Chrome browser can release your passwords in just a few clicks

UK programmer Elliott Kember has raised a concerning issue on his blog this week. Google Chrome and Mozilla Firefox can reveal a logged-in user's saved passwords in just a few clicks. According to The Register, there is now a debate over whether this is a ‘common feature’ or a glaring security issue.

If the user is working in Chrome, you can key in chrome://settings/passwords, click on a starred-out saved website password and then click ‘show’. In an office environment, you could theoretically get the passwords of anyone in the office without much effort.

Kember said that it was a ‘silly feature’ that needs fixing. “In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It’s the mass market – the users. The overwhelming majority. They don’t know [Chrome] works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not OK. Today, go up to somebody non-technical. Ask to borrow their computer. Visit chrome://settings/passwords and click “show” on a few of the rows. See what they have to say.”

Kember says that protecting these saved passwords with a main password would be a good move, protecting all saved details.

Chrome's team lead Justin Schuh said that if someone has direct and physical access to the computer then there is no point even trying to protect those passwords, as anything can be broken with the machine in hand. He said, “I appreciate how this appears to a novice, but we've literally spent years evaluating it and have quite a bit of data to inform our position. And while you're certainly well intentioned, what you're proposing is that we make users less safe than they are today by providing them a false sense of security and encouraging dangerous behaviour. That's just not how we approach security on Chrome.”

The Register adds that Firefox is also vulnerable. Open preferences, hit the ‘Saved Passwords’ button in the security tab and then press ‘show passwords’. That said, a master password can be set up in Firefox to protect credentials. Opera follows the same structure of a ‘master’ password.

KitGuru says: Is this an important issue? Or should you realistically never let anyone use your computer without supervision anyway?


4 comments

  1. I was right, never let a browser store your passwords.

  2. Also the same thing happens to Firefox too, but Firefox has a master password ability, you can say to me, but the default settings don’t require a master password and don’t inform the user about it either. Best solution is to log off your account every time you are away from your system.

  3. Simply lock your computer when you go away from it and if anybody needs to use it, create them their own non-admin account. Simples

  4. Not a big issue really… and sometimes I’ve taken advantage of this feature in order to remember a password I’ve forgotten.

    Anyone that paranoid about their passwords should use LastPass.