Google Chrome password access bug discovered


A security flaw has been uncovered in Google's Chrome web browser that can give anyone unfettered access to users' stored logins, and there are reportedly no plans to fix it.

The bug was discovered by software developer Elliott Kember, who found that in the password section of the browser's settings panel, saved passwords can be revealed in plain text simply by clicking a button labelled 'show'.

"There's no master password, no security, not even a prompt that 'these passwords are visible'," said Kember in a blog post highlighting the problem.

Kember said that while some developers are aware of this flaw, everyday users are not.

"In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market - the users. The overwhelming majority. They don't know it works like this.

"They don't expect it to be this easy to see their passwords. Every day, millions of normal, everyday users are saving their passwords in Chrome. This is not okay," he said.

However, Justin Schuh, Chrome browser security tech lead at Google, said this is not a fault and the company is not going to change it.

"The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theatre," he wrote on Hacker News.

"We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behaviour. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get," he concluded.

While many commenters agreed a master password or other additional security layer would not stop a determined and knowledgeable hacker, they argued it would help prevent crimes of opportunity.

In a tweet, Tim Berners-Lee, inventor of the World Wide Web, described the flaw as "how to get all [your] big sister's passwords" and said the reply from Schuh was "disappointing".

Another set of security bugs has also been found in the past 48 hours, this time affecting a number of Mozilla products.

The foundation has released updates for Firefox 23.0, Firefox ESR 17.0.8, Thunderbird 17.0.8, Thunderbird ESR 17.0.8 and SeaMonkey 2.20 to address multiple vulnerabilities that could, according to an advisory notice from the United States Computer Emergency Readiness Team (US-CERT), allow hackers to remotely cause a denial of service condition, conduct a cross-site scripting attack, execute arbitrary code, or bypass restrictions.

Administrators and users of these products are advised to apply the updates to avoid falling victim to an attack.

Jane McCallion
Deputy Editor