Security flaw in Chrome browser reveals plain-text passwords without authentication

Image: thehayden.org

The Guardian reports that a security flaw in Chrome allows anyone with access to a computer to view all of the saved logins without requiring any form of authentication.

A serious flaw in the security of Google’s Chrome browser lets anyone with access to a user’s computer see all the passwords stored for email, social media and other sites, directly from the settings panel. No password is needed to view them.

Besides personal accounts, sensitive company login details would be compromised if someone who used Chrome left their computer unattended with the screen active.

Passwords are accessed by clicking the menu icon (top-right), selecting Settings, clicking Show advanced settings at the bottom of the screen and then, in the Passwords and forms section, clicking Manage saved passwords. Passwords are initially obscured, but clicking the obscured password displays a Show button which then reveals the plain text password.

We’ve just tried it here, and it works. Bizarrely, Justin Schuh of Google’s Chrome developer team is cited as saying Google is aware of the weakness but has no plans to fix it. World Wide Web inventor Tim Berners-Lee called Google’s response “disappointing”, describing it in whimsical terms as “how to get all your big sister’s passwords.”

Someone would need physical or remote access to the computer to do this, but there are many shared computers in both home and work environments. It could be argued that access to the machine already allows you to log in to any of the stored sites directly; the difference here is that you’d be able to note a login and then use it later on a different machine.

Most browsers have a similar password-reveal function, but require a master password to be entered before passwords are displayed. In Safari on a Mac, logins are stored in Keychain, and your Mac password is required to reveal website passwords.

Comments

  1. djsparky2009 - 11 years ago

    And no plans to fix it….good grief

  2. “google development team” can say whatever they want. They will be told to resolve the issue asap…

  3. William Judd (@wsjudd) - 11 years ago

    This has been true since Chrome launched… kind of amusing that everyone is only freaking out about it now.

  4. Moises Agudo - 11 years ago

    but, but, but, it’s an open architecture

  5. Tristan (@Tkf530) - 11 years ago

    It’s okay. The NSA has all my passwords already.

  6. Dan Bennett (@DanBennett) - 11 years ago

    This has been around for years.
    And it’s great! Takes a while to find but it’s great for when you forget a password.

    I enjoy it!

    Just don’t give someone access to your computer if you don’t trust them. And have a lock on your password.

    Let’s stop being so anal with “security” and bring some common sense in ffs!

  7. teilo - 11 years ago

    First of all, Chrome on the Mac works exactly like Safari, because passwords are stored in the OS X keychain. Second, Firefox on all platforms works exactly like Chrome on Windows. No password required. This is by design.

  8. Diji (@Diji) - 11 years ago

    Firefox has this same “flaw”. Go to Preferences, Security, and click on Saved Passwords. In the dialog that appears, click “Show Passwords”. Is this really an issue? If someone has physical access to your computer, your passwords may not be your only worry.

  9. NQZ (@surgesoda) - 11 years ago

    Firefox has the same problem and the “master password” option to protect this is NOT enabled by default.

  10. Joel Senders - 11 years ago

    Everyone who is saying this isn’t a problem clearly does not administrate any kiosk machines or shared-use machines in a large environment.

    It is a major security problem.

  11. If someone has physical access to your PC, your passwords on Chrome are not your biggest worry. I think the title of this article should be changed to: “Major security flaw in all computers – Users can choose not to password protect their computer”. THAT is what the problem is here, not Chrome.

Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!