Google under fire for Chrome browser's password storage policy

Posted in General Discussion, edited January 2014
Google is drawing criticism from security commentators and tech media observers for what is being called a flaw in its Chrome browser: anyone with access to a user's logged-in computer can see every password that user has saved in the browser.



Provided an individual has access to a user's device and is already past the operating system's account password, that person can view every password Chrome has stored for email, social media, and other sites simply by opening Chrome's settings panel. The "flaw" was pointed out by software developer Elliott Kember, who noticed it while importing his bookmarks from Apple's Safari browser.

The Chrome settings panel, Kember found, has a Saved passwords section listing the site, the user name, and the password for every site where the user has chosen to save credentials. Passwords are masked by default, but selecting a site's row reveals a button that displays that password in plain text. Chrome asks for no additional password or other verification before showing it.

Mozilla's Firefox browser behaves the same way by default: its Saved Passwords dialog asks "Are you sure you want to show your passwords?" and, unless the user has set a master password, requires no further verification.

Apple's Safari browser pops up a dialog requiring that a user enter the password for the currently logged in ID on that computer. Without entering that password, Safari will not show the others.

Kember says the issue represents a flaw in Chrome's password storage, and thus in the browser's security:
Google isn't clear about its password security.

In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market - the users. The overwhelming majority. They don't know it works like this. They don't expect it to be this easy to see their passwords. Every day, millions of normal, everyday users are saving their passwords in Chrome. This is not okay.
Responding to the controversy, the tech lead for Chrome's browser security team said that they had found that "boundaries within the OS user account [to protect passwords even when a user is logged in] just aren't reliable, and are mostly just theater."
Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install a malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.

We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get.
The "vulnerability" does require that the snooping party already be logged into the victim's account on the machine, which is exactly the boundary the Chrome team says is the one that matters. The Chrome team is aware of the behavior and, despite the controversy, is unlikely to change it.
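The disagreement in this story (a confirmation prompt, a master password, or the Chrome team's position that the OS user account is the only boundary that actually holds) is easier to reason about with a concrete model. What follows is an added example written for this page, not code from Chrome, Firefox, Kember or the article: a toy password store in two variants. The first keeps entries in a plaintext file and gates the reveal only with a confirmation prompt, as the article describes Chrome doing. The second encrypts the file under a key derived from a master password, as Firefox can. The file names, the sample sites and credentials, and the master password are all constructed for the demo, and the cipher (PBKDF2-HMAC-SHA256 key derivation, HMAC-SHA256 in counter mode as the keystream, a separate HMAC tag over the ciphertext) is a demonstration construction chosen so the example runs on the Python standard library alone; it is not the storage format of either browser.

```python
# Added example, not code from the article or from either browser: a toy
# password store in the two designs the thread contrasts, on stdlib only.
import hashlib, hmac, json, os, secrets, tempfile

# Constructed sample data: hypothetical sites and credentials, not real accounts.
SAMPLE_ENTRIES = {
    "https://mail.example.com": ["alice", "correct horse battery staple"],
    "https://social.example.net": ["alice99", "hunter2"],
}
KDF_ITERS = 100_000  # demo value


# ---- design 1: plaintext store; the reveal is gated only by a confirmation ----
def write_plain_store(path, entries):
    with open(path, "w") as f:
        json.dump(entries, f)

def reveal_via_ui(path, site, user_confirmed):
    """The settings-panel path: the confirmation dialog is the only gate."""
    if not user_confirmed:
        return None
    with open(path) as f:
        return json.load(f)[site][1]

def read_plain_store_directly(path):
    """What any process running as the same OS user can do: skip the dialog."""
    with open(path) as f:
        return {site: pw for site, (_, pw) in json.load(f).items()}


# ---- design 2: store encrypted under a key derived from a master password ----
def _derive_keys(master, salt):
    """64 bytes from PBKDF2-HMAC-SHA256: first half encrypts, second authenticates."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, KDF_ITERS, dklen=64)
    return raw[:32], raw[32:]

def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode used as a PRF keystream (demo construction)."""
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def _seal(enc_key, mac_key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def _open(enc_key, mac_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong master password or tampered store")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def write_master_store(path, entries, master):
    salt = secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(master, salt)
    with open(path, "wb") as f:
        f.write(salt + _seal(enc_key, mac_key, json.dumps(entries).encode()))

def read_master_store_directly(path):
    """File read by a same-user process that lacks the master password: opaque bytes."""
    with open(path, "rb") as f:
        return f.read()

class UnlockedVault:
    """A vault the user unlocked for the session: key material and plaintext
    entries now live in the process, where same-user code can reach them."""
    def __init__(self, path, master):
        data = read_master_store_directly(path)
        enc_key, mac_key = _derive_keys(master, data[:16])
        self.entries = json.loads(_open(enc_key, mac_key, data[16:]))

    def dump(self):
        return {site: pw for site, (_, pw) in self.entries.items()}


def demo():
    """Exercise both designs the way someone with the user's live session would."""
    with tempfile.TemporaryDirectory() as d:
        plain = os.path.join(d, "plain_store.json")    # hypothetical file names
        sealed = os.path.join(d, "master_store.bin")
        write_plain_store(plain, SAMPLE_ENTRIES)
        write_master_store(sealed, SAMPLE_ENTRIES, master="s3cret-master")
        r = {
            "ui_gate_declined": reveal_via_ui(plain, "https://mail.example.com", False),
            "ui_gate_confirmed": reveal_via_ui(plain, "https://mail.example.com", True),
            "plain_file_dump": read_plain_store_directly(plain),
            "sealed_file_leaks_plaintext": b"hunter2" in read_master_store_directly(sealed),
        }
        try:
            UnlockedVault(sealed, "wrong-guess")
            r["wrong_master_opens"] = True
        except ValueError:
            r["wrong_master_opens"] = False
        r["unlocked_session_dump"] = UnlockedVault(sealed, "s3cret-master").dump()
        return r

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the three things the argument turns on. Declining the confirmation prompt protects nothing, because a process running as the same user reads the plaintext file directly and never sees the dialog. The master-password file gives a same-user file read only opaque bytes and rejects a wrong master password, so it does defend a copied or stolen profile. But once the vault has been unlocked for the session, same-user code that can reach the process state gets every entry regardless, which is the sense in which the Chrome team calls the OS user account the real boundary; a master password raises the bar against offline theft of the store, not against an attacker sitting at a logged-in, unlocked session.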

Comments

  • Reply 1 of 79
    drblank  Posts: 3,383  member
    That doesn't sound good. The more I read, the more Google should have stayed out of the smartphone, tablet, computer and browser market.

    I'm glad I use only Safari and Firefox.
  • Reply 2 of 79
    sflocal  Posts: 4,095  member


    If it were Apple, this would be on CNN, Fox, and Jon Stewart.



    Since this is Google, it's irrelevant.  Fanboys and iHaters will simply call this a "feature" and hope everyone forgets about it in a week.

  • Reply 3 of 79
    dickprinter  Posts: 1,060  member

    Quote: Originally Posted by AppleInsider
    Google is drawing criticism from security commentators and tech media observers for what is being called a flaw in its Chrome browser that allows anyone with access to a user's computer to see all of that user's passwords.
    Mozilla's Firefox browser operates in the same fashion, giving the user a dialog box that asks "Are you sure you want to show your passwords?" without asking for further verification.
    Apple's Safari browser pops up a dialog requiring that a user enter the password for the currently logged in ID on that computer.

    Quote: Originally Posted by drblank
    That doesn't sound good. The more I read, the more Google should have stayed out of the smartphone, tablet, computer and browser market.
    I'm glad I use only Safari and Firefox.

    I hope you didn't miss the paragraph in the article (above in bold) that states Firefox operates in the same way.

  • Reply 4 of 79
    As I said many many times, Google has no culture, no products (except search), no respect for people's privacy and no talent.

    Even though they keep buying companies to get some smart developers, no matter how talented they are, as soon as they join Google, they become mother of all dumbs!

    On another note, hasn't Google started sending requests to various sites to lower their tune on yet another Google security mess-up? They always do that, you know.
  • Reply 5 of 79
    Remember the lock screen bypass for the iPhone where you get limited access if you're quick enough to perform the right sequence? People said it's no big deal since it requires the other person to have physical access to your device.

    Gee, kinda sounds familiar, doesn't it? Now what will the apologists say to this issue when they slammed the "physical device access " that was required for the iPhone security flaw?
  • Reply 6 of 79
    icoco3  Posts: 1,428  member


    Therefore I use Roboform.  Have been for 10 years or more and use it daily.

     

  • Reply 7 of 79
    Quote: Originally Posted by Disturbia
    Even though they keep buying companies to get some smart developers, no matter how talented they are, as soon as they join Google, they become mother of all dumbs!

    Sounds like what friends said about RIM.

    This is nothing anyways.  Chrome is still in beta almost half a decade after launch?

  • Reply 8 of 79
    damn_its_hot  Posts: 1,173  member

    Quote: Originally Posted by AppleInsider
    ...Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.

    So Google's attitude is since there are already issues with security, why bother with having (i.e., fixing) security on parts of the system where they can throw up a barrier. Seems to me they are saying "Well they got hold of the computer so we might as well give them access to everything else this person has access to."

    Do no evil. Yeah...

  • Reply 9 of 79
    iaeen  Posts: 588  member
    Quote: Originally Posted by AppleInsider
    Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.

    Clear your cookies regularly. Browsing history is nowhere near as sensitive as passwords (and should also be cleared regularly). A person cannot install software (on OS X) without the account password. Game Not Lost!

    Just for clarification: this is for the built in password manager right, or is Chrome saving passwords without permission?
  • Reply 10 of 79
    gatorguy  Posts: 18,603  member
    damn_its_hot wrote: »
    So Google's attitude is since there are already issues with security, why bother with having (i.e., fixing) security on parts of the system where they can throw up a barrier. Seems to me they are saying "Well they got hold of the computer so we might as well give them access to everything else this person has access to."

    Do no evil. Yeah...

    As other posters here have commented under similar circumstances, it requires physical access to your computer (or smartphone or tablet as the argument would be) and so they proclaim it's not that big a deal.

    In my opinion it's still not acceptable no matter if a malicious person needs your device in front of him or not. It's even an easy enough fix if Google chooses to do so, which I hope they do.
  • Reply 11 of 79
    gatorguy  Posts: 18,603  member
    iaeen wrote: »
    Clear your cookies regularly. Browsing history is nowhere near as sensitive as passwords (and should also be cleared regularly). A person cannot install software (on OS X) without the account password. Game Not Lost!

    Just for clarification: this is for the built in password manager right, or is Chrome saving passwords without permission?

    Chrome doesn't save them without permission. It applies to the ones the user has asked Chrome to remember.
  • Reply 12 of 79
    iaeen  Posts: 588  member
    Remember the lock screen bypass for the iPhone where you get limited access if you're quick enough to perform the right sequence? People said it's no big deal since it requires the other person to have physical access to your device.

    Gee, kinda sounds familiar, doesn't it? Now what will the apologists say to this issue when they slammed the "physical device access " that was required for the iPhone security flaw?

    The information accessed under the iOS glitch was nowhere near as sensitive as passwords.

    Also, when it was discovered Apple didn't make lame excuses, they fixed it.
  • Reply 13 of 79
    iaeen  Posts: 588  member
    gatorguy wrote: »
    Chrome doesn't save them without permission. It applies to the ones the user has asked Chrome to remember.

    That's what I thought, and it's also why I never use these features.
  • Reply 14 of 79
    Quote: Originally Posted by Dickprinter
    I hope you didn't miss the paragraph in the article (above in bold) that states Firefox operates in the same way.

    I only use Safari.

    In fact, I really try to use only Apple HW and SW. This includes Maps, Mail, iPhoto, iCal, Pages, Numbers. They may not be the most powerful, but they're so integrated. It just makes my work much easier! :)

    I avoid all Google, Adobe, and especially, MS HW and SW.

    Of course, I do have other Apps on my iDevices and iMac, PDF Shrink, PDFPen, Snap&Drag, 1Password, DropBox, Jumpcut, and SmartReporter.

  • Reply 15 of 79
    I guess it's nice to be able to view your passwords if you need to, for whatever reason. But at a bare minimum that "feature" needs to be password protected. Pretty bad oversight by Google imo.
  • Reply 16 of 79
    sockrolid  Posts: 2,788  member
    Quote: Originally Posted by AppleInsider
    "boundaries within the OS user account [to protect passwords even when a user is logged in] just aren't reliable, and are mostly just theater."

    Much of computer security is "mostly just theater" anyway.  And the show must go on.

    Just put up some UI for the user's system password before you display web passwords.

    Too busy to do even that much?  Or is there some kind of ideological roadblock?

  • Reply 17 of 79
    ipen  Posts: 410  member
    Quote: Originally Posted by Disturbia
    As I said many many times, Google has no culture, no products (except search), no respect for people's privacy and no talent.
    Even though they keep buying companies to get some smart developers, no matter how talented they are, as soon as they join Google, they become mother of all dumbs!
    On another note, Google hasn't started sending requests to various sites to lower down their tunes on this yet another Google security messed up? They always do that, you know.

    (no culture, no products, no respect for privacy, no talent, mother of all dumbs) = failed company.  Glad I didn't have GOOG.

    (great culture, great products, great respect for privacy, great talent, mother of all talents) = successful company.  Bought AAPL.

    But wait, GOOG is up 26% YTD and AAPL is down 12% YTD?

  • Reply 18 of 79
    ipen  Posts: 410  member
    Quote: Originally Posted by iaeen
    That's what I thought, and it's also why I never use these features.

    Great comment.  I never use the password store feature either.  What's our brain for?

  • Reply 19 of 79


    Dickprinter wrote: »
    I hope you didn't miss the paragraph in the article (above in bold) that states Firefox operates in the same way.

    Except that Firefox allows you to set a master password, which Google's security theater chief said is useless (hint: it is not).

    But as reported elsewhere, there is an even worse aspect of this that AI did not speak of:

    - If you have a Google+ account and you log in to one of Google's services like Gmail with Chrome, it seems that all your passwords for Google services will be saved on that computer.

    The first point is a security flaw but not a huge one; the latter is simply not acceptable if true. I refuse Google+ so cannot test it myself.
  • Reply 20 of 79

    Quote: Originally Posted by ipen
    Great comment.  I never use password store feature either.  What's our brain for?

    The problem is the flood of passwords to really do anything online anymore.  Using the same ones over and over is a terrible idea.
