You've gone to great lengths to establish quality passwords and keep them secure, but recent news that using Google Chrome could expose these passwords to anyone -- anyone who has access to your computer, that is -- is causing quite a stir in the security realm. Google has responded by defending its policy that allows this to happen.
Software developer Elliott Kember called out the issue on his blog Tuesday. He had noticed in his Chrome settings a "saved passwords" option that was checked and greyed out, leaving him no way to opt out of importing passwords saved in another browser.
Image caption: how Kember first learned that Chrome was storing his passwords in a way that anyone else with access to his computer could read as plain text. (Image: ElliottKember.com)
As Kember puts it, "This is the illusion of choice."
Kember tracked down where his saved passwords were kept. At first he found the usual series of dots standing in for the characters of each password, but clicking the "show" button revealed the exact text.
Kember used this as an example to show how passwords can be revealed to someone who accessed a Chrome user's settings. (Image: ElliottKember.com)
"In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market - the users. The overwhelming majority. They don't know it works like this," Kember wrote. "They don't expect it to be this easy to see their passwords. Every day, millions of normal, everyday users are saving their passwords in Chrome. This is not okay."
Justin Schuh, Google's Chrome security tech lead, responded on Hacker News as Kember's complaint spread quickly and stirred concern. Schuh wrote that the behavior was deliberate:
The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theater.
Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install a malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.
We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, they can get at everything. Because in effect, that's really what they get.
Wired wrote, in light of Google's response, that from a security architect's perspective "the company is completely right." But it also acknowledged the other view: that putting up even "the flimsiest obstacle" could make these passwords a bit more secure.
"Google’s all-or-nothing security perspective is natural for a company that routinely confronts serious, state-sponsored attackers. But in day-to-day life, most Chrome users have to worry about what security geeks call the 'unskilled attacker.' That’s the jealous boyfriend who might, if it’s easy enough, cage your Facebook password to check up on you later. It’s your teenaged son looking for your porn passwords. It's the dude at the coffee shop who’s left alone with your laptop for a moment while you pick up your mocha," Wired's Kevin Poulsen wrote.
With this in mind, Poulsen wrote that putting up a barrier before the Chrome Password Manager can't hurt.
That said, until such a barrier appears (if it ever does), you can simply decline whenever Chrome asks whether to save a password. You can stop the prompt from appearing at all by going to the "Passwords and Forms" section of Chrome's "Advanced Settings" and unchecking "Offer to save passwords," as PC World pointed out. To delete what is already saved, head into "Manage saved passwords."
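Unchecking "Offer to save passwords" only covers one user on one machine. For a fleet, the same setting can be forced through Chrome's admin policy, and the script below, an added example that is not from the article or from Google, audits whether that enforcement is actually in place. It assumes Chrome's Linux managed-policy directory, /etc/opt/chrome/policies/managed/, and the PasswordManagerEnabled policy key; the policy files it checks in the demo are constructed test data.

```python
import json
import tempfile
from pathlib import Path

# Chrome reads admin-set policy from JSON files in this directory on Linux;
# a key set here overrides whatever the user picks in the settings page.
POLICY_DIR = Path("/etc/opt/chrome/policies/managed")
POLICY_KEY = "PasswordManagerEnabled"  # false == "Offer to save passwords" forced off


def audit_password_manager(policy_dir=POLICY_DIR):
    """Report how the password manager is governed on this host.

    Returns (status, details). status is one of:
      'enforced_off' - a policy file sets PasswordManagerEnabled to false
      'enforced_on'  - policy explicitly keeps password saving available
      'conflict'     - policy files disagree; which one wins is not something to rely on
      'unmanaged'    - nothing sets the key, so each user decides in Settings
    """
    policy_dir = Path(policy_dir)
    if not policy_dir.is_dir():
        return "unmanaged", ["no managed policy directory"]
    values, details = {}, []
    for path in sorted(policy_dir.glob("*.json")):
        try:
            data = json.loads(path.read_text())
        except (OSError, ValueError) as exc:
            # A broken file contributes no policy; report it rather than crash.
            details.append(f"{path.name}: unreadable ({exc})")
            continue
        if isinstance(data, dict) and POLICY_KEY in data:
            values[path.name] = bool(data[POLICY_KEY])
            details.append(f"{path.name}: {POLICY_KEY}={data[POLICY_KEY]}")
    if not values:
        return "unmanaged", details or [f"no policy file sets {POLICY_KEY}"]
    if len(set(values.values())) > 1:
        return "conflict", details
    status = "enforced_on" if next(iter(values.values())) else "enforced_off"
    return status, details


def make_sample_policy_dir(files):
    """Build a throwaway policy directory from {filename: json_text} (constructed test data)."""
    tmp = Path(tempfile.mkdtemp())
    for name, text in files.items():
        (tmp / name).write_text(text)
    return tmp


if __name__ == "__main__":
    status, details = audit_password_manager()
    print(status, *details, sep="\n  ")
```

Run as-is it inspects the real policy directory; a result other than 'enforced_off' means users on that host can still turn saving back on themselves.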
To reiterate, this exposure occurs when someone has access to your Google Chrome browser, so you can also guard against it by keeping an eye on your computer around the house and in public, and by disconnecting your Google account (also done from Chrome's settings) before lending someone your computer.