
Google has come under fire this week for the way that its Chrome browser handles password storage. The criticism comes in light of some new findings posted by software developer Elliott Kember, who says he’s discovered a flaw in the way Chrome handles passwords.

Apparently, in the browser’s settings panel there’s a section that lists all of the websites for which a user has a stored password, along with the corresponding passwords. The data is hidden initially, but the passwords can be exposed with a simple click of the mouse…

While not everyone may agree, Kember believes that this represents a flaw in Chrome’s password storage, and thus in the browser’s overall security:

“In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It’s the mass market – the users. The overwhelming majority. They don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay.”

Want to see it for yourself? Chrome users can visit chrome://settings/passwords.

But as AppleInsider notes, other browsers are guilty of this behavior. Mozilla’s Firefox browser does the same thing without requiring verification, only asking the user “Are you sure you want to show your passwords?” Safari, however, asks for the logged-in user’s password.

As you’d expect, Google doesn’t think it’s doing anything wrong here. Responding to the concerns, Chrome’s security tech lead Justin Schuh posted the following to Hacker News:

“I’m the Chrome browser security tech lead, so it might help if I explain our reasoning here. The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we’ve found that boundaries within the OS user account just aren’t reliable, and are mostly just theater.

Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install a malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy has got access to your account the game is lost, because there are just too many vectors for him to get what he wants.

We’ve also been repeatedly asked why we don’t just support a master password or something similar, even if we don’t believe it works. We’ve debated it over and over again, but the conclusion we always come to is that we don’t want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, they can get at everything. Because in effect, that’s really what they get.”

Admittedly, someone has to be logged into their Google account in order for their passwords to be viewed. And they’re only vulnerable on that device or machine. But I wonder how many people would continue to store their passwords in Chrome after learning this.

What’s your take on all of this? Big deal, or not so much?

  • Mohammad Ridwan

    Took this fast for Elliott Kember to find that? It’s been there for at least 7-8 years in Mozilla Firefox… Now he’s acting like it’s a big revelation…

    It’s not a security flaw when it’s intentional.

    • Jack Wong

      I did not know this.

      Feel free to ask anyone around you and see how many people know this trick.

      I only use the browser password management for forums.

  • Linton Findlay

    This isn’t anything new; it has had these features for years. If someone doesn’t want to save the password to the browser, they’ll click “I don’t want to save passwords”.

  • This expert hacker is kind of years slow. Firefox has had it for years. Chrome has had it for some time. A password manager is a standard feature in these browsers and very useful too, sometimes. I always forget my passwords, so I search for them in the password manager in Firefox.

    I read this news yesterday, and almost laughed.

    But Firefox has a master password feature to access it. Not sure about chrome.

  • O. Bakerman

    If someone has access to your user account on your OS he can do 1000 other dirty things than looking up your passwords in Chrome.

  • Joseph

    For anyone that uses Chrome and isn’t happy about this, give MaskMe a look. Great extension.

  • EpicFacepalm

    This actually deserves a facepalm. Hackers have already done this for years, and the tool is called a “Stealer”. The browser has to read the saved data; it is not a hash after all. Because of this, you cannot protect it. Even if you do tons of random encryptions to it, a hacker will be able to steal the data. If you use password managers, you are at risk from Stealers; if you don’t, then you have to be careful of keyloggers.
    What you have to do is protect your devices from malware, plain and simple.

  • Gorgonphone

    I hate passwords…

  • Lol, welcome to over 5 years ago, expert. If someone untrustworthy has local access to your computer in the first place, then you’ve got bigger problems to worry about besides just your Chrome password…

    Either way, I use LastPass instead of Chrome’s password manager.

    • Brandon Weidema

      It’s also your own damn fault if you don’t log out of Chrome lol

    • Timothy

      LastPass also displays passwords without authentication, unless they updated it since I tried it.

      • Ever since I started using it in 2011, you’ve had to enter your master password to gain access to your list of passwords… also, depending on your credential configuration for a website, it can either request your master password before filling in your credentials, or just fill in the credentials without requesting your password (but you’ll have to have logged into the extension in the first place).

  • Timothy

    I’ve known about this for forever, and I’ve been using this to exploit friends’ passwords as well. Why they’re just now complaining about this is beyond me.

    However, it is a big point I used when promoting Safari over Chrome on Mac. It’s a major way in which Safari is more secure than Chrome.

    • Yikes, such a malicious friend…

      • Timothy

        Just their Facebook passwords and stuff… 😀

  • Barnez Hilton

    How long did it take this bozo to figure out that BASIC setting that’s been there for years? I use it all the time to remember my passwords so I can log into other machines on the road.

  • Beta382

    Google is totally right about this. Even if you had a master password for your saved passwords (or you didn’t save your passwords at all), even a child could get into your accounts. I was able to get onto my brother’s Facebook account (as well as any other accounts he had clicked “keep me logged in” on) simply by remotely copying his cookie stash and putting it on my machine, and then opening my browser. All I needed was his password or the admin password (or I could have used physical access, because he is always logged in while away) to grab his cookies. Physical access trumps any further form of security.

    Moral of the story: Don’t use password saving services, but also don’t use the “keep me logged in” option, and for heaven’s sake don’t leave yourselves logged in while you are away.

  • DarekSlaby

    Not sure why Chrome is taking the heat when Firefox does the same thing.

  • ak2r

    Sorry, but this guy is so lame. I don’t know why he is getting so much attention for this.