Anyone who has access to a user's device and is already past the operating system's account password can directly view all of the passwords stored for email, social media, and other sites simply by navigating to Chrome's settings panel. The "flaw" in Chrome's structure was pointed out by software developer Elliott Kember, who discovered it when importing his bookmarks from Apple's Safari browser.
The Chrome settings panel, Kember discovered, has a Saved passwords section that displays the site name, the user name, and the password for any site where a user has saved that information. Passwords are initially hidden, but simply selecting a site's row makes a button appear that reveals the password for that site. Chrome requires no additional password entry to show site passwords.
Mozilla's Firefox browser operates in the same fashion, giving the user a dialog box that asks "Are you sure you want to show your passwords?" without asking for further verification.
Apple's Safari browser pops up a dialog requiring that a user enter the password for the currently logged-in ID on that computer. Without that password, Safari will not show the others.
Kember says the issue represents a flaw in Chrome's password storage, and thus in the browser's security:
Google isn't clear about its password security.
In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market - the users. The overwhelming majority. They don't know it works like this. They don't expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay.
Responding to the controversy, the tech lead for Chrome's browser security team said that they had found that "boundaries within the OS user account [to protect passwords even when a user is logged in] just aren't reliable, and are mostly just theater."
Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.
We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get.
The "vulnerability" does require that a snooping user already be logged into another user's account on a machine. The Chrome team is aware of the password exposure and, despite the controversy, likely will not change that aspect of security.