Google leaves Chrome users at peril
Password security is one of the key things all Internet users want safeguarded. New reports now suggest that Google Chrome comes with a loophole that makes accessing stored passwords an easy affair. Web designer Elliot Kember, in a blogpost, has questioned Google’s security measures with a simple demonstration showing how a single URL gives anyone with physical access to your machine a view of all stored credentials. This includes passwords to all synced accounts, including Facebook and Twitter.
Google’s browser is designed to ask users whether they would like to store the account passwords they enter online. The feature exists to give users quick access to websites. If that option is chosen, Chrome saves a list of credentials in its settings, where each stored password can be toggled to show in clear text directly on the screen.
And this tool has reportedly been around for many years. In the blog post, Kember points out that all anyone needs to do is visit chrome://settings/passwords in the browser. Once there, all Chrome user passwords can be accessed with just one click of the mouse button, as opposed to three clicks using the settings UI.
In response to the blogpost, Justin Schuh, Google’s head of Chrome Security, has clarified why Google doesn’t secure stored passwords. Discussing the issue on Y Combinator, the Chrome Security head said that Google does not want “to provide users with a false sense of security and encourage risky behavior.”
The rationale being provided here is that if a would-be attacker has access to a user’s machine then “the game was lost.” This was because there would be “too many vectors for [the attacker] to get what he wants.” This rationale does not take into account families who may share the same computer and who are not aware of how easy it is for someone to access their login details. The argument is that if an attacker has access to the computer, he can easily see more than just browser data. However, it does not address the fact that Chrome provides a centralised window that offers an easy way to search for passwords. Armed with this, an attacker can locate, copy and use a Facebook or Twitter password in a matter of seconds.
Another question raised by Kember’s blogpost revolves around why Google has not been more public about its security decisions in the past. Put simply, if the company believes that operating system locks are a better way to protect a computer, why did it not give its users adequate warning of this?
Other browsers also let users check their passwords, but throw in additional security measures to protect them. Mozilla recommends that all Firefox users who share a public computer set up a master password. The master password will not be displayed by default when searching for passwords. Both Safari and Internet Explorer require users to authenticate themselves with a system password. Chrome does not make use of any of these additional security measures.
Schuh, while explaining the company’s stance, has said that Google has “literally spent years” evaluating its security measures, giving it “quite a bit of data to inform our position.” Putting the ambiguity of Chrome’s security aside, it should be noted that Google’s browser now has a huge number of users, and many of them are unaware that their passwords are easily accessible. Furthermore, there don’t seem to be any additional security measures that Chrome users can employ to secure their PC or Mac to stop someone from gaining access to their computer. It remains to be seen if Google will roll out additional security measures soon to address this problem.