Chrome password security found to be flawed, but Google basically says aren’t we all

Chrome users’ website passwords can be easily accessed in plain text, a software developer has pointed out. But don’t bother calling security: Google knows about it, and the engineer in charge says the company has no plans to fix the flaw.

In a blog post titled “Chrome’s insane password security strategy,” developer Elliott Kember details how evildoers, or maybe those who are just plain nosy, could access passwords saved in Google’s Chrome browser: A user would go to Settings, then Show advanced settings, then head to the Passwords and forms section and click Manage saved passwords. At first glance, the list of saved passwords looks safe because all one sees is asterisks, but clicking Show next to each password reveals it in plain text. Kember writes:

In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It’s the mass market — the users. The overwhelming majority. They don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, everyday users are saving their passwords in Chrome. This is not okay.

But Justin Schuh, who says on Hacker News (HT to the Guardian) that he’s the Chrome browser security tech lead, thinks differently. Schuh writes that giving anyone your Google password enables access to your Google accounts anyway, so measures such as making it harder to view the saved passwords would be moot:

We don’t want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that’s really what they get.

So what does all this mean for you, Chrome user? (The latest numbers show there are more and more of us.) If you use the browser on a computer that only you can access, it might be hard for you to get excited about the flaw; you might even consider it a feature that’s useful for looking up saved passwords. But if you have Chrome installed on more than one computer and any of them can be accessed by others — and you’re automatically signed in to the browser — then it could be a problem.

A couple of things you can do: Don’t save passwords when you use Chrome. But that could be a pain: a trade-off between security and convenience. Or only save passwords for websites whose passwords you wouldn’t mind anyone seeing. You can also delete any saved passwords by taking the steps mentioned above and clicking on the X next to each one.


Photo: Google’s Eric Schmidt talks Chrome. (Associated Press archives)



  • Bruce

    The same is true for other browsers. Lastpass on installation offers to import passwords stored in browsers. How secure is any browser’s saved passwords?

  • I have never had good luck with Chrome. It messed up my pc once and now I’m even wary of using it on my smartphone. Thanks for this article though. It might explain a few things.

  • babjunk

    “But if you have Chrome installed on more than one computer and any of them can be accessed by others — and you’re automatically signed in to the browser — then it could be a problem.”

    This is true for any browser on any machine. If you save passwords in a browser, and someone else can access your OS user account, they will have access to your passwords in Internet Explorer, Firefox, Chrome, Safari, etc. If you believe that a browser password will protect you from an attacker who has direct access to your computer, you are being fooled.

    This is a great example of a poorly written article in the Guardian being picked up and spewed out by other writers who don’t realize the story doesn’t make any sense.

    • Levi Sumagaysay

      Babjunk: The point is, saved passwords in Chrome can be seen in plain text. I never claimed that passwords automatically stored in other browsers can’t allow others to log in to websites using credentials that aren’t their own.

      • bruce

        Firefox does it. Why all the whoo-de-doo about Chrome?

  • This is a non-issue in that if you give someone access to your account and profile on your computer, you have already given the store away. And Firefox operates the same. And if Firefox, an ‘Open Source’ browser can import the info from IE, then IE is vulnerable too.

    So don’t let people use your computer!!

  • willy

    I’ve never used Chrome, because it’s easy to see that it is not safe.
    For a password to all Google services I solved
    with a very simple system, I redirected my email to another service.
    Now use the Google search engine without login. Easy
