Poor design decision in Chrome makes it easy to steal passwords

Chrome password feature

The browser market is one the most competitive landscapes in the tech industry with Google, Microsoft, Firefox and Apple all pushing their respective products. While Microsoft has been running media campaigns for Internet Explorer to help reshape its image and Firefox has also been doing a bit of new marketing for its platforms as well, the market is fiercely competitive with IE keeping the market share crown, for now.

Chrome, on the other hand, has been running advertisements but not nearly as aggressively as Microsoft, but thanks to a new and somewhat serious design decision, Google will need to find a way to avoid the impending black eye from security researches and the general public.

While some are calling this a ‘flaw’ of Google Chrome, which would This is a poor design decision that was intentionally put in place indicate that this was an unintentional issue, the fact is, the process to uncover the passwords, which are viewed in plain text, is a poor design decision that was intentionally put in place. The easily accessible plain-text passwords can allow anyone using your machine to lift your confidential data in seconds, if they know what they are doing.

To access the plain-text passwords in Chrome, click settings -> show advanced settings -> manage saved passwords -> then you click “show password” next to each item to reveal the individual password for that account. As noted, by performing this process, it’s clearly a feature of Chrome, albeit, if someone uses your personal machine and knows this trick, they can easily steal your passwords.

Google has indicated to the Guardian that it has no plans to lock down this feature.

If you are using Firefox, that browser has a very similar feature Firefox has a similar issue that presents your passwords in plan text but does provide the option of putting a master-password on your account to prevent such nefarious activities. But, as Frank Becker pointed out on Twitter, that feature is unchecked by default, so Firefox has nearly the same issue as Chrome.

Suffice to say, letting anyone use your machine if you use these browsers should be done so with caution, as it only takes a few clicks to steal your sensitive information. If there is enough backlash, we suspect Chrome and Firefox will eventually force the master password feature to protect the end user but as it stands now, it’s quite easy to steal the sensitive information from both Chrome and Firefox users.

Via: Guardian

Report a problem with article
Previous Story

Amazon offers digital downloads for UK customers

Next Story

Crossbar: RRAM will have twice the density of NAND for the same cost

80 Comments

Commenting is disabled on this article.

I'm pretty sure firefox does the same thing. Anyway, if someone has physical access to your account your security is already compromised.

"serious design flaw"?
really?
how can one be worried 'bout stolen passwords while letting someone access your machine in the first place, it's like worrying about someone see your personal documents in the drawer while letting the house's front door open, it's ridiculous.

also this isn't a new feature from Chrome.

I just tried this and I don't get the "show" button.

edit: never mind, I didn't CLICK on the password field, I was just hovering over it before. Now I get the button.

I thought it's a rather convenient feature.
Sometimes I forgot my password and I just pop in chrome to take a peek.

Of course, passwords with access to my real identity are not saved.
I saved only passwords of disposable accounts.

And if you enter your credentials upon setup, which a lot of people do, then Windows 8 ties your user account to your Windows Live account. So if somebody comrpomises your Windows Live account, which has happened to me before and I do NOT use simple passwords, then they may also have access to your stored IE passwords. Reference this screenshot:
http://ubuntuone.com/4mhlBvOXIxl8c0rOjL1CAD

one of the reason i use chrome as my 2nd browser of choice, after firefox (with the master password of course always enabled)!

Oh, look. Another one of Brad's "Bash anything not made by MS" articles. As others have already pointed out, and something you should have known as a tech writer, physical access to the machine already negates any and all security you could have in place. Even more so when this "flaw" requires one to be logged into the machine to begin with.

If you are in an Active Directory environment and add the Google Chrome ADMX policy templates, it has an option to disable the viewing of stored passwords in plain text.

I understand that's not helpful for home users, but wanted to throw that out there as an FYI.

OK, so this article has the access to the passwords as click here there and there, and everyone seems to be focused on physical access to the PC.

