Skip to main content

Chrome exposes user passwords in plain-text without additional verification

If you've enabled Google Chrome's 'Offer to save passwords I enter on the web' feature and have saved some or all of your passwords through it, you should remember to sign-out of your Google account in Chrome, especially if you use the browser on a shared computer.

Google's popular Web browser allows you to save your passwords and manage them through a menu in the browser's Settings page. When you click on 'Manage saved passwords' you get a list of your Saved passwords as well as a list of websites where you have instructed the browser to 'never save'. Interestingly, when you click on one of your saved passwords, Google gives you the option to see the password in plain text by clicking on the 'Show' button which is placed along with the listing. It doesn't ask for a confirmation or any additional verification by, say, prompting for your Google account's password.

 It's worth pointing out that this 'vulnerability' - or feature as Google calls it (see below) - has been present in Chrome since its early days.

Once signed in to your Google account on Chrome, the browser pulls all your bookmarks, browsing history and passwords. This means that if you forget to sign out while using Chrome on a shared computer, anyone will be able to access your saved passwords easily. Or someone sitting next to you while you are using the computer can distracting you momentarily. Someone accessing your computer remotely can also see these passwords, if you're not constantly supervising. The intruder can change the password and block access to your service accounts, as well.

Software designer Elliott Kember pointed out the security flaw through a blog post. Interestingly, a Chrome developer told Kember on a discussion thread on Hacker News that the security flaw is in fact a feature of the browser. He said that the main password boundary for the user was the OS user account and there were vulnerabilities that could be exploited if that is breached.
"The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theater.

Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.

We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get."

We'd recommend not to sign-in to Chrome while using a shared computer, but the best option would be to not save passwords through the browser's default passwords manager. Tools like 1Password and LastPass are better ways of storing passwords, and they need a master password before giving you access to your passwords, offering increased security.

Source - ET

Comments

Popular posts from this blog

Gujarati/Family relations

Gujarati/Family relations - Wikibooks, open books for an open world In Gujarati culture: These are the "titles" for family members. With the exception of Father, Mother, and Grandparents (who are called by the title only), all of these titles are added after the name of the person. Father: Papa or Bapuji Mother: Ba, Mummy or Maa Brother (also male cousins): Bhai (e.g. Haresh Bhai) Brother's Wife: Bhabhi (e.g. Komal Bhabhi) Sister (also female cousins): Ben (e.g. Mayuri Ben) Older Sister: Didi (e.g. Mayuri Didi) Sister's Husband: Banevi or Jijaji (e.g. mahesh Jijaji) Father's Younger Brother: Kaka (e.g. Rajesh Kaka) Father's Younger Brother's Wife: Kaki (e.g. Komal Kaki) Father's Older Brother: Kaka(e.g. Jiten Kaka) Father's Older Brother's Wife: Kaki (e.g. Bhavna Kaki) Father's Oldest Brother: Mota Kaka(e.g. Jiten Kaka) Father's Oldest Brother's Wife: Moti Kaki (e.g. Bhavna Kaki) Father's Sister: Foi,Fui (also ...

How to turn off Xiaomi "Don't cover the orange area" or "Don't cover the earphone area"

If you get the “Don’t cover the orange/earphone area of the screen” message when you turn on your phone’s screen all the time, it means that you’ve turned on the Prevent pocket dial feature and something is blocking the proximity sensor at the top part of your phone. Sometimes it's quite annoying and simple one-time solution is to press volume up & back button at a time to disable. Infact Prevent pocket dial is a good feature that prevents you from rejecting or picking up calls by accident when the phone is in your pocket by using the proximity sensor. If this feature isn’t working properly on your Xiaomi phone, the check whether anything is blocking area next to earphone where proximity sensor is placed. Mostly it caused by screen guard. You should remove it. If you still facing problem then here’s how to turn it off: 1. From your device’s Settings, tap Lock screen & password. 2. Slide the Prevent pocket dials switch to the off position. (Slider will be greye...

Disable Google Chrome extensions auto update

Disabling extension update: Edit preferences json-file for Google Chrome on Windows:  C:\Users\<USERNAME>\AppData\Local\Google\Chrome\User Data\Default\Preferences on Ubuntu for Chromium:  ${HOME}/.config/chromium/Default/Preferences In this file find the extension preferences block and set  "update_url"  property like  "http://localhost"  for example. For now according to given url updating of that extension is simply impossible. To locate that preferences block use extension id which you can find at  chrome://extensions/  page with "Developer mode" enabled. In simpler words, open "Preferences" file with wordpad and replace "update_url":"https://clients2.google.com/service/update2/crx" with   "update_url":"https://localhost" source:  https://productforums.google.com/d/msg/chrome/l3zOZeO-5-M/Y7VaR0KCWNIJ Disable all Google Chrome updates: 2.1. Any OS Just type  chrome://p...