Chrome users’ website passwords can be easily accessed in plain text, a software developer has pointed out. But don’t bother calling security: Google knows about it, and the engineer in charge says the company has no plans to fix the flaw.
In a blog post titled “Chrome’s insane password security strategy,” developer Elliott Kember details how evildoers, or maybe those who are just plain nosy, could access passwords saved in Google’s Chrome browser: A user would go to Settings, then Show advanced settings, then head to the Passwords and forms section and click Manage saved passwords. At first glance, the list of saved passwords looks safe because all one sees is asterisks, but clicking Show next to each password reveals it in plain text. Kember writes:
In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It’s the mass market — the users. The overwhelming majority. They don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, everyday users are saving their passwords in Chrome. This is not okay.
But Justin Schuh, who says on Hacker News (HT to the Guardian) that he’s the Chrome browser security tech lead, thinks differently. Schuh writes that giving anyone your Google password enables access to your Google accounts anyway, so measures such as making it harder to view the saved passwords would be moot:
We don’t want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that’s really what they get.
So what does all this mean for you, Chrome user? (The latest numbers show there are more and more of us.) If you use the browser on a computer that only you can access, it might be hard for you to get excited about the flaw; you might even consider it a feature that’s useful for looking up saved passwords. But if you have Chrome installed on more than one computer and any of them can be accessed by others — and you’re automatically signed in to the browser — then it could be a problem.
A couple of things you can do: Don’t save passwords when you use Chrome. But that could be a pain, a trade-off between security and convenience. Or only save passwords for websites whose passwords you wouldn’t mind anyone seeing. You can also delete any saved passwords by taking the steps mentioned above and clicking on the X next to each one.
Photo: Google’s Eric Schmidt talks Chrome. (Associated Press archives)