Another story I read said you can get to the page with chrome://something/something.....
Would this not open that password store up to anyone with some JS knowledge?

chrome is the slowest browser i have ever used. it takes ages to start and consumes so much memory it is insane

DaveBG said,
chrome is the slowest browser i have ever used. it takes ages to start and consumes so much memory it is insane

Confirmed. I just opened up the same site in IE10, FF, and Chrome.

IE used 61K memory
Chrome opened up four processes each using between 60k and 85k memory
FireFox used 171k memory

Thrackerzod said,
Your computer must be really terrible, or are you just making that because your a Firefox/IE fan?

i have several computers and also work as support. chrome is the heaviest browser

This exists in OS X on Safari, and on Windows and OS X and Linux with Firefox too. I'm pretty sure you can use a javascript bookmarklet to do the same on IE, also.

How in the world is this news?

Whatever, as soon as someone gains access to your computer you've already lost all hope of security. You can easily decrypt the passwords that IE stores in the registry.

Don't you have a password protected user session to protect your stuff already?

If someone has access to your session and wants to screw you up with your saved passwords, getting them to not show up in the browser settings doesn't really solve anything, they could just copy your whole browser's profile and use it on another computer.

The issue here seems to be basically that if you don't bother protecting your session then your stuff is not safe. Fair enough, right?

LogicalApex said,
Is this all that different from IE 10? Which has a eye icon that when clicked will expose the clear text password.

This only works with passwords you have manually entered. Automatically filled in passwords do not have the icon.

LogicalApex said,
Is this all that different from IE 10? Which has a eye icon that when clicked will expose the clear text password.
No, it's not. You can only view the password when filled in on the right site and only if it's not a remembered password, however, then you already have to know the password before you can look what's the password.

siah1214 said,

This only works with passwords you have manually entered. Automatically filled in passwords do not have the icon.

Ah I interesting. I don't think I've ever saved a password in IE 10 which is why I wasn't aware that it made this distinction.

To be fair to Google though you can use one of a zillion utilities to unmask password boxes on Windows. I haven't used any in the post UAC era, but I'm sure they don't require UAC elevation for non-elevated processes like a browser.

Studio384 said,
No, it's not. You can only view the password when filled in on the right site and only if it's not a remembered password, however, then you already have to know the password before you can look what's the password.

But you can still get the value using javascript. So if you have physical access to the computer you're still screwed.

To the author of the article: stop trying to force IE upon us readers. Most of us believe in common sense, and wouldn't save passwords in the first place on a family/shared computer - that's just stupid.

As I have a different password for every site I logon to, it's sometimes handy to refer back to a password list in case I forget (one).

It would be good if you had to enter a password to view the passwords list though...

Edited by 68k, Aug 7 2013, 1:02pm :

I'm not saying it sucks. I choose not to use it, due to it's limited customization options. Users of XP have to put up with IE 8... or they can choose something "modern" like Firefox or Chrome.

The latest public version of IE is a big step forward (at last).

68k said,
I'm not saying it sucks. I choose not to use it, due to it's limited customization options. Users of XP have to put up with IE 8... or they can choose something "modern" like Firefox or Chrome.

The latest public version of IE is a big step forward (at last).

lol, users of a 13 year old operating system searching for something more "modern"

I don't see it as the big problem... if someone can access your computer under your account... then they can do whatever more harm than this.... The point is if someone can get into your computer and can access your account then it's the END.

Kasteo said,
I don't see it as the big problem... if someone can access your computer under your account... then they can do whatever more harm than this.... The point is if someone can get into your computer and can access your account then it's the END.

This is exactly the point. Security starts and ends with the user. If you give physical access to the machine and account then you have given away any notion of security.

Tempus said,
This is exactly the point. Security starts and ends with the user. If you give physical access to the machine and account then you have given away any notion of security.

Agreed entirely. I'm not one to defend Google (ever), but if someone's already at your computer and logged into your account, then having these browser passwords shown is just a very small part of the damage that can be made.

Kasteo said,
I don't see it as the big problem... if someone can access your computer under your account... then they can do whatever more harm than this....
I partially disagree - if your computer is unlocked then sure someone can log into forums and stuff and do bad stuff while they're physically at your computer. (I'm thinking a co-worker at work using your accidentally unlocked desktop) If they have a 30 second method to get all your saved plain text passwords, then they know all of your passwords and can cause problems whenever they want, without needing to worry about time before they get caught, and probably see your password patterns and guess all your other passwords, PINs, etc. Subtle difference.

I don't get what is the problem?.
a) the user entered the password, then it is pointless to try to hide it (unless you can **** off users, i.e. iexplorer behavior).
b) the password is already entered then it is displayed in the web. Then it is also pointless since it is possible to see it in the source code of the page.

I don't see the problem.

Either create a login account or keep people you don't trust away from your stuff.

Firefox is exactly the same, go into your security, click "saved passwords", click "show passwords", when it asks if you're sure, click "yes"

Apparently the only company that cares about your passwords staying hidden is Microsoft....

siah1214 said,

Apparently the only company that cares about your passwords staying hidden is Microsoft....

Because there aren't many other ways to recover those passwords...

Just to name one:
http://www.nirsoft.net/utils/internet_explorer_password.html

If people have access to your machine, there's little you can do if you don't use a third-party tool. Heck, I can log right into your account using Kon-Boot. Don't even need the password. BTW, that's for MICROSOFT Windows.

farmeunit said,

Because there aren't many other ways to recover those passwords...

Just to name one:
http://www.nirsoft.net/utils/internet_explorer_password.html

If people have access to your machine, there's little you can do if you don't use a third-party tool. Heck, I can log right into your account using Kon-Boot. Don't even need the password. BTW, that's for MICROSOFT Windows.


No, you couldn't, because I have a UEFI bios (which beats Kon Boot)
Windows Defender won't even let ie passview onto my computer (I had to disable that and smart screen to get it to work)

That's much more difficult (system level changes that only an administrator can make) than popping into your options and clicking a button.

siah1214 said,
Windows Defender won't even let ie passview onto my computer

LOL, okay, good luck with that. In truth, full hard drive encryption is the only way to keep your information safe, assuming someone else has physical access to your computer.

sphbecker said,

LOL, okay, good luck with that. In truth, full hard drive encryption is the only way to keep your information safe, assuming someone else has physical access to your computer.


You totally ignored the next part where I did disable it and got it work? As far as drive encryption goes, it's a good thing I have bitlocker then, eh? >.< A few steps and my computer is fort knox. Good luck getting anything off of it.

siah1214 said,

No, you couldn't, because I have a UEFI bios (which beats Kon Boot)
Windows Defender won't even let ie passview onto my computer (I had to disable that and smart screen to get it to work)

That's much more difficult (system level changes that only an administrator can make) than popping into your options and clicking a button.

False, Kon-Boot is able to boot through UEFI: https://twitter.com/theLEAD82/status/322003201547186179

siah1214 said,

You totally ignored the next part where I did disable it and got it work? As far as drive encryption goes, it's a good thing I have bitlocker then, eh? >.< A few steps and my computer is fort knox. Good luck getting anything off of it.

I wasn't saying good luck getting Windows Defender to block something, that isn't hard. I meant good luck if you expect Windows Defender to protect you when someone has physical access to your computer, it will not. Glad to hear you are running BitLocker. Its great and really easy to setup!

sviola said,
Easy fix: don't let the browser save your passwords.

or let you select a master password for decryption. or dont allow a user to show them at all

-adrian- said,

or let you select a master password for decryption. or dont allow a user to show them at all
I'm pretty sure it encrypts it without a password too, but obviously reveals them in the UI upon request. And the Master Password feature I use, but it needs a lot of work. For example, the master password must be typed in to login with saved passwords anywhere. And so a master password window pops up to enter it. The problem with that is it can end up behind Firefox which can be annoying... It'd be much better if the master password dialog was incorporated into the browser's UI or was only required to look at other passwords.

kurupy said,
Err... hasn't it been like this for a while?

