Google Chrome password access bug discovered

Security flaw shows details of all stored logins in Settings panel.


A security flaw has been uncovered in Google's Chrome web browser that can give anyone unfettered access to users' stored logins, and there are reportedly no plans to fix it.

The bug was discovered by software developer Elliott Kember, who found that in the password section of the browser's settings panel, saved passwords can be revealed in plain text simply by clicking a button labelled 'show'.


"There's no master password, no security, not even a prompt that 'these passwords are visible'," said Kember in a blog post highlighting the problem.

Kember said while some developers are aware of this flaw, everyday users are not.

"In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market - the users. The overwhelming majority. They don't know it works like this.

"They don't expect it to be this easy to see their passwords. Every day, millions of normal, everyday users are saving their passwords in Chrome. This is not okay," he said.

However, Justin Schuh, Chrome browser security tech lead at Google, said this is not a fault and the company is not going to change it.


"The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theatre," he wrote on Hacker News.


"We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behaviour. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get," he concluded.

While many commenters agreed a master password or other additional security layer would not stop a determined and knowledgeable hacker, they argued it would help prevent crimes of opportunity.

In a tweet, Tim Berners-Lee, inventor of the World Wide Web, described the flaw as "how to get all [your] big sister's passwords" and said the reply from Schuh was "disappointing".

Another set of security bugs has also been found in the past 48 hours, this time affecting a number of Mozilla products.


The foundation has released updates for Firefox 23.0, Firefox ESR 17.0.8, Thunderbird 17.0.8, Thunderbird ESR 17.0.8 and SeaMonkey 2.20 to address multiple vulnerabilities that could, according to an advisory notice from the United States Computer Emergency Readiness Team (US-CERT), allow attackers to remotely cause a denial of service condition, conduct a cross-site scripting attack, execute arbitrary code, or bypass security restrictions.

Administrators and users of these products are advised to apply the updates in order to avoid falling victim to an attack.
