets start work on this write-up, I truly feel this fabulous website needs a terrific deal a lot more consideration. Ill apt to be once again to learn far much more, appreciate your that info. 595357

  6. 484063 110542I was examining some of your content material on this internet website and I believe this website is rattling instructive! Keep putting up. 575112

  7. 896585 447861Most suitable boyfriend speeches, or else toasts. are almost always transported eventually by way of the entire wedding party and are still required to be really intriguing, amusing and even enlightening together. greatest mans speech 656599

Leave a Reply

Your email address will not be published.