Google has come under fire this week for the way that its Chrome browser handles password storage. The criticism comes in light of some new findings posted by software developer Elliott Kember, who says he’s discovered a flaw in the way Chrome handles passwords.
Apparently, in the browser’s settings panel there’s a section that lists all of the websites in which a user has a stored password for, and their corresponding passwords. The data is hidden initially, but the passwords can be exposed with a simple click of the mouse…
While not everyone may agree, Kember believes that this represents a flaw in Chrome’s password storage, and thus in the browser’s overall security:
“In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It’s the mass market – the users. The overwhelming majority. They don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay. “
Want to see it for yourself? Chrome users visit chrome://settings/passwords
But as AppleInsider notes, other browsers are guilty of this behavior. Mozilla’s Firefox browser does the same thing without requiring verification, asking the user “Are you sure you want to show your passwords?” Safari, however, asks for the logged-in user’s password.
As you’d expect, Google doesn’t think it’s doing anything wrong here. Responding to the concerns, Chrome’s security tech lead Justin Schuh posted the following to Hacker News:
“I’m the Chrome browser security tech lead, so it might help if I explain our reasoning here. The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we’ve found that boundaries within the OS user account just aren’t reliable, and are mostly just theater.
Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.
We’ve also been repeatedly asked why we don’t just support a master password or something similar, even if we don’t believe it works. We’ve debated it over and over again, but the conclusion we always come to is that we don’t want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that’s really what they get.”
Admittedly, someone has to be logged into their Google account in order for their passwords to be viewed. And they’re only vulnerable on that device or machine. But I wonder how many people would continue to store their passwords on Chrome after learning this.
What’s your take on all of this? Big deal, or not so much?