Google Slammed Over ‘Insane’ Chrome Password Exposure

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Tim Berners-Lee disappointed by Google’s response to criticism of Chrome’s stored passwords

Google has been criticised for making it easy to access someone’s stored passwords if the attacker can get on to a target’s Chrome browser.

The problem is a simple yet controversial one: Google does not protect passwords from being viewed when a user is logged in and running Chrome. It means anyone can walk up to a machine and grab stored passwords from Chrome.

The tech titan believes this is the best way forward for usability and security.

Squabbling over passwords

To view stored passwords, a user simply has to go to the advanced settings page, then click on the “Passwords and forms” option, followed by “Manage saved passwords”.

Password hackAlternatively, they could just use the URL chrome://settings/passwords. Clicking on the list of obscured passwords reveals what they are.

There is no option to add security around stored passwords, not even the option to add an extra password to access them.

“Google isn’t clear about its password security,” said developer Elliott Kember, who blogged about the issue. In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It’s the mass market – the users. The overwhelming majority.

“They don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay.”

Head of Google’s Chrome developer team, Justin Schuh, said Kember’s assessment was wrong, suggesting that Google would be giving a false sense of security if they changed the model.

“You think your passwords are protected somehow in other applications, but they’re simply not. The fact is that they’re still trivially recoverable, and if the bad guy can read them at all than he already has access to fully compromise your entire OS user account,” he added.

“So, you’re arguing that we take measures to make users think they’re safe when they’ve already surrendered any pretense of security. Effectively, you’re asking that we lull our users into a false sense of security.”

Others also disagreed with Kember, noting that users who want protection can use password management tools like 1Pass that allow for a single login to access credentials for different websites. Normal users would not want a similar tool forced on them, they argued.

Many have  taken Schuh to task, however, agreeing Google should be more upfront with its customers. Tim Berners-Lee even tweeted that the reply from the Chrome team was “disappointing”.

Others noted that whilst serious hackers don’t need to spend their time looking for open computers to steal valuable credentials, anyone who wants to snoop on co-workers or family members could easily do so by grabbing passwords from Chrome.

Security expert Graham Cluley noted Firefox, one of Chrome’s chief rivals, gave the option of adding a password to protect stored credentials. “It’s hard to see how Google can justify not putting an extra level of protection in place when other browsers have adopted similar techniques,” he added.

What do you know about Internet security? Find out with our quiz!