How Google Chrome Lets Anybody See Your Passwords

BlackHat

Voter (50+ posts)
Elliott Kember, a software developer, discovered that anybody who clicks on the Chrome settings icon can see all of the passwords on that computer if he or she goes to the "Show advanced settings" and "Passwords and forms" sections.

Read more: http://blog.elliottkember.com/chromes-insane-password-security-strategy


His finding is also covered by the respected news agency the Guardian.

Chrome does something interesting when you first run it.
The other day, I was using Chrome in development for an Ember.js app. I use Safari for day-to-day browsing, but it has a habit of aggressively caching files when I least expect it, so from time to time I switch to Chrome.


I decided to hit Chrome's "Import bookmarks now" link and see whether I could import my bookmarklets from Safari, so things would be nice and consistent between the two browsers. I didn't expect this:
This struck me as particularly odd. Why is "Saved passwords" greyed out, and mandatory? Why have a check-box? This is the illusion of choice. I think it's deeply misleading, and this is why:


This is a page in Chrome's settings panel:

See that "Show" button? It does what you think it does.

There's no master password, no security, not even a prompt that these passwords are visible. Visit chrome://settings/passwords in Chrome if you don't believe me.


There are two sides to this: the developer's side and the user's side. Both roles have vastly different opinions as to how the computer works. Any time I try to draw attention to this, I get the usual responses from technical people:



  • Just use 1Pass
  • The computer is already insecure as soon as you have physical access
  • That's just how password management works


While all of these points are valid, this doesn't address the real problem: Google isn't clear about its password security.

In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market - the users. The overwhelming majority. They don't know it works like this. They don't expect it to be this easy to see their passwords. Every day, millions of normal, everyday users are saving their passwords in Chrome. This is not okay.

This dialog is even more misleading. By using words like "confidential information" and "stored in your keychain", OS X describes the current security of your saved passwords. It's the very security Chrome is about to bypass, by displaying your passwords, in plain text, outside your keychain, without requiring a password. When you visit a website, Chrome prompts for every password it can find for that domain.


Today, go up to somebody non-technical. Ask to borrow their computer. Visit chrome://settings/passwords and click "Show" on a few of the rows. See what they have to say.


I bet you it won't be "That's how password management works."


Updates:
Justin Schuh, who is head of Chrome security and called me a novice, says I'm wrong, and that this is not going to change.

Sir Tim Berners-Lee is with me. Is there a higher authority?

This is Google's page on saving passwords. Nothing about this feature. Why?



Covered in the press by:

TONIC

Chief Minister (5k+ posts)
Passwords... everything is being recorded... everything, even your keystrokes. Online security is a myth.
 

gre8nation

MPA (400+ posts)
Shows nothing for me in Saved Passwords. Ha! Because I never save passwords! :)
You might still not be smarter, as the passwords are encrypted in cookies, which can be decrypted with little effort. For minimum security you must reset your browser after use and delete cookies, especially when you are in an internet cafe or on someone else's machine.
 

rashidfarooq

Senator (1k+ posts)
What's strange??
I think you do not know anything about browsers. It is a common thing that each browser saves the password with the permission of the user, and the user can see the saved passwords any time. You can also see the saved passwords in Firefox and Internet Explorer.
 

BlackHat

Voter (50+ posts)
The problem which is pointed out here is the SHOW button, which when pressed dumps the password in clear PLAINTEXT. The other browsers encrypt your passwords, and therefore it requires some effort and proper knowledge to decrypt them.


What's strange?? I think you do not know anything about browsers. It is a common thing that each browser saves the password with the permission of the user, and the user can see the saved passwords any time. You can also see the saved passwords in Firefox and Internet Explorer.
 

BHAAI

Senator (1k+ posts)
Mozilla is more dangerous. I keep opening other people's computers and stealing passwords from their Mozilla. :banana:
 

uetian

Senator (1k+ posts)
Mozilla is more dangerous. I keep opening other people's computers and stealing passwords from their Mozilla. :banana:

Those poor fellows have no idea about the "Master Password"; that is why anyone can steal their passwords. Try cracking Mozilla's master password some time, brother (put on some perfume first).
 

rashidfarooq

Senator (1k+ posts)
The problem which is pointed out here is the SHOW button, which when pressed dumps the password in clear PLAINTEXT. The other browsers encrypt your passwords, and therefore it requires some effort and proper knowledge to decrypt them.
No, it is not a problem. There is also a "Show Password" button in Mozilla Firefox.
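The disagreement in the replies above (BlackHat: "the other browsers encrypt your passwords"; uetian: Firefox has a master password; rashidfarooq: Firefox also has a Show button) comes down to one question: who holds the decryption key. If the key sits in the user's unlocked session (an OS keychain item, or a DPAPI key tied to the logged-in account), then the browser can decrypt without asking, and so can anything else running as that user; a "Show" button is just a convenient front end to that. If the key is derived from a master password the user must type, the session holds nothing until the user supplies it, and an attacker with only the profile file has to guess. The following is an added example written for this thread, not code from the post, from Chrome or from Firefox. It models both designs in plain Python with only the standard library: the cipher is a toy (HMAC-SHA256 keystream, encrypt-then-MAC) chosen so it runs anywhere, the "keychain" is a dict, the credential, salt and wordlist are made up, and "Chrome Safe Storage" is used only as the name of the keychain entry in the model.

```python
"""Two ways to protect a saved browser password at rest, modelled side by side.

Added example for this thread; not Chrome's or Firefox's real code.
Cipher: HMAC-SHA256 in counter mode plus encrypt-then-MAC (toy, stdlib-only).
Keychain, vault blobs, credential, salt and wordlist are all constructed here.
"""
import hashlib
import hmac
import secrets

# Name of the keychain entry in this model (Chrome's macOS item has the same
# name, but the dict below is a stand-in, not the real keychain).
SESSION_ITEM = "Chrome Safe Storage"
MASTER_ITERATIONS = 200_000          # cost per guess for the master-password design
MASTER_SALT = b"constructed-salt"    # a real design uses a random per-profile salt


def derive_key(secret: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 -> 32-byte key. The iteration count is what makes guessing slow."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC(key, nonce || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, using separate encryption and MAC subkeys."""
    nonce = secrets.token_bytes(16)
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong (tag check fails)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def save_with_session_key(keychain: dict, password: bytes) -> bytes:
    """Session-key design: a random key lives in the login keychain. The browser,
    and anything else running in the unlocked session, can read it without a prompt."""
    if SESSION_ITEM not in keychain:
        keychain[SESSION_ITEM] = secrets.token_bytes(32)
    return seal(keychain[SESSION_ITEM], password)


def save_with_master_password(master: bytes, password: bytes) -> bytes:
    """Master-password design: the key exists only while the user is typing it."""
    return seal(derive_key(master, MASTER_SALT, MASTER_ITERATIONS), password)


def show_from_unlocked_session(keychain: dict, blob: bytes):
    """What a Show button does: decrypt with whatever key the session already holds."""
    key = keychain.get(SESSION_ITEM)
    return None if key is None else unseal(key, blob)


def offline_guess(blob: bytes, wordlist):
    """Attacker with only the profile file: each guess costs one full PBKDF2 run.
    Returns (guess, plaintext) on success, else None."""
    for guess in wordlist:
        plaintext = unseal(derive_key(guess, MASTER_SALT, MASTER_ITERATIONS), blob)
        if plaintext is not None:
            return guess, plaintext
    return None


def demo() -> dict:
    keychain = {}                                  # the logged-in user's unlocked keychain
    secret = b"correct horse battery staple"       # constructed saved password
    session_blob = save_with_session_key(keychain, secret)
    master_blob = save_with_master_password(b"hunter2", secret)
    return {
        # Session-key vault: plaintext comes back with no prompt at all.
        "session_show": show_from_unlocked_session(keychain, session_blob),
        # Master-password vault: the session holds no usable key, so nothing comes back.
        "master_show_from_session": show_from_unlocked_session(keychain, master_blob),
        # ...but a weak master password still falls to a short constructed wordlist.
        "master_offline": offline_guess(master_blob, [b"password", b"123456", b"hunter2"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two caveats the model makes visible. First, the session-key design is not worthless: it still protects a profile copied off a powered-down or locked machine, and that is what the keychain dialog in the post is describing; it just does nothing against a person sitting at the unlocked session, which is the case the post is about. Second, a master password only buys as much as its strength and the KDF cost: the offline loop recovers "hunter2" in three guesses, and a real implementation should use a random per-profile salt and an authenticated cipher such as AES-GCM rather than the toy cipher here. Firefox without a master password set behaves like the first design and its Show Passwords button reveals plaintext; with one set, it prompts for the master password first.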