Huffpost Technology

Google In Hot Water Over Big Security Hole In Chrome

Posted: Updated:
Print

Google Chrome, the most popular web browser in the U.S., lets you save passwords for websites, so that every time you want to visit Facebook, Tumblr or any other password-secure page, you don't have to type them out again. But as one software developer discovered on Tuesday, that convenience comes at a cost.

Whenever someone uses your computer and opens Chrome, he or she has complete access to all your saved passwords with a few clicks of the mouse. Elliott Kember, a developer at design and development studio Riot, first pointed out the lax security on Chrome in a blog post on Tuesday.

To get a sense of how open your passwords are in Chrome, copy and paste "chrome://settings/passwords" into Chrome and hit "Enter," to see Chrome's page for managing passwords. This window will pop up:

google chrome security

Without entering a master password from Chrome or jumping though any other security loops, you can see the passwords just by clicking "Show." This means that any random Joe you let borrow your computer can memorize your login creditials with a few keystrokes.

It's compelling evidence to never let anyone you don't completely trust use your computer. It should be noted that someone using Chrome can always choose not to save passwords and delete saved passwords in the window above. But most people are unaware of just how accessible their most private information could become if they loan out their laptop for even a minute.

"[Everyday people] don’t know it works like this," Kember wrote on his blog. "They don’t expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay."

It doesn't look like much will change soon. Justin Schuh, head of Chrome security, responded to Kember's blog post by arguing that once a malicious hacker has gained access to your Chrome account, the game is already lost.

"We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works," the Google engineer wrote. "We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior."

Schuh didn't address the issue of someone swiping passwords from a borrowed computer, which would largely be resolved with a master password.

Google declined to comment to HuffPost beyond what Schuh wrote.

Earlier on HuffPost:

Close
9 Best Google Glass Parodies
of
Share
Tweet
Advertisement
Share this
close
Current Slide

Suggest a correction

Around the Web

Google Chrome's Insanely Open Password Security Strategy

"Serious' Google Chrome security flaw offers unrestricted password access

Google Chrome 'Hacked': How Your Passwords Can Be Exposed

 
From Our Partners