Google Chrome password access bug discovered

Security flaw shows details of all stored logins in Settings panel.


A security flaw has been uncovered in Google's Chrome web browser that can give anyone unfettered access to users' stored logins, and there are reportedly no plans to fix it.

The bug was discovered by software developer Elliott Kember, who found that in the password section of the browser's settings panel, saved passwords can be revealed in plain text simply by clicking a button labelled 'show'.

"There's no master password, no security, not even a prompt that 'these passwords are visible'," said Kember in a blog highlighting the problem.

Kember said while some developers are aware of this flaw, everyday users are not.

"In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market - the users. The overwhelming majority. They don't know it works like this.

"They don't expect it to be this easy to see their passwords. Every day, millions of normal, everyday users are saving their passwords in Chrome. This is not okay," he said.

However, Justin Schuh, Chrome browser security tech lead at Google, said this is not a fault and the company is not going to change it.

"The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theatre," he wrote on Hacker News.

"We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behaviour. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get," he concluded.

While many commenters agreed a master password or other additional security layer would not stop a determined and knowledgeable hacker, they argued it would help prevent crimes of opportunity.

In a tweet, Tim Berners-Lee, inventor of the World Wide Web, described the flaw as "how to get all [your] big sister's passwords" and said the reply from Schuh was "disappointing".

Another set of security bugs has also been found in the past 48 hours, this time affecting a number of Mozilla products.

The foundation has released updates for Firefox 23.0, Firefox ESR 17.0.8, Thunderbird 17.0.8, Thunderbird ESR 17.0.8 and SeaMonkey 2.20 to address multiple vulnerabilities that could, according to an advisory notice from the United States Computer Emergency Readiness Team (US-CERT), allow hackers to remotely cause a denial of service condition, conduct a cross-site scripting attack, execute arbitrary code, or bypass restrictions.

Administrators and users of these services are advised to apply the updates in order to avoid falling victim to an attack.
