Security flaw in Chrome allows access to stored passwords

08 Aug 2013

Chrome users take note - a security flaw in the browser allows people with access to your computer view all your stored passwords directly from the settings panel.

Software developer Elliott Kember discovered the vulnerability while importing his bookmarks from Apple's Safari browser to Google Chrome. The process required mandatory import of saved passwords from one browser to the other,  something he found odd.

After some more investigation, he found that Google did not protect passwords from being viewed when a user was logged in and running Chrome to any user. Users could access stored passwords by going to the advanced settings page and clicking on the ''Passwords and forms'' option, followed by ''Manage saved passwords''.

They could also just type "chrome://settings/passwords" into their browser search bar. The passwords were revealed in plain text just by clicking the 'show' button next to a list of obscured passwords. No option was available for adding security around stored passwords, nor could a master password to access them be added.

"In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market – the users. The overwhelming majority," said Kember in a blog post.

"They don't know it works like this. They don't expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay."

Kember wants that the internet search company's browser  should at the least ask for a password before displaying the credentials in plain text, or warn that they could be accessed in full with a few clicks.

He told The Register, that at this stage, anything would be nice. He added Google was not acknowledging the fact that millions and millions of Chrome users did not understand how this worked. He added he would like to never ever see passwords in plain text without authenticating himself first.

In a response to Kember, Chrome's team lead Justin Schuh responded by arguing that if a miscreant had physical access to the computer then it was game over anyway, in terms of protecting the user's system.

He said he appreciated how this appeared to a novice, but the company had literally spent years evaluating it and had quite a bit of data to inform its position. He added, though what was being proposed was certainly well intentioned, it would make users less safe than they were today by providing them a false sense of security and encouraging dangerous behaviour.