
Google under fire for Chrome browser's password storage policy

post #1 of 79
Thread Starter 
Google is drawing criticism from security commentators and tech media observers for what is being called a flaw in its Chrome browser that allows anyone with access to a user's computer to see all of that user's passwords.



Provided an individual has access to a user's device and is already past the operating system's account password, one can directly view all of the passwords stored for email, social media, and other sites simply by navigating to Chrome's settings panel. The "flaw" in Chrome's structure was pointed out by software developer Elliott Kember, who discovered it when importing his bookmarks from Apple's Safari browser.

The Chrome settings panel, Kember discovered, has a Saved passwords section that displays the site name, the user name, and the password for any site where a user has saved that information. Passwords are initially hidden, but by simply selecting the site's row, a user can make a button appear to show the password for a site. Chrome requires no additional password entry to show site passwords.

Mozilla's Firefox browser operates in the same fashion, giving the user a dialog box that asks "Are you sure you want to show your passwords?" without asking for further verification.

Apple's Safari browser pops up a dialog requiring that a user enter the password for the currently logged in ID on that computer. Without entering that password, Safari will not show the others.

Kember says the issue represents a flaw in Chrome's password storage, and thus in the browser's security:

Google isn't clear about its password security.

In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market - the users. The overwhelming majority. They don't know it works like this. They don't expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay.



Responding to the controversy, the tech lead for Chrome's browser security team said that they had found that "boundaries within the OS user account [to protect passwords even when a user is logged in] just aren't reliable, and are mostly just theater."

Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.

We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get.



The "vulnerability" does require that a snooping user already be logged into another user's account on a machine. The Chrome team is aware of the password opening, and despite the controversy likely will not adjust that aspect of security.
post #2 of 79
That doesn't sound good. The more I read, the more Google should have stayed out of the smartphone, tablet, computer and browser market.

I'm glad I use only Safari and Firefox.
post #3 of 79

If it were Apple, this would be on CNN, Fox, and Jon Stewart.

Since this is Google, it's irrelevant.  Fanboys and iHaters will simply call this a "feature" and hope everyone forgets about it in a week.

post #4 of 79
Quote:
Originally Posted by AppleInsider View Post

Google is drawing criticism from security commentators and tech media observers for what is being called a flaw in its Chrome browser that allows anyone with access to a user's computer to see all of that user's passwords.

Mozilla's Firefox browser operates in the same fashion, giving the user a dialog box that asks "Are you sure you want to show your passwords?" without asking for further verification.

Apple's Safari browser pops up a dialog requiring that a user enter the password for the currently logged in ID on that computer.

 

 

Quote:
Originally Posted by drblank View Post

That doesn't sound good. The more I read, the more Google should have stayed out of the smartphone, tablet, computer and browser market.

I'm glad I use only Safari and Firefox.

 

I hope you didn't miss the paragraph in the article (above in bold) that states Firefox operates in the same way.

Why does Apple bashing and trolling make people feel so good?

post #5 of 79
As I said many many times, Google has no culture, no products (except search), no respect for people's privacy and no talent.

Even though they keep buying companies to get some smart developers, no matter how talented they are, as soon as they join Google, they become mother of all dumbs!

On another note, Google hasn't started sending requests to various sites to lower down their tunes on this yet another Google security messed up? They always do that, you know.

....the lack of properly optimized apps is one of the reasons "why the experience on Android tablets is so crappy".

Tim Cook ~ The Wall Street Journal - February 7, 2014

Inside Google! 

post #6 of 79
Remember the lock screen bypass for the iPhone where you get limited access if you're quick enough to perform the right sequence? People said it's no big deal since it requires the other person to have physical access to your device.

Gee, kinda sounds familiar, doesn't it? Now what will the apologists say to this issue when they slammed the "physical device access " that was required for the iPhone security flaw?

Author of The Fuel Injection Bible

post #7 of 79

Therefore I use Roboform.  Have been for 10 years or more and use it daily.
 

post #8 of 79
Quote:
Originally Posted by Disturbia View Post

Even though they keep buying companies to get some smart developers, no matter how talented they are, as soon as they join Google, they become mother of all dumbs!

 

Sounds like what friends said about RIM.

