08-07-2013, 09:55 PM #1
Chrome's Browser Password Storage Policy Under Fire
Google seems to be drawing criticism from several security commentators and tech media observers for what is supposedly a flaw in its Chrome browser. The flaw supposedly allows anyone with access to a user’s computer to see all of the user’s passwords. Provided that an individual has access to a user’s device and is already past the operating system’s account password, one can directly view all of the passwords stored for email, social media, and other sites by simply navigating to Chrome’s settings panel.
This specific flaw in the browser’s structure was pointed out by software developer Elliot Kember, who discovered it when importing his bookmarks from Apple’s Safari browser. The Chrome settings panel has a Saved passwords section that displays the site name, the username and the password for any site where a user has saved the information. Passwords are initially hidden, but by simply selecting the site’s row, a user can make a button appear to show the password for a site. Chrome requires no additional password entry to show site passwords either. To be quite fair here, Mozilla’s Firefox browser operates in the same way, giving the user a dialog box that asks “Are you sure you want to show your passwords?” without asking for further verification.
On the other hand, Apple’s Safari browser pops up a dialog requiring that a user enter the password for the currently logged in ID on that computer. Without this password, Safari won’t show the password to others. According to Kember, the issue represents a flaw in Chrome’s password storage and therefore in the browser’s security. In a response to the controversy, the tech lead for Chrome’s browser security team said that they found the “boundaries within the OS user account [to protect passwords even when a user is logged in] just aren’t reliable, and are mostly just theater.” The “vulnerability” does require that a snooping user already be logged into another user’s account on a machine. The Chrome team is aware of the password opening and despite the controversy will not adjust this specific aspect of security.
Source: Elliot Kember (blog)
08-07-2013, 11:09 PM #2
As a network administrator, I find this vulnerability offensive!
You should know better than that, Google!
08-07-2013, 11:17 PM #3
No device is secure if the user has access to the machine. Admin passwords can be changed easily with the command prompt or terminal.
Last edited by slim.jim; 08-07-2013 at 11:34 PM.
08-08-2013, 10:08 AM #4
If you already have access to the PC then it's not a vulnerability, as you already have full access, so who cares.
I really like this newly found feature. I use multiple browsers so if I forget a password I now know where to look to see what it is.
08-08-2013, 10:52 AM #5
As they mentioned, Firefox does the same thing, and I always just lock my MacBook anyway and never liked Chrome 'cause you can't change the cache size. I know, a lame excuse, but I've seen so much drive activity from using Chrome I had to get rid of it.
08-08-2013, 11:28 AM #6