Google under fire for Chrome browser's password storage policy
Google is drawing criticism from security commentators and tech media observers for what is being called a flaw in its Chrome browser that allows anyone with access to a user's computer to see all of that user's passwords.
Provided an individual has access to a user's device and is already past the operating system's account password, one can directly view all of the passwords stored for email, social media, and other sites simply by navigating to Chrome's settings panel. The "flaw" in Chrome's structure was pointed out by software developer Elliott Kember, who discovered it when importing his bookmarks from Apple's Safari browser.
The Chrome settings panel, Kember discovered, has a Saved passwords section that displays the site name, the user name, and the password for any site where a user has saved that information. Passwords are initially hidden, but by simply selecting the site's row, a user can make a button appear to show the password for a site. Chrome requires no additional password entry to show site passwords.
Mozilla's Firefox browser operates in the same fashion, giving the user a dialog box that asks "Are you sure you want to show your passwords?" without asking for further verification.
Apple's Safari browser pops up a dialog requiring that a user enter the password for the currently logged in ID on that computer. Without entering that password, Safari will not show the others.
Kember says the issue represents a flaw in Chrome's password storage, and thus in the browser's security:
Google isn't clear about its password security.

In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market - the users. The overwhelming majority. They don't know it works like this. They don't expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay.

Responding to the controversy, the tech lead for Chrome's browser security team said that they had found that "boundaries within the OS user account [to protect passwords even when a user is logged in] just aren't reliable, and are mostly just theater."

The "vulnerability" does require that a snooping user already be logged into another user's account on a machine. The Chrome team is aware of the password opening, and despite the controversy likely will not adjust that aspect of security.

The Chrome browser security team's tech lead wrote:

Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.

We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get.
Comments
I'm glad I use only Safari and Firefox.
If it were Apple, this would be on CNN, Fox, and Jon Stewart.
Since this is Google, it's irrelevant. Fanboys and iHaters will simply call this a "feature" and hope everyone forgets about it in a week.
Quote:
Originally Posted by AppleInsider
Google is drawing criticism from security commentators and tech media observers for what is being called a flaw in its Chrome browser that allows anyone with access to a user's computer to see all of that user's passwords.
Mozilla's Firefox browser operates in the same fashion, giving the user a dialog box that asks "Are you sure you want to show your passwords?" without asking for further verification.
Apple's Safari browser pops up a dialog requiring that a user enter the password for the currently logged in ID on that computer.
Quote:
Originally Posted by drblank
That doesn't sound good. The more I read, the more Google should have stayed out of the smartphone, tablet, computer and browser market.
I'm glad I use only Safari and Firefox.
I hope you didn't miss the paragraph in the article (above in bold) that states Firefox operates in the same way.
Even though they keep buying companies to get some smart developers, no matter how talented they are, as soon as they join Google, they become mother of all dumbs!
On another note, Google hasn't started sending requests to various sites to lower down their tunes on this yet another Google security mess-up? They always do that, you know.
Gee, kinda sounds familiar, doesn't it? Now what will the apologists say to this issue when they slammed the "physical device access" that was required for the iPhone security flaw?
Therefore I use Roboform. Have been for 10 years or more and use it daily.
Quote:
Originally Posted by Disturbia
Even though they keep buying companies to get some smart developers, no matter how talented they are, as soon as they join Google, they become mother of all dumbs!
Sounds like what friends said about RIM.
This is nothing anyways. Chrome is still in beta almost half a decade after launch?
Quote:
Originally Posted by AppleInsider
...Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants…
So Google's attitude is, since there are already issues with security, why bother with having (i.e., fixing) security on parts of the system where they can throw up a barrier. Seems to me they are saying "Well, they got hold of the computer so we might as well give them access to everything else this person has access to."
Do no evil. Yeah...
Clear your cookies regularly. Browsing history is nowhere near as sensitive as passwords (and should also be cleared regularly). A person cannot install software (on OS X) without the account password. Game Not Lost!
Just for clarification: this is for the built in password manager right, or is Chrome saving passwords without permission?
As other posters here have commented under similar circumstances, it requires physical access to your computer (or smartphone or tablet as the argument would be) and so they proclaim it's not that big a deal.
In my opinion it's still not acceptable no matter if a malicious person needs your device in front of him or not. It's even an easy enough fix if Google chooses to do so, which I hope they do.
Chrome doesn't save them without permission. It applies to the ones the user has asked Chrome to remember.
The information accessed under the iOS glitch was nowhere near as sensitive as passwords.
Also, when it was discovered Apple didn't make lame excuses, they fixed it.
That's what I thought, and it's also why I never use these features.
Quote:
Originally Posted by Dickprinter
I hope you didn't miss the paragraph in the article (above in bold) that states Firefox operates in the same way.
I only use Safari.
In fact, I really try to use only Apple HW and SW. This includes Maps, Mail, iPhoto, iCal, Pages, Numbers. They may not be the most powerful, but they're so integrated. It just makes my work much easier!
I avoid all Google, Adobe, and especially, MS HW and SW.
Of course, I do have other Apps on my iDevices and iMac, PDF Shrink, PDFPen, Snap&Drag, 1Password, DropBox, Jumpcut, and SmartReporter.
Quote:
Originally Posted by AppleInsider
"boundaries within the OS user account [to protect passwords even when a user is logged in] just aren't reliable, and are mostly just theater."
Much of computer security is "mostly just theater" anyway. And the show must go on.
Just put up some UI for the user's system password before you display web passwords.
Too busy to do even that much? Or is there some kind of ideological roadblock?
Quote:
Originally Posted by Disturbia
As I said many many times, Google has no culture, no products (except search), no respect for people's privacy and no talent.
Even though they keep buying companies to get some smart developers, no matter how talented they are, as soon as they join Google, they become mother of all dumbs!
On another note, Google hasn't started sending requests to various sites to lower down their tunes on this yet another Google security mess-up? They always do that, you know.
(no culture, no products, no respect for privacy, no talent, mother of all dumbs) = failed company. Glad I didn't have GOOG.
(great culture, great products, great respect for privacy, great talent, mother of all talents) = successful company. Bought AAPL.
But wait, GOOG is up 26% YTD and AAPL is down 12% YTD?
Quote:
Originally Posted by iaeen
That's what I thought, and it's also why I never use these features.
Great comment. I never use password store feature either. What's our brain for?
Except that Firefox allows you to set a master password, which Google's security theater chief said is useless (hint, it is not).
But as reported elsewhere, there is an even worse aspect of that that AI did not speak of:
- If you have a Google+ account and you log in to one of Google's services like Gmail with Chrome, it seems that all your passwords for Google services will be saved on that computer.
The first point is a security flaw but not a huge one; the latter is simply not acceptable if true. I refuse Google+ so cannot test myself.
Quote:
Originally Posted by ipen
Great comment. I never use password store feature either. What's our brain for?
The problem is the flood of passwords to really do anything online anymore. Using the same ones over and over is a terrible idea.