If you've enabled Google Chrome's 'Offer to save passwords I enter on the web' feature and have saved some or all of your passwords through it, you should remember to sign-out of your Google account in Chrome, especially if you use the browser on a shared computer.
Google's popular Web browser allows you to save your passwords and manage them through a menu in the browser's Settings page. When you click on 'Manage saved passwords' you get a list of your Saved passwords as well as a list of websites where you have instructed the browser to 'never save'. Interestingly, when you click on one of your saved passwords, Google gives you the option to see the password in plain text by clicking on the 'Show' button which is placed along with the listing. It doesn't ask for a confirmation or any additional verification by, say, prompting for your Google account's password.
It's worth pointing out that this 'vulnerability' - or feature as Google calls it (see below) - has been present in Chrome since its early days.
Once signed in to your Google account on Chrome, the browser pulls all your bookmarks, browsing history and passwords. This means that if you forget to sign out while using Chrome on a shared computer, anyone will be able to access your saved passwords easily. Or someone sitting next to you while you are using the computer can distracting you momentarily. Someone accessing your computer remotely can also see these passwords, if you're not constantly supervising. The intruder can change the password and block access to your service accounts, as well.
Software designer Elliott Kember
pointed out the security flaw through a blog post. Interestingly, a Chrome developer told Kember on a
discussion thread on Hacker News that the security flaw is in fact a feature of the browser. He said that the main password boundary for the user was the OS user account and there were vulnerabilities that could be exploited if that is breached.
"The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theater.
Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.
We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get."
We'd recommend not to sign-in to Chrome while using a shared computer, but the best option would be to not save passwords through the browser's default passwords manager. Tools like
1Password and
LastPass are better ways of storing passwords, and they need a master password before giving you access to your passwords, offering increased security.
Update - Editor's Note: As our readers have pointed out via the comments, Firefox also lets anyone with access to the PC view the passwords by default. However, the reason Firefox was not mentioned - but perhaps should have been as a comparison - is that it lets you set a master password to prevent this from happening.
Further, yes, this is not a new discovery about Chrome and has been around since its initial days - as mentioned in the story. It's great that so many of our readers are aware of this behaviour, but it's still worth highlighting for the large percentage who aren't.