I wouldn't be worried. Chrome is awesome and IE sucks, as long as you don't use IE then you don't have anything to worry about.

sphbecker said,

I wouldn't be worried. Chrome is awesome and IE sucks, as long as you don't use IE then you don't have anything to worry about.

This is sarcasme. Right?

It's also like this in Firefox well before Chrome came about. At least the last time I used it anyway... a few years ago.

Guest accounts exist for a reason. It's very simple, just don't share your accounts with anyone, not Windows accounts, not Google accounts, nothing.

This...

It is too simple to provide a Guest or even a full MS Account (Windows 8) on your system for others to use.

As much as I would like to jump on Google sucks, in reality, if you are letting a person use your computer that is logged in as you, they can already access (even by accident) a lot of local and online content.

Even with your spouse, they should have a separate account on the same computer, even if you share your password with them. This allows them and you to have your own settings and preferences.

Spicoli said,
How can browsers be a competitive marketplace when no one charges for them?

That my friend - can be answered by the EU

I can recommend KeePass password databases to everyone. No need to store passwords in the browser, browser plugins can fill the passwords for you even in sights that dont allow the browser to fill the passwords like banking sites and you can easly generate passwords whilest new accounts are created to have a random password on every account. In combination with a Cloud drive it is accessible from different locations and encrypted.

This. I have a very long password including symbols not found on a desktop keyboard which I use as a master password for my KeePass database stored in my SkyDrive. Accessible from all computers and even my Windows Phone.

Wow - it's the same on OS X. Why don't they just let Keychain (on OS X anyway) do it's job. Store passwords in there, you can access them with the user password.

Brian M said,
Wow - it's the same on OS X. Why don't they just let Keychain (on OS X anyway) do it's job. Store passwords in there, you can access them with the user password.

I've had the same question about lots of stuff chrome does... heck why not use the favorites folder in windows to store favorites?... you know stuff MS tried to standardize in their OS but no one seems to adhear to...

Max Norris said,
Disable the built in password manager and use a different one like LastPass or whatever.

Always do disable ANY password manager and wouldn't use a third party one in a million years!

Don't use Chrome either, but other browsers do have that password manager junk in them.

pack34 said,
His or her brain?

Sure, if you use the same easily guessed password on every site maybe. Try remembering a bunch of strong passwords, each site having one that's unique.. something along the lines of "EBv2pATIojG5jPbc".

SharpGreen said,

lol. That would just make your PWs 100x easier to steal. Unless you encrypted it.

Which I believe is what Lastpass does. Use it. Love it.

Max Norris said,

Sure, if you use the same easily guessed password on every site maybe. Try remembering a bunch of strong passwords, each site having one that's unique.. something along the lines of "EBv2pATIojG5jPbc".

That's not a particularly strong password. And remembering actual strong passwords isn't particularly hard, just requires a bit of initial repetition.

Of course you need to avoid being over paranoid. A password for your online banking should be considerably more complex than one for something like an online forum!!

mattm591 said,
That's not a particularly strong password. And remembering actual strong passwords isn't particularly hard, just requires a bit of initial repetition.

It was just a random keyboard mash to show an example versus something "original" like "PasswordX" or "54321" other such nonsense. Mine are considerably more complex and each one is unique, my own personal vault currently has 238 entries in it. Good luck memorizing all that.

mattm591 said,
Of course you need to avoid being over paranoid. A password for your online banking should be considerably more complex than one for something like an online forum!!

Nowadays I don't think you can be over paranoid.. if you haven't heard, web servers are hacked at an absurd rate, and it's not just online banking sites. Besides, the software manages them for you.. why do something stupid by using a weak password when it's doing the work for you anyway? Kind of surprised to see people actually arguing against better online security, especially when it takes less effort to do it.

SharpGreen said,

lol. That would just make your PWs 100x easier to steal. Unless you encrypted it.

Yep, if someone manages to comprimise my system (not happened in all the years of computing) and then steal the dull-named file, buried under a number of other folders, amongst other files.