Google Chrome security flaw allows access to users’ passwords

A software developer has discovered a critical security flaw in the highly popular Google Chrome browser that could put the privacy of potentially millions of users at risk.

Chrome is among the most widely used browsers on the Web, but
security researchers are now warning that it’s far from safe.
Developer Elliot Kember from New Zealand discovered that anyone
with physical access to a computer running Chrome can see any
password stored in the browser without having to bypass a single
security barrier.

When Chrome users type in a password – say, when checking their
email or logging onto Twitter – the browser provides an option
where that keyphrase can be remembered for future use. That
master list of log-ins isn’t protected itself, however, meaning
anyone with access to someone else’s computer can quickly pull up
a list of plain-text passwords and essentially have unfettered
access to an array of accounts.

To try it yourself, navigate to chrome://settings/passwords in
Google’s browser and see if a password is needed to see what’s
stored (hint: it’s not).

On his blog, Kember says Chrome is employing an “insane
password security strategy.” Sir Tim Berners-Lee, the
inventor of the World Wide Web, tweeted that the exploit allows
anyone “to get all your big sister’s passwords.”

Of course, any security feature should be considered compromised
once a computer is physically handed off to someone else. Given
Google’s incessant touting of its seemingly secure browser,
though, Kember said he’d expect the company to offer something a
bit better.

“In a world where Google promotes its browser on YouTube, in
cinema pre-rolls, and on billboards, the clear audience is not
developers. It’s the mass market — the users. The overwhelming
majority. They don’t know it works like this. They don’t expect
it to be this easy to see their passwords. Every day,
millions of normal, everyday users are saving their passwords in
Chrome. This is not okay,” Kember says.

What’s more, though, is that one of Google’s developers has since
weighed in on the exploit and said there are no plans to roll out
a solution in the next Chrome release.

“We’ve also been repeatedly asked why we don’t just support a
master password or something similar, even if we don’t believe it
works,” Chrome’s Justin Schuh wrote on Hacker News. “We’ve
debated it over and over again, but the conclusion we always come
to is that we don’t want to provide users with a false sense of
security, and encourage risky behavior. We want to be very clear
that when you grant someone access to your OS user account, that
they can get at everything.”

Similar exploits have been discovered previously in competing
browsers like Mozilla’s Firefox and Microsoft’s Internet
Explorer, but developers with those companies made changes to
patch up problematic security holes. Given Google’s blatant
disregard for developing a solution, though, Berners-Lee called
the company’s handling of the issue “disappointing.”

Republished from: RT