It seems like almost every website you visit has a login of some sort. Managing and remembering them all is virtually impossible, so for convenience the major Web browsers offer a feature that saves your passwords. But a software developer has discovered that it’s a bad idea to trust this sensitive information to your browser—especially if your business uses Google Chrome.
Elliot Kember wrote a blog post about the critical flaw in Chrome password security. He had decided to switch from Safari to Chrome and wanted to import his Safari bookmarks so he’d have access to all of the same sites and content between the two browsers. He was alarmed to find that one of the “options” under “Import bookmarks and settings” is to import saved passwords. However, the option is grayed out and automatically checked, meaning it’s mandatory and there’s no choice to not import saved passwords.
Aside from the irony of having a checkbox for something that is clearly not optional, the import setting set off some red flags for Kember. Chrome does not provide any protection for the passwords it stores—there is no master password that locks access to managing the saved passwords. The passwords are stored in plain text, and anyone with access to the browser can expose them simply by clicking the “show” button next to a password field in the settings page.
Kember writes in his post, “In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It’s the mass market—the users. The overwhelming majority. They don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay.”