If you’re a Google Chrome user and you tend to let your browser save your passwords, take note. Due to poor programming on Google’s part, anyone with physical access to your machine can reveal all the passwords stored in Chrome without needing to know any of them.
Web designer Elliot Kember called out Google over the slightly worrying way Chrome handles passwords. He highlighted the fact that all you need to do is visit chrome://settings/passwords in the browser to see a list of all the saved passwords. The passwords are of course shown as black dots as usual, but it only takes one click to expose the full string of characters in plaintext. You can also reach this same list through Chrome’s settings page.
This applies on all operating systems that run Chrome, including Windows and Mac OS X.
Unfortunately for users that think Google would be scrambling by now to fix this, they’re not. In fact, they’re well aware of the issue and don’t plan to fix it. According to Google’s head of Chrome Security, Justin Schuh, they don’t want “to provide users with a false sense of security and encourage risky behavior.” He also adds that if an attacker were able to gain physical access to a machine, “the game was lost” because there would be “too many vectors for [the attacker] to get what he wants.”
It should be noted that the same issue is found in Firefox, Opera, Safari, and Internet Explorer. If you use their built-in password managers, people can easily reveal your passwords. However, Chrome’s competitors implement a layer of security for stored passwords by allowing you to use a master password or a system password. With a master password or system password in place, no one can access your stored passwords without entering that password first. Chrome doesn’t have any of that. And while there are definitely solutions out there that people can use (read: third-party password managers), not everyone uses them and not everyone is aware of this lack of security in Chrome.
If this doesn’t sound bad to you, try it out right now. I didn’t think it was a big deal at first but after seeing firsthand how easy it would be for someone to see all my saved passwords… I’m hoping Google will change their mind and fix the issue. False security and physical access notwithstanding, how hard would it be to implement even a simple extra bit of security?
Until it is fixed, if it ever is, I suggest you use a third-party password manager to keep your passwords safe.
[via Elliot Kember, Y Combinator, The Verge]