Google’s Chrome browser has been criticized over its password security, after a developer found that anyone logged into the same OS account could easily see any saved website passwords in plain text.
Google’s Chrome browser has been criticized over its password security, after a developer found that anyone logged into the same OS account – ie a colleague briefly sharing a PC, for instance – could easily see any saved website passwords in plain text.
Elliot Kember showed off how passwords can easily be seen in plain text in the “passwords” tab within Chrome, simply by pressing a button saying, “Show.”
Kember described Google’s password strategy as “insane”, saying, “Google isn’t clear about its password security. Users […] don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, everyday users are saving their passwords in Chrome. This is not okay.”
Google’s security tech lead responded to the post, saying that the feature was a conscious decision, and that when users granted someone else access to an OS user account, “they can get at everything.”
ESET Senior Research Fellow David Harley said, “It’s a really bad idea to save passwords in Chrome on a machine that can be accessed without authentication (obviously a bad idea in itself), or where an account is shared (also not good practice – especially on business machines – but probably not uncommon on home machines). I’d suggest that it’s usually better to use some sort of password manager to store your passwords than a browser…”
Justin Schuh, security tech lead for Chrome replied in detail to Kember’s post on Ycombinator saying, “The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we’ve found that boundaries within the OS user account just aren’t reliable, and are mostly just theater.”
“Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.”
Schuh said that master passwords merely provided users with a false sense of security, and that when users granted someone access to an OS user account, “they can get at everything.”
Author Rob Waugh /Rob Waugh, WeLiveSecurity/