Security flaw in Chrome browser reveals plain-text passwords without authentication

The Guardian reports that a security flaw in Chrome allows anyone with access to a computer to view all of the saved logins without requiring any form of authentication.

A serious flaw in the security of Google’s Chrome browser lets anyone with access to a user’s computer see all the passwords stored for email, social media and other sites, directly from the settings panel. No password is needed to view them.

Besides personal accounts, sensitive company login details would be exposed if a Chrome user left their computer unattended with the screen unlocked.

Passwords are accessed by clicking the menu icon (top-right), selecting Settings, clicking Show advanced settings at the bottom of the screen and then, in the Passwords and forms section, clicking Manage saved passwords. Passwords are initially obscured, but clicking an obscured password displays a Show button, which then reveals the password in plain text.

We’ve just tried it here, and it works. Bizarrely, Justin Schuh of Google’s Chrome developer team is cited as saying Google is aware of the weakness but has no plans to fix it. World Wide Web inventor Tim Berners-Lee called Google’s response “disappointing”, summing up the issue in whimsical terms as “how to get all your big sister’s passwords.”

Someone would need physical or remote access to the computer to do this, but there are many shared computers in both home and work environments. It could be argued that access to the machine already allows you to simply log in to any of the stored sites directly; the difference here is that you’d be able to note a login and then reuse it later, from a different machine, long after the owner had returned. The practical mitigation is the same as for any unattended machine: lock the screen whenever you step away.

Most other browsers have a similar password-reveal function, but require a master password (where one has been set) to be entered before stored passwords are displayed. In Safari on a Mac, logins are stored in Keychain, and your Mac account password is required to reveal website passwords.