
Google Chrome password access bug discovered

Security flaw shows details of all stored logins in Settings panel.


A security flaw has been uncovered in Google's Chrome web browser that can give anyone unfettered access to users' stored logins, and there are reportedly no plans to fix it.

The bug was discovered by software developer Elliott Kember, who found that in the password section of the browser's settings panel, saved passwords can be revealed in plain text simply by clicking a button labelled 'show'.

"There's no master password, no security, not even a prompt that 'these passwords are visible'," said Kember in a blog post highlighting the problem.

Kember said while some developers are aware of this flaw, everyday users are not.

"In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market - the users. The overwhelming majority. They don't know it works like this.

"They don't expect it to be this easy to see their passwords. Every day, millions of normal, everyday users are saving their passwords in Chrome. This is not okay," he said.

However, Justin Schuh, Chrome browser security tech lead at Google, said this is not a fault and the company is not going to change it.

"The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theatre," he wrote on Hacker News.

"We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behaviour. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get," he concluded.

While many commenters agreed a master password or other additional security layer would not stop a determined and knowledgeable hacker, they argued it would help prevent crimes of opportunity.

In a Tweet, Tim Berners-Lee, inventor of the World Wide Web, described the flaw as "how to get all [your] big sister's passwords" and said the reply from Schuh was "disappointing".

Another set of security bugs has also been found in the past 48 hours, this time affecting a number of Mozilla products.

The foundation has released updates for Firefox 23.0, Firefox ESR 17.0.8, Thunderbird 17.0.8, Thunderbird ESR 17.0.8 and Seamonkey 2.20 to address multiple vulnerabilities that could, according to an advisory notice from the United States Computer Emergency Readiness Team (US-CERT), allow hackers to remotely cause a denial of service condition, conduct a cross-site scripting attack, execute arbitrary code, or bypass restrictions.

Administrators and users of these services are advised to apply the updates in order to avoid falling victim to an attack.
