The Guardian reports that a security flaw in Chrome allows anyone with access to a computer to view all of the saved logins without requiring any form of authentication.
A serious flaw in the security of Google’s Chrome browser lets anyone with access to a user’s computer see all the passwords stored for email, social media and other sites, directly from the settings panel. No password is needed to view them.
Besides personal accounts, sensitive company login details would be compromised if someone who used Chrome left their computer unattended with the screen active.
Passwords are accessed by clicking the menu icon (top-right), selecting Settings, clicking Show advanced settings at the bottom of the screen and then, in the Passwords and forms section, clicking Manage saved passwords. Passwords are initially obscured, but clicking the obscured password displays a Show button which then reveals the plain text password.
We’ve just tried it here, and it works. Bizarrely, Justin Schuh of Google’s Chrome developer team is cited as saying Google is aware of the weakness but has no plans to fix it. World Wide Web inventor Tim Berners-Lee called Google’s response “disappointing”, describing it in whimsical terms as “how to get all your big sister’s passwords.”
Although someone would need physical or remote access to the computer to do this, there are many shared computers in both home and work environments. It could be argued that access to the machine already allows you to log in to any of the stored sites directly, but the difference here is that you’d be able to note a login and then use it later on a different machine.
Most browsers have a similar password-reveal function, but require a master password to be entered before passwords are displayed. In Safari on a Mac, logins are stored in Keychain, and your Mac password is required to reveal website passwords.
And no plans to fix it….good grief
“google development team” can say whatever they want. They will be told to resolve the issue asap…
This has been true since Chrome launched… kind of amusing that everyone is only freaking out about it now.
but, but, but, it’s an open architecture
It’s okay. The NSA has all my passwords already.
This has been around for years.
And it’s great! Takes a while to find but it’s great for when you forget a password.
I enjoy it!
Just don’t give someone access to your computer if you don’t trust them. And have a lock on your password.
Let’s stop being so anal with “security” and bring some common sense in ffs!
First of all, Chrome on the Mac works exactly like Safari, because passwords are stored in the OS X keychain. Second, Firefox on all platforms works exactly like Chrome on Windows. No password required. This is by design.
See previous reply.
Firefox has this same “flaw”. Go to Preferences, Security, and click on Saved Passwords. In the dialog that appears, click “Show Passwords”. Is this really an issue? If someone has physical access to your computer, your passwords may not be your only worry.
Firefox allows you to protect them with a master password
Firefox has the same problem and the “master password” option to protect this is NOT enabled by default.
Everyone who is saying this isn’t a problem clearly does not administrate any kiosk machines or shared-use machines in a large environment.
It is a major security problem.
If someone has physical access to your PC, your passwords on Chrome are not your biggest worry. I think the title of this article should be changed to: “Major security flaw in all computers – Users can choose not to password protect their computer”. THAT is what the problem is here, not Chrome.