Google is storing the saved passwords of Chrome users in plain text, allowing them to be easily viewed by anyone with access to the user’s computer.
The internet browser has been storing passwords in such a way since it was released in 2008. By going to chrome://settings/passwords, anyone using the computer is shown a list of saved passwords, and with one click, can choose to “show” the password in plain text.
Google’s end user agreement states the user “expressly understands and agrees that Google, its subsidiaries and affiliates, and its licensors shall not be liable to you for .. your failure to keep your password or account details secure and confidential”.
Google is not the only browser maker storing passwords in such a way. Mozilla’s Firefox offers a similar route to access saved passwords.
By clicking on the ‘Firefox’ tab on the top left of the browser, selecting ‘Options’, then ‘Options’ again, clicking the ‘Security’ tab, then the ‘Saved Passwords’ button, users are then shown a box with saved passwords.
Hitting the ‘Show Passwords’ button will ask the user if they are sure they want to show the passwords; selecting ‘yes’ will reveal the passwords in plain text.
Firefox does offer a master password to secure the saved passwords, Google does not.
The passwords save within both browsers when a user selects to “remember” (Firefox) or “save” (Chrome) a password upon entering it into a website. Once in the password manager, Chrome users can select to un-save the passwords and therefore remove them from plain text display. Firefox users can select to 'remove all' saved passwords from the list.
A Mozilla spokesperson told iTnews the company offered two options for storing passwords.
“The default option is to lightly obfuscate these passwords so they are recoverable if you forget them and this option may be preferred by some who do not share their desktop computer,” the spokesperson said.
“For those with greater security concerns, Firefox can protect sensitive information such as saved passwords and certificates by encrypting them using a master password. We make these options clear to users on Mozilla's Support Site."
A Google spokesperson pointed iTnews to a comment on Quora by Google Chrome design lead Glen Murphy, who said:
“We decided that while disallowing 'show password' would prevent casual snooping, it wasn't an honest protection of your data and would provide a false sense of security - even if we didn't have the feature, your locally-stored passwords are accessible to anyone who has access to your computer anyway - they can either just look at your disk, or run some JS (JavaScript) on a page with an autofilled password.”
‘Sh*t a brick’: What the experts say
The issue has received intermittent low-level coverage over the years but is not widely known. Managing director of Lockstep Group Stephen Wilson had been unaware of the issue and said it was a big security concern for online browsers.
“Sh*t a brick,” he said when shown the feature on his Firefox browser. “This shines a light on the issue that passwords when stored locally are supposed to be salted or hashed so they are invisible. I didn’t know they were as visible as this.”
Wilson said it was not good enough that both Google and Mozilla were effectively saying users forfeit their right to have a password remain secure when saving it.
“It’s not reasonable that people don't know this is what their browser is doing. There’s an implied level of computer sophistication that isn’t realistic,” he said.
He said while Google’s end user terms and conditions were “understandable and predictable”, they weren’t fair and reasonable from a trade practices point of view.
“They have got to have some sort of responsibility for usability and utility of tools they give people to secure themselves with. I don’t think that a big internet company can just disclaim all responsibility for passwords when they provide a tool like this, and they don’t provide any other meaningful option.”
Wilson is an advocate of the movement to kill off passwords, an effort to ditch passwