Google is drawing criticism from security commentators and tech media observers for what is being called a flaw in its Chrome browser that allows anyone with access to a user's computer to see all of that user's passwords.
Provided an individual has access to a user's device and is already past the operating system's account password, one can directly view all of the passwords stored for email, social media, and other sites simply by navigating to Chrome's settings panel. The "flaw" in Chrome's structure was pointed out by software developer Elliott Kember, who discovered it when importing his bookmarks from Apple's Safari browser.
The Chrome settings panel, Kember discovered, has a Saved passwords section that displays the site name, the user name, and the password for any site where a user has saved that information. Passwords are initially hidden, but by simply selecting the site's row, a user can make a button appear to show the password for a site. Chrome requires no additional password entry to show site passwords.
Mozilla's Firefox browser operates in the same fashion, giving the user a dialog box that asks "Are you sure you want to show your passwords?" without asking for further verification.
Apple's Safari browser pops up a dialog requiring that a user enter the password for the currently logged in ID on that computer. Without entering that password, Safari will not show the others.
Kember says the issue represents a flaw in Chrome's password storage, and thus in the browser's security:
Google isn't clear about its password security.
In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market - the users. The overwhelming majority. They don't know it works like this. They don't expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay.
Responding to the controversy, the tech lead for Chrome's browser security team said that they had found that "boundaries within the OS user account [to protect passwords even when a user is logged in] just aren't reliable, and are mostly just theater."
Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install a malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.
We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get.
The "vulnerability" does require that a snooping user already be logged into another user's account on a machine. The Chrome team is aware of the password opening, and despite the controversy likely will not adjust that aspect of security.
That doesn't sound good. The more I read, the more Google should have stayed out of the smartphone, tablet, computer and browser market. I'm glad I use only Safari and Firefox.
If it were Apple, this would be on CNN, Fox, and Jon Stewart.
Since this is Google, it's irrelevant. Fanboys and iHaters will simply call this a "feature" and hope everyone forgets about it in a week.
Google is drawing criticism from security commentators and tech media observers for what is being called a flaw in its Chrome browser that allows anyone with access to a user's computer to see all of that user's passwords.
Mozilla's Firefox browser operates in the same fashion, giving the user a dialog box that asks "Are you sure you want to show your passwords?" without asking for further verification.
Apple's Safari browser pops up a dialog requiring that a user enter the password for the currently logged in ID on that computer.
That doesn't sound good. The more I read, the more Google should have stayed out of the smartphone, tablet, computer and browser market.
I'm glad I use only Safari and Firefox.
I hope you didn't miss the paragraph in the article (above in bold) that states Firefox operates in the same way.
As I said many, many times, Google has no culture, no products (except search), no respect for people's privacy and no talent. Even though they keep buying companies to get some smart developers, no matter how talented they are, as soon as they join Google, they become the mother of all dumbs! On another note, hasn't Google started sending requests to various sites to lower down their tunes on this yet another Google security mess-up? They always do that, you know.
Remember the lock screen bypass for the iPhone where you get limited access if you're quick enough to perform the right sequence? People said it's no big deal since it requires the other person to have physical access to your device. Gee, kinda sounds familiar, doesn't it? Now what will the apologists say to this issue when they slammed the "physical device access" that was required for the iPhone security flaw?