Chrome's Browser Password Storage Policy Under Fire
Google seems to be drawing criticism from several security commentators and tech media observers for what is supposedly a flaw in its Chrome browser. The flaw supposedly allows anyone with access to a user’s computer to see all of the user’s passwords. Provided that an individual has access to a user’s device and is already past the operating system’s account password, that individual can directly view all of the passwords stored for email, social media, and other sites simply by navigating to Chrome’s settings panel.
This specific flaw in the browser’s design was pointed out by software developer Elliot Kember, who discovered it while importing his bookmarks from Apple’s Safari browser. The Chrome settings panel has a Saved passwords section that displays the site name, the username and the password for any site where a user has saved that information. Passwords are initially hidden, but simply selecting the site’s row makes a button appear that shows the password for that site. Chrome requires no additional password entry to show site passwords either. To be quite fair here, Mozilla’s Firefox browser operates in the same way, giving the user a dialog box that asks “Are you sure you want to show your passwords?” without asking for further verification.
On the other hand, Apple’s Safari browser pops up a dialog requiring that a user enter the password for the ID currently logged in on that computer. Without this password, Safari won’t show the stored passwords to others. According to Kember, the issue represents a flaw in Chrome’s password storage and therefore in the browser’s security. In response to the controversy, the tech lead for Chrome’s browser security team said that they found the “boundaries within the OS user account [to protect passwords even when a user is logged in] just aren’t reliable, and are mostly just theater.” The “vulnerability” does require that a snooping user already be logged into another user’s account on a machine. The Chrome team is aware of this behaviour and, despite the controversy, will not change this specific aspect of its security design.
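The disagreement above is really about two kinds of "show password" gate: a confirmation dialog that anyone already inside the OS session can click through (the Firefox behaviour described, and what the Chrome lead calls theater), and a check that cannot succeed without the account password itself (the Safari behaviour described). The following added example, which is not code from Chrome, Firefox or Safari, models both policies over a constructed set of saved entries. In the second policy the entries are encrypted under a key derived from the account password with PBKDF2, so a wrong password is refused by the integrity check rather than by a dialog. The class and function names, the sample entries and the iteration count are assumptions for the illustration, and the HMAC-based toy cipher stands in for a real authenticated cipher.

```python
"""Added illustration (not Chrome's, Firefox's or Safari's code): two ways a
password manager can gate its "show password" action. Standard library only;
the HMAC-based toy cipher is for illustration, not a production construction."""
import hashlib
import hmac
import secrets

# Constructed sample vault for the demo: site -> (username, password)
SAMPLE_ENTRIES = {
    "mail.example": ("alice", "correct horse battery staple"),
    "social.example": ("alice.k", "hunter2"),
}


class ConfirmOnlyVault:
    """Policy 1: entries are held in the clear; 'show' only asks for a click."""

    def __init__(self, entries):
        self._entries = dict(entries)

    def reveal(self, site, confirmed):
        # Anyone already inside the OS session can satisfy this check, so it
        # adds no protection beyond the account login itself.
        if not confirmed:
            raise PermissionError("user declined the confirmation dialog")
        return self._entries[site]


def _keystream(key, nonce, length):
    """Toy CTR-style keystream from HMAC-SHA256 (illustration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


class PasswordBoundVault:
    """Policy 2: entries are encrypted under a key derived from the account
    password, so 'show' cannot succeed without presenting that password."""

    ITERATIONS = 200_000  # PBKDF2 work factor; assumed value for the demo

    def __init__(self, account_password, entries):
        self._salt = secrets.token_bytes(16)
        key = self._derive(account_password)
        self._blobs = {}
        for site, (user, pw) in entries.items():
            nonce = secrets.token_bytes(16)
            plaintext = f"{user}\x00{pw}".encode()
            stream = _keystream(key, nonce, len(plaintext))
            ct = bytes(a ^ b for a, b in zip(plaintext, stream))
            tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
            self._blobs[site] = (nonce, ct, tag)

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, self.ITERATIONS)

    def reveal(self, site, account_password):
        key = self._derive(account_password)
        nonce, ct, tag = self._blobs[site]
        expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        # A wrong password yields a wrong key, so the tag check fails and
        # nothing is decrypted; no dialog is involved in that decision.
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("account password incorrect")
        plaintext = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
        user, pw = plaintext.decode().split("\x00", 1)
        return user, pw


def demo():
    """Exercise both policies on the constructed entries; returns the outcomes."""
    ui_only = ConfirmOnlyVault(SAMPLE_ENTRIES)
    bound = PasswordBoundVault("login-pw-123", SAMPLE_ENTRIES)
    results = {
        "confirm_only": ui_only.reveal("mail.example", confirmed=True),
        "bound_right_pw": bound.reveal("mail.example", "login-pw-123"),
    }
    try:
        bound.reveal("mail.example", "guess")
        results["bound_wrong_pw"] = "revealed"
    except PermissionError:
        results["bound_wrong_pw"] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The second policy protects the store at rest against someone who has the files but not the account password. It does not settle the argument in the article: a browser that autofills credentials during a session must hold the derived key (or the decrypted entries) in memory while the user is logged in, so a person who is already inside that session is still within the boundary the Chrome lead described. The gate mainly raises the cost of a casual shoulder-surf through the settings panel, which is the scenario Kember reported.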
Source: Elliot Kember