  • Chrome's Browser Password Storage Policy Under Fire


    Google seems to be drawing criticism from several security commentators and tech media observers for what is supposedly a flaw in its Chrome browser. The flaw supposedly allows anyone with access to a user’s computer to see all of the user’s passwords. Provided that an individual has access to a user’s device and is already past the operating system’s account password, that individual can directly view all of the passwords stored for email, social media, and other sites by simply navigating to Chrome’s settings panel.

    This specific flaw in the browser’s structure was pointed out by software developer Elliot Kember, who discovered it when importing his bookmarks from Apple’s Safari browser. The Chrome settings panel has a Saved passwords section that displays the site name, the username and the password for any site where a user has saved the information. Passwords are initially hidden, but by simply selecting the site’s row, a user can make a button appear that shows the password for that site. Chrome requires no additional password entry to show site passwords either. To be quite fair here, Mozilla’s Firefox browser operates in the same way, giving the user a dialog box that asks “Are you sure you want to show your passwords?” without asking for further verification.

    On the other hand, Apple’s Safari browser pops up a dialog requiring that a user enter the password for the currently logged-in ID on that computer. Without this password, Safari won’t show the password to others. According to Kember, the issue represents a flaw in Chrome’s password storage and therefore in the browser’s security. In a response to the controversy, the tech lead for Chrome’s browser security team said that they found the “boundaries within the OS user account [to protect passwords even when a user is logged in] just aren’t reliable, and are mostly just theater.” The “vulnerability” does require that a snooping user already be logged into another user’s account on a machine. The Chrome team is aware of this password exposure and, despite the controversy, will not adjust this specific aspect of security.

    Source: Elliot Kember (blog)
    This article was originally published in forum thread: Chrome's Browser Password Storage Policy Under Fire, started by Akshay Masand.
    5 Comments
    1. EVO -
      As a network administrator, I find this vulnerability offensive!

      You should know better than that, Google!
    1. slim.jim -
      No device is secure if the user has access to the machine. Admin passwords can be changed easily with the command prompt or terminal.
    1. smith01 -
      If you already have access to the PC then it's not a vulnerability, as you already have full access, so who cares.
      I really like this newly found feature. I use multiple browsers so if I forget a password I now know where to look to see what it is.
    1. LrdBane -
      As they mentioned, Firefox does the same thing, and I always just lock my MacBook anyway and never liked Chrome 'cause you can't change the cache size. I know, a lame excuse, but I've seen so much drive activity from using Chrome I had to get rid of it.
    1. slim.jim -
      Originally posted by LrdBane:
      "As they mentioned, Firefox does the same thing, and I always just lock my MacBook anyway and never liked Chrome 'cause you can't change the cache size. I know, a lame excuse, but I've seen so much drive activity from using Chrome I had to get rid of it."
      I ditched Firefox because with a few pinned tabs (4) it was taking over a minute to load them before I could do anything. Chrome starts up in a few seconds with the same tabs pinned.