Poor design decision in Chrome makes it easy to steal passwords

Chrome password feature

The browser market is one the most competitive landscapes in the tech industry with Google, Microsoft, Firefox and Apple all pushing their respective products. While Microsoft has been running media campaigns for Internet Explorer to help reshape its image and Firefox has also been doing a bit of new marketing for its platforms as well, the market is fiercely competitive with IE keeping the market share crown, for now.

Chrome, on the other hand, has been running advertisements but not nearly as aggressively as Microsoft, but thanks to a new and somewhat serious design decision, Google will need to find a way to avoid the impending black eye from security researches and the general public.

While some are calling this a ‘flaw’ of Google Chrome, which would This is a poor design decision that was intentionally put in place indicate that this was an unintentional issue, the fact is, the process to uncover the passwords, which are viewed in plain text, is a poor design decision that was intentionally put in place. The easily accessible plain-text passwords can allow anyone using your machine to lift your confidential data in seconds, if they know what they are doing.

To access the plain-text passwords in Chrome, click settings -> show advanced settings -> manage saved passwords -> then you click “show password” next to each item to reveal the individual password for that account. As noted, by performing this process, it’s clearly a feature of Chrome, albeit, if someone uses your personal machine and knows this trick, they can easily steal your passwords.

Google has indicated to the Guardian that it has no plans to lock down this feature.

If you are using Firefox, that browser has a very similar feature Firefox has a similar issue that presents your passwords in plan text but does provide the option of putting a master-password on your account to prevent such nefarious activities. But, as Frank Becker pointed out on Twitter, that feature is unchecked by default, so Firefox has nearly the same issue as Chrome.

Suffice to say, letting anyone use your machine if you use these browsers should be done so with caution, as it only takes a few clicks to steal your sensitive information. If there is enough backlash, we suspect Chrome and Firefox will eventually force the master password feature to protect the end user but as it stands now, it’s quite easy to steal the sensitive information from both Chrome and Firefox users.

Via: Guardian

Report a problem with article
Previous Story

Amazon offers digital downloads for UK customers

Next Story

Crossbar: RRAM will have twice the density of NAND for the same cost

80 Comments

View more comments

siah1214 said,

This only works with passwords you have manually entered. Automatically filled in passwords do not have the icon.

Ah I interesting. I don't think I've ever saved a password in IE 10 which is why I wasn't aware that it made this distinction.

To be fair to Google though you can use one of a zillion utilities to unmask password boxes on Windows. I haven't used any in the post UAC era, but I'm sure they don't require UAC elevation for non-elevated processes like a browser.

Studio384 said,
No, it's not. You can only view the password when filled in on the right site and only if it's not a remembered password, however, then you already have to know the password before you can look what's the password.

But you can still get the value using javascript. So if you have physical access to the computer you're still screwed.

Don't you have a password protected user session to protect your stuff already?

If someone has access to your session and wants to screw you up with your saved passwords, getting them to not show up in the browser settings doesn't really solve anything, they could just copy your whole browser's profile and use it on another computer.

The issue here seems to be basically that if you don't bother protecting your session then your stuff is not safe. Fair enough, right?

Whatever, as soon as someone gains access to your computer you've already lost all hope of security. You can easily decrypt the passwords that IE stores in the registry.

This exists in OS X on Safari, and on Windows and OS X and Linux with Firefox too. I'm pretty sure you can use a javascript bookmarklet to do the same on IE, also.

How in the world is this news?

chrome is the slowest browser i have ever used. it takes ages to start and consumes so much memory it is insane

DaveBG said,
chrome is the slowest browser i have ever used. it takes ages to start and consumes so much memory it is insane

Confirmed. I just opened up the same site in IE10, FF, and Chrome.

IE used 61K memory
Chrome opened up four processes each using between 60k and 85k memory
FireFox used 171k memory

Thrackerzod said,
Your computer must be really terrible, or are you just making that because your a Firefox/IE fan?

i have several computers and also work as support. chrome is the heaviest browser

OK, so this article has the access to the passwords as click here there and there, and everyone seems to be focused on physical access to the PC.

Another story I read said you can get to the page with chrome://something/something.....
Would this not open that password store up to anyone with some JS knowledge?

If you are in an Active Directory environment and add the Google Chrome ADMX policy templates, it has an option to disable the viewing of stored passwords in plain text.

I understand that's not helpful for home users, but wanted to throw that out there as an FYI.

Oh, look. Another one of Brad's "Bash anything not made by MS" articles. As others have already pointed out, and something you should have known as a tech writer, physical access to the machine already negates any and all security you could have in place. Even more so when this "flaw" requires one to be logged into the machine to begin with.

one of the reason i use chrome as my 2nd browser of choice, after firefox (with the master password of course always enabled)!

And if you enter your credentials upon setup, which a lot of people do, then Windows 8 ties your user account to your Windows Live account. So if somebody comrpomises your Windows Live account, which has happened to me before and I do NOT use simple passwords, then they may also have access to your stored IE passwords. Reference this screenshot:
http://ubuntuone.com/4mhlBvOXIxl8c0rOjL1CAD

I thought it's a rather convenient feature.
Sometimes I forgot my password and I just pop in chrome to take a peek.

Of course, passwords with access to my real identity are not saved.
I saved only passwords of disposable accounts.

I just tried this and I don't get the "show" button.

edit: never mind, I didn't CLICK on the password field, I was just hovering over it before. Now I get the button.

"serious design flaw"?
really?
how can one be worried 'bout stolen passwords while letting someone access your machine in the first place, it's like worrying about someone see your personal documents in the drawer while letting the house's front door open, it's ridiculous.

also this isn't a new feature from Chrome.

I'm pretty sure firefox does the same thing. Anyway, if someone has physical access to your account your security is already compromised.

Commenting is disabled on this article.