Chrome security password flaw gives unrestricted access to your passwords

A security flaw that allows anyone using your computer to quickly look up all your saved passwords in the Chrome browser has been discovered, and worse still, Google says it isn't going to fix it.

The security flaw can be found by typing chrome://settings/passwords into the URL bar.

Doing so reveals a list of all the accounts for which the user has opted to save a password in Google. While at first glance each password is blocked out, hovering over the bullet points allows you to show the password in full.

"I'm the Chrome browser security tech lead, so it might help if I explain our reasoning here," said Justin Schuh, on why Google isn't scrabbling to fix the issue.

"The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theatre."

To access the details, someone has to be using your browser, signed into your Google account, on your computer. But that doesn't stop people simply asking to borrow your browser for a minute, or waiting until you've left your keyboard, to quickly access the information without your knowing.

The same page can also be reached by clicking on the Settings icon, choosing "Show advanced settings…" and then "Manage saved passwords" in the "Passwords and forms" section. Once someone has opted to show the passwords, they remain on the screen, allowing that person to quickly take a screenshot of all of them at once and forward it elsewhere.

"We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works," adds Schuh in the post on ycombinator.com. "We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behaviour.

"We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get."

Chrome is one of the most popular browsers on the internet. Most people click on the save password option to save their most secret passwords to the browser. Whether that practice will continue after this is yet to be seen.

 

 


