Google Has A Major Security Flaw In Chrome That Gives People Easy Access To Your Passwords

Google’s Chrome browser has a massive flaw that gives users easy access to see “saved” passwords on the web.

Here’s how it works. If you use Chrome, go to chrome://settings/passwords.

You see this:

Hover over one of the passwords:

Hit “show,” and … WHOA: Your passwords are exposed:

This only happens on passwords that you have told Chrome to save. If you say “deny” when given a chance to save passwords, then nobody can see them.

It also only happens if you’re logged in to Chrome through a Google account, but Google encourages you to log into Chrome, and the full advantages of Chrome come from being logged in.

This was originally discovered by Elliott Kember, and since then everyone in tech is talking about it.

Google says it’s not going to change anything. Justin Schuh, the head of the Chrome security team, says that the only real way to keep your Chrome account safe is to never give anyone you don’t trust access to the account.

“The only strong permission boundary for your password storage is the OS user account,” he says, “So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we’ve found that boundaries within the OS user account just aren’t reliable, and are mostly just theatre.”

This is sort of a crazy attitude.

There are a lot of situations where you might let someone you don’t know very well use your computer. For instance, a friend of a friend is at your apartment and asks to use your computer. You say, “OK.” Then that person quickly looks up your passwords and suddenly has access to your Facebook account, bank account, or work email, or whatever passwords you’ve saved.

Also, I bet people save a lot more passwords than they realise. For instance, when I checked my passwords, I saw a lot of saved passwords from my wife on my computer, who doesn’t use my computer all that often.

The easiest solution to this problem is a master password that you punch in before getting access to these saved passwords. Google says it doesn’t want to do that because it thinks that’s just giving people a false sense of security.