 

This is nothing anyways.  Chrome is still in beta almost half a decade after launch?

post #9 of 79
Quote:

Originally Posted by AppleInsider View Post
 

...Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants

 

 

So Google's attitude is since there are already issues with security, why bother with having (i.e., fixing) security on parts of the system where they can throw up a barrier. Seems to me they are saying "Well they got hold of the computer so we might as well give them access to everything else this person has access to."

 

Do no evil. Yeah...

post #10 of 79
Quote:
Originally Posted by AppleInsider View Post

Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.


Clear your cookies regularly. Browsing history is nowhere near as sensitive as passwords (and should also be cleared regularly). A person cannot install software (on OSX) without the account password. Game Not Lost!

Just for clarification: this is for the built in password manager right, or is Chrome saving passwords without permission?
post #11 of 79
Quote:
Originally Posted by Damn_Its_Hot View Post

So Google's attitude is since there are already issues with security, why bother with having (i.e., fixing) security on parts of the system where they can throw up a barrier. Seems to me they are saying "Well they got hold of the computer so we might as well give them access to everything else this person has access to."

Do no evil. Yeah...

As other posters here have commented under similar circumstances, it requires physical access to your computer (or smartphone or tablet as the argument would be) and so they proclaim it's not that big a deal.

In my opinion it's still not acceptable no matter if a malicious person needs your device in front of him or not. It's even an easy enough fix if Google chooses to do so, which I hope they do.
melior diabolus quem scies
post #12 of 79
Quote:
Originally Posted by iaeen View Post

Clear your cookies regularly. Browsing history is nowhere near as sensitive as passwords (and should also be cleared regularly). A person cannot install software (on OSX) without the account password. Game Not Lost!

Just for clarification: this is for the built in password manager right, or is Chrome saving passwords without permission?

Chrome doesn't save them without permission. It applies to the ones the user has asked Chrome to remember.
melior diabolus quem scies
post #13 of 79
Quote:
Originally Posted by EricTheHalfBee View Post

Remember the lock screen bypass for the iPhone where you get limited access if you're quick enough to perform the right sequence? People said it's no big deal since it requires the other person to have physical access to your device.

Gee, kinda sounds familiar, doesn't it? Now what will the apologists say to this issue when they slammed the "physical device access " that was required for the iPhone security flaw?

The information accessed under the iOS glitch was nowhere near as sensitive as passwords.

Also, when it was discovered Apple didn't make lame excuses, they fixed it.
post #14 of 79
Quote:
Originally Posted by Gatorguy View Post

Chrome doesn't save them without permission. It applies to the ones the user has asked Chrome to remember.

That's what I thought, and it's also why I never use these features.
post #15 of 79
Quote:
Originally Posted by Dickprinter View Post

 

 

 

I hope you didn't miss the paragraph in the article (above in bold) that states Firefox operates in the same way.

I only use Safari.

 

In fact, I really try to use only Apple HW and SW. This includes Maps, Mail, iPhoto, iCal, Pages, Numbers. They may not be the most powerful, but they're so integrated. It just makes my work much easier! :)

 

I avoid all Google, Adobe, and especially, MS HW and SW.

 

Of course, I do have other Apps on my iDevices and iMac, PDF Shrink, PDFPen, Snap&Drag, 1Password, DropBox, Jumpcut, and SmartReporter.  

post #16 of 79
I guess it's nice to be able to view your passwords if you need to, for whatever reason. But at a bare minimum that "feature" needs to be password protected. Pretty bad oversight by Google imo.
post #17 of 79
Originally Posted by AppleInsider View Post

"boundaries within the OS user account [to protect passwords even when a user is logged in] just aren't reliable, and are mostly just theater."

 

Much of computer security is "mostly just theater" anyway.  And the show must go on.

Just put up some UI for the user's system password before you display web passwords.

Too busy to do even that much?  Or is there some kind of ideological roadblock?

Sent from my iPhone Simulator

post #18 of 79
Quote:
Originally Posted by Disturbia View Post

As I said many many times, Google has no culture, no products (except search), no respect for people's privacy and no talent.

Even though they keep buying companies to get some smart developers, no matter how talented they are, as soon as they join Google, they become mother of all dumbs!

On another note, Google hasn't started sending requests to various sites to lower down their tunes on this yet another Google security messed up? They always do that, you know.

 

(no culture, no products, no respect for privacy, no talent, mother of all dumbs) = failed company.  Glad I didn't have GOOG.

