OFFICIAL SECURITY BLOG
August 7, 2013 | BY Armando Orozco
An oddity in Google’s Chrome allows you to reveal stored passwords saved by the popular browser.
Software developer Elliot Kember came across this while importing his Safari browser settings and thought he’d share. His blog points out how our stored passwords are readily available in Chrome.
We’ve all seen the option in our favorite browser that offers to save our passwords—fair enough. Chrome takes it a step further and gives you the ability to see those stored passwords.
In Chrome’s password manager, chrome://settings/passwords, you are presented with any saved passwords. From there you can select the account and click the “Show” button to reveal the password.
This isn’t a huge security hole but really a privacy issue if you use Chrome. The feature hasn’t been targeted by malware authors but could leave you exposed if someone with prying eyes has access to your PC.
Google seems confident in the feature and that it is not a security issue.
“The only strong permission boundary for your password storage is the OS user account,” Justin Schuh, a Security Tech Lead for Chrome, said. “So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account.”
He has a good point: sometimes all bets are off when a bad guy gets access to your PC, although you can make the job difficult by not having passwords easily accessible. If you want to clear out any stored passwords in Chrome, you can remove them in its Advanced settings under “Passwords and Forms.” Access these by going to Chrome’s menu -> Settings.
Firefox also has this feature, and it is accessible through the Firefox menu, then Options -> Options -> Security -> Saved Passwords. Firefox does prompt when accessing “Saved Passwords” but reveals them just the same. So this is not strictly a Chrome thing.
If you do like to use password storage features, don’t use them on a “community” PC or leave your PC unlocked when away. We’ve covered password security in past blogs; our Josh Cannell covered the topic recently, and Neil Rubenking, a journalist for PC Mag, also covered this Chrome feature and offered some tips on using third-party password managers.
It’s interesting how long this has gone under the radar of the media and security industry. Though it’s not necessarily a security exploit, it does bring up the password issue again. Please stay secure and be aware of where and when you’re storing your passwords.