UK programmer Elliott Kember has raised a concerning issue on his blog this week. Web browsers Google Chrome and Mozilla Firefox can reveal saved logged in user passwords in just a few clicks. According to The Register there is now a debate over whether this is a ‘common feature’ or glaring security issue.
If the user is working in Chrome, you can key in chrome://settings/passwords – then click on a starred out saved website password and click on ‘show’. If you work in an office environment you can theoretically get the passwords of anyone in the office without much effort.
Kember said that it was a ‘silly feature’ that needs fixing. “In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It’s the mass market – the users. The overwhelming majority. They don’t know [Chrome] works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not OK.Today, go up to somebody non-technical. Ask to borrow their computer. Visit chrome://settings/passwords and click “show” on a few of the rows. See what they have to say.”
Kember says that protecting these saved passwords with a main password would be a good move, protecting all saved details.
Chrome’s team lead Justin Schuh said that if someone has direct and physical access to the computer then there is no point even trying to protect those passwords as anything can be broken with the machine in hand. He said “I appreciate how this appears to a novice, but we’ve literally spent years evaluating it and have quite a bit of data to inform our position. And while you’re certainly well intentioned, what you’re proposing is that that we make users less safe than they are today by providing them a false sense of security and encouraging dangerous behaviour. That’s just not how we approach security on Chrome.”
The Register add that Firefox is also vulnerable. Open preferences, hit the ‘Saved Passwords’ button in the security tab and then press ‘show passwords’. That said, a master password can be set up in Firefox to protect credentials. Opera follows the same structure of a ‘master’ password.
Kitguru says: Is this an important issue? or should you realistically never let anyone use your computer without supervision anyway?