(great culture, great products, great respect for privacy, great talent, mother of all talents) = successful company.  Bought AAPL.

 

But wait, GOOG is up 26% YTD and AAPL is down 12% YTD?

post #19 of 79
Quote:
Originally Posted by iaeen View Post


That's what I thought, and it's also why I never use these features.

 

Great comment.  I never use password store feature either.  What's our brain for?

post #20 of 79
Quote:
Originally Posted by Dickprinter View Post



I hope you didn't miss the paragraph in the article (above in bold) that states Firefox operates in the same way.

Except that Firefox allows you to set a master password, which Google's security theater chief said is useless (hint, it is not).

But as reported elsewhere, there is an even worse aspect of that that AI did not speak of:

- If you have a Google+ account and you log in to one of Google's services like Gmail with Chrome, it seems that all your passwords for Google services will be saved on that computer.

The first point is a security flaw but not a huge one, the latter is simply not acceptable if true. I refuse Google+ so cannot test myself.
post #21 of 79
Quote:
Originally Posted by ipen View Post

 

Great comment.  I never use password store feature either.  What's our brain for?

 

The problem is the flood of passwords to really do anything online anymore.  Using the same ones over and over is a terrible idea.

post #22 of 79
Quote:
Originally Posted by EricTheHalfBee View Post

Remember the lock screen bypass for the iPhone where you get limited access if you're quick enough to perform the right sequence? People said it's no big deal since it requires the other person to have physical access to your device.

Gee, kinda sounds familiar, doesn't it? Now what will the apologists say to this issue when they slammed the "physical device access " that was required for the iPhone security flaw?

Big difference.  Here they have access to all of your passwords on your computer. The iPhone flaw was quickly fixed as well.  Google doesn't seem to think this is a problem.  That is a problem in and of itself.

post #23 of 79
So... let me get this straight... they compare someone... maybe a roommate... or a coworker... etc... with a couple minutes and the tech savvy of going to the control panel for a looksie to someone who is going to "dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software."

That's like not locking your door because someone could throw a brick through the window if they really wanted in.
post #24 of 79

Do you suppose folks at Google routinely keep a Post-It stuck to their monitors labeled "Secret - Please Don't peek" that has all of their passwords written on the back?

Why would you want to tempt anyone around you that may be a bit ethically challenged?

I doubt they leave their wallet on their desk either. 

post #25 of 79

I suppose no one remembers the Safari auto form fill exploit that could steal your entire address book in seconds. That was back in July 2010.

 

I'm sure Google will fix this flaw next update.

 

That is what security researchers do. They find flaws and then they get fixed.

Life is too short to drink bad coffee.

post #26 of 79
Oh no! I hope my wife doesn't find the password for our joint checking account!

More click bait for the frothing google haters.
post #27 of 79
To paraphrase Creepy Eric: if you don't want your passwords viewable, just move to another browser.
post #28 of 79
Quote:
Originally Posted by Disturbia View Post

As I said many many times, Google has no culture, no products (except search), no respect for people's privacy and no talent.

Even though they keep buying companies to get some smart developers, no matter how talented they are, as soon as they join Google, they become mother of all dumbs!

On another note, Google hasn't started sending requests to various sites to lower down their tunes on this yet another Google security messed up? They always do that, you know.

I probably speak for many when I say:

"Huh?"
post #29 of 79
Quote:
Originally Posted by mstone View Post

I suppose no one remembers the Safari auto form fill exploit that could steal your entire address book in seconds. That was back in July 2010.

 

I'm sure Google will fix this flaw next update.

 

That is what security researchers do. They find flaws and then they get fixed.

Except they said it's not a flaw and why bother.

post #30 of 79
Quote:
Originally Posted by EricTheHalfBee View Post

Remember the lock screen bypass for the iPhone where you get limited access if you're quick enough to perform the right sequence? People said it's no big deal since it requires the other person to have physical access to your device.

Gee, kinda sounds familiar, doesn't it? Now what will the apologists say to this issue when they slammed the "physical device access " that was required for the iPhone security flaw?

Hardly the same situation as the access to the iPhone was limited, the sequence cumbersome, and passwords to other sites blocked anyway. Plus Apple fixed it.
post #31 of 79
Quote:
Originally Posted by jungmark View Post

To paraphrase Creepy Eric: if you don't want your passwords viewable, just move to another browser.

