Google Chrome security flaw allows access to users’ passwords

7 Aug, 2013 15:00 / Updated 11 years ago

A software developer has discovered a critical security flaw in the highly popular Google Chrome browser that could put the privacy of potentially millions of users at risk.

Chrome is among the most widely used browsers on the Web, but security researchers are now warning that it’s far from safe. Developer Elliot Kember from New Zealand discovered that anyone with physical access to a computer running Chrome can see any password stored in the browser without having to bypass a single security barrier.

When Chrome users type in a password — say, when checking their email or logging onto Twitter — the browser provides an option where that keyphrase can be remembered for future use. That master list of log-ins isn’t protected itself, however, meaning anyone with access to someone else’s computer can quickly pull up a list of plain-text passwords and essentially have unfettered access to an array of accounts.

To try it yourself, navigate to chrome://settings/passwords in Google’s browser and see if a password is needed to see what’s stored (hint: it’s not).

On his blog, Kember says Chrone is employing an “insane password security strategy.” Sir Tim Berners-Lee, the inventor of the World Wide Web, tweeted that the exploit allows anyone “to get all you big sister's passwords.”

Of course, any security feature should be considered compromised once a computer is physically handed off to someone else. Given Google’s incessant touting of its seemingly secure browser, though, Kember said he’d expect the company to offer something a bit better.

In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It’s the mass market – the users. The overwhelming majority. They don’t know it works like this. They don’t expect it to be it’s this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay,” Kember says.

What’s more, though, is that one of Google’s developers has since weighed in on the exploit and said there are no plans to roll out a solution in the next Chrome release.

We’ve also been repeatedly asked why we don’t just support a master password or something similar, even if we don’t believe it works,” Chrome’s Justin Schuh wrote on Hacker News. “We’ve debated it over and over again, but the conclusion we always come to is that we don’t want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything.”

Similar exploits have been discovered previously in competing browsers like Mozilla’s FireFox and Microsoft’s Internet Explorer, but developers with those companies made changes to patch up problematic security holes. Given Google’s blatant disregard for developing a solution, though, Berners-Lee called the company’s handling of the issue “disappointing.”

How to get all you big sister's passwords http://t.co/CpytKWH9aT and a disappointing reply from Chrome team.

— Tim Berners-Lee (@timberners_lee) August 6, 2013