Google Chrome Security Flaw Offers Unrestricted Password Access

MEDIA, WHISTLEBLOWING - SURVEILLANCE, 12 Aug 2013

Charles Arthur – The Guardian

Plain text logon details for email, social networks and company systems stored in browser’s Settings panel.

A serious flaw in the security of Google’s Chrome browser lets anyone with access to a user’s computer see all the passwords stored for email, social media and other sites, directly from the settings panel. No password is needed to view them.

Besides personal accounts, sensitive company login details would be compromised if someone who used Chrome left their computer unattended with the screen active.

Seeing the passwords is achieved simply by clicking on the Settings icon, choosing “Show advanced settings…” and then “Manage saved passwords” in the “Passwords and forms” section. A list of obscured passwords is then revealed for sites – but clicking beside them reveals the plain text of the password, which could be copied, or sent via a screenshot to an outside site.

But the head of Google’s Chrome developer team, Justin Schuh, said he was aware of the weakness and that there were no plans to change the system.

That response was described by Sir Tim Berners-Lee, the British inventor of the web, as “disappointing”. He characterised the flaw as “how to get all your big sister’s passwords”.

Chrome is one of the three most widely-used browsers on desktops worldwide, along with Microsoft’s Internet Explorer and Mozilla’s Firefox. It has millions of users and is seen by some as crucial to Google’s future efforts to monetise web use, by tying users to Google accounts and synchronising between their desktop and mobile systems.

Elliott Kember, a UK-based software developer from New Zealand who discovered the flaw, commented: “In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It’s the mass market – the users. The overwhelming majority. They don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay.”

Other browsers have previously had similar flaws with password visibility – and closed them. In 2010, Firefox was revealed to use the same “plain text” storage that Chrome is being criticised for – and added a master password option requirement. Some versions of Microsoft’s Internet Explorer have also had the same failings. Apple’s Safari requires the user to enter a master password before it will show stored passwords.

Schuh wrote on Hacker News that “We’ve also been repeatedly asked why we don’t just support a master password or something similar, even if we don’t believe it works. We’ve debated it over and over again, but the conclusion we always come to is that we don’t want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything.”

However the position was criticised by other developers. “A good safe is judged by the time required to break it,” wrote “marcgg”. “There is no safe that is unbreakable, you just need to put enough time, effort and noise to open it. Same thing could be applied here. Installing software, dump the cookies and so on requires time. Right now with this security a person could get my password in a couple of clicks with almost no technical knowledge.”

One security manager at a publishing company said: “The fact you can view the passwords means they are stored in reversible form which means that the dark coders out there will be writing a Trojan to steal that password store as we speak.”

Go to Original – theguardian.com

Share this article:


DISCLAIMER: The statements, views and opinions expressed in pieces republished here are solely those of the authors and do not necessarily represent those of TMS. In accordance with title 17 U.S.C. section 107, this material is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. TMS has no affiliation whatsoever with the originator of this article nor is TMS endorsed or sponsored by the originator. “GO TO ORIGINAL” links are provided as a convenience to our readers and allow for verification of authenticity. However, as originating pages are often updated by their originating host sites, the versions posted may not match the versions our readers view when clicking the “GO TO ORIGINAL” links. This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a ‘fair use’ of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. For more information go to: http://www.law.cornell.edu/uscode/17/107.shtml. If you wish to use copyrighted material from this site for purposes of your own that go beyond ‘fair use’, you must obtain permission from the copyright owner.

Comments are closed.