Indeed. "If you've got something to hide, maybe you shouldn't be doing it in the first place"
"See her this weekend. You hit it off, come Turkey Day, maybe you can stuff her."
- Roger Sterling
post #32 of 79
Quote:
Originally Posted by patrickwalker View Post

The problem is the flood of passwords to really do anything online anymore.  Using the same ones over and over is a terrible idea.

Yes, but one should use a dedicated app from a well known company that is in the business of selling secure products, not some built in afterthought feature intended to add convenience for people who don't know any better.
Quote:
Originally Posted by genovelle View Post

Big difference.  Here they have access to all of your passwords on your computer. The iPhone flaw was quickly fixed as well.  Google doesn't seem to think this is a problem.  That is a problem in and of itself.

This. I didn't really think it was that big of a deal until I read Google's response. The guy deserves to be flogged for releasing such an asinine comment as Google's official response.
post #33 of 79
Quote:
Originally Posted by SockRolid View Post

 

Much of computer security is "mostly just theater" anyway.  And the show must go on.

Just put up some UI for the user's system password before you display web passwords.

Too busy to do even that much?  Or is there some kind of ideological roadblock?

 

The ideological roadblock is there because YOU are not Google's customer... You are its product. Never lose sight of this distinction.

post #34 of 79
Quote:
Originally Posted by PhilBoogie View Post


Indeed. "If you've got something to hide, maybe you shouldn't be doing it in the first place"

What? Like accessing your banking information from your computer? Get a brain! 

post #35 of 79
Quote:
Originally Posted by Macky the Macky View Post

What? Like accessing your banking information from your computer? Get a brain! 

Um he was quoting creepy Eric as well.
post #36 of 79

Edited by GTR - 8/7/13 at 2:06pm
If you're going to be original, then you can count on being copied.
post #37 of 79
Quote:
Originally Posted by Macky the Macky View Post

Quote:
Originally Posted by PhilBoogie View Post

Indeed. "If you've got something to hide, maybe you shouldn't be doing it in the first place"
What? Like accessing your banking information from your computer? Get a brain! 

Me, or Eric?

[edit] pipped by jungmark
"See her this weekend. You hit it off, come Turkey Day, maybe you can stuff her."
- Roger Sterling
post #38 of 79
Quote:
Originally Posted by EricTheHalfBee View Post

Remember the lock screen bypass for the iPhone where you get limited access if you're quick enough to perform the right sequence? People said it's no big deal since it requires the other person to have physical access to your device.

Gee, kinda sounds familiar, doesn't it? Now what will the apologists say to this issue when they slammed the "physical device access " that was required for the iPhone security flaw?

 

In many cases, physical access means "game over" as far as security is concerned. 

 

Quote:
Originally Posted by Damn_Its_Hot View Post

 

So Google's attitude is since there are already issues with security, why bother with having (i.e., fixing) security on parts of the system where they can throw up a barrier. Seems to me they are saying "Well they got hold of the computer so we might as well give them access to everything else this person has access to."

 

Do no evil. Yeah...

 

Did Google screw up? Sure, no question about that. But I wonder what the real answer is. Safari does present a password dialog when you ask it to show passwords, but I would wager that people's Admin passwords are no more secure than whatever they're typing into a form on some website. It's made to be easy because people have so many passwords that they forget which account is for which site. "Normal" people (e.g., my parents) don't use things like 1Password or understand why they need it.

 

This isn't surprising, but I'm not sure how we move towards a situation where we're all using secure passwords. The idea of a Master Password isn't too bad, but you're (obviously) screwed if it gets out.

post #39 of 79
Quote:
Originally Posted by Damn_Its_Hot View Post

 

So Google's attitude is since there are already issues with security, why bother with having (i.e., fixing) security on parts of the system where they can throw up a barrier. Seems to me they are saying "Well they got hold of the computer so we might as well give them access to everything else this person has access to."

 

Do no evil. Yeah...

 

I think in their view, Safari's method of prompting for the login password isn't really more secure because if an attacker gets your account credentials, it doesn't make much difference if he has to enter them once or twice. Safari would be more secure if it instead required a separate password distinct from the user's login password. But that extra security comes with a trade-off in usability. 

post #40 of 79
Getting old now, but..

"I once set my password to 'penis', but it was too short."
"See her this weekend. You hit it off, come Turkey Day, maybe you can stuff her."
- Roger Sterling