Chrome-saved cleartext passwords not a flaw, Google says


Master passwords a bad idea, Chrome lead says.

Google Chrome passwords are stored in cleartext, a function that Google says is not a flaw.


Software developer Elliott Kember discovered that all saved passwords can be displayed in plain text in the Chrome settings panel.

“There's no master password, no security, not even a prompt that ‘these passwords are visible,’” Kember said.

Google said passwords were encrypted on Google servers. Chrome browser security lead Justin Schuh said any attacker who gained access to an account could dump all session cookies, grab history, install monitoring software or install malicious extensions to intercept browsing activity.

His point was that “once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.”

Popular web browser Firefox offers a master password feature, but Schuh said that it provided users with a false sense of security and encouraged risky behaviour.

“There's a big disconnect between what people ‘should’ do, and what people ‘actually’ do,” Kember said.

“For instance, supposedly you're supposed to switch user accounts on a computer whenever someone else uses it. But in the real world, people borrow their friends' computers all the time.”

A forum user, signing off as hobbes300, responded to Schuh's post, saying, "Your logic doesn't follow...Don't forget, all security, regardless of how good it is, is just a delay mechanism. It's perfectly valid to delay the easy attacks as well as the hard ones."

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition