The Inquirer-Home

Chrome web browser password feature slammed as 'security flaw'

Not really a flaw
Thu Aug 08 2013, 11:53

ALARMS HAVE BEEN RAISED about Google's Chrome web browser, with reports slamming the firm for a "security flaw" that allows users to view stored passwords from the settings panel.

Software developer Elliott Kember claimed in a blog post that he stumbled across the feature while importing bookmarks from Apple's Safari to Chrome on his Apple machine. Perhaps he just realised this because until now he's been using Safari.

It struck Kember as odd that he was not able to uncheck a "saved passwords" option on the import settings menu that popped up, which led him to find that all saved passwords in Chrome can be displayed in plain text via the settings panel.

"There's no master password, no security, not even a prompt that 'these passwords are visible,'" Kember warned in his blog post entitled "Chrome's insane password security strategy".

Though he does have a point that in Chrome you can view your own passwords rather easily, what some reports are missing is that this isn't really a "flaw" as such, and it definitely isn't anything new.

Chrome has been built this way for quite some time, and what many reports haven't mentioned is that the user has to be logged into the web browser to access saved passwords through the menu.

The saved passwords feature exists to help people view their passwords if they forget them.

Perhaps it could be said that it is the fault of the user if they decide not to log out after a session of web browsing on another person's computer, or allow someone they don't trust to use their Chrome browser without logging out first.

If people are concerned about security, they should protect their accounts with OS-level or device-level security settings, like passwords or screen prompts. If a user shares their PC, smartphone or tablet with someone that they don't fully trust, then that person could simply go directly to the device owner's Gmail account or Facebook page to snoop, provided that the owner hasn't logged out, as they would need to do in Chrome, too.

Google also takes this view and has said that this feature is not a security flaw. Chrome web browser security lead Justin Schuh responded to Kember in a blog post of his own.

"Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software," Schuh wrote. "My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants."

Schuh went on to explain why Google, like Firefox, doesn't use a master password feature by default to help protect users' individual passwords.

"We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behaviour," he added. "We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get." µ

