It turns out that finding out your passwords via Google Chrome is extremely easy. A blog post published Tuesday by software developer Elliot Kember described how simple it is to reveal the passwords saved in Chrome with just a few steps. Not only is it simple, but anyone using Chrome can take advantage of the trick to reveal the passwords as plain old text. So, should you worry about the passwords you have saved in Chrome? Yeah, probably.
Google Chrome Vulnerable to Easy Password Theft
Did you know that you can check a list of every website that you have a saved password for? It is right in your Chrome settings menu, but all of the passwords are hidden away behind the usual line of asterisks. That is, until you click on the website name, then click Show, and suddenly your password is a very visible line of text. People have voiced some serious outrage over the fact that Google doesn’t even offer a master password to protect your saved passwords from being viewed. One password to rule them all, if you will.
Chrome security head Justin Schuh defended the lack of a master password on Hacker News:
I’m the Chrome browser security tech lead, so it might help if I explain our reasoning here. The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we’ve found that boundaries within the OS user account just aren’t reliable, and are mostly just theater.
Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extensions to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.
We’ve also been repeatedly asked why we don’t just support a master password or something similar, even if we don’t believe it works. We’ve debated it over and over again, but the conclusion we always come to is that we don’t want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that’s really what they get.
Some are arguing that this lack of a master password only serves to give people a false sense of security. Google can at least feel good that it is not the only browser maker to have had this flaw at some point. Of course, the rest of the browsers fixed that issue a while ago. So, for the rest of us using Chrome, it’s probably time to disable saved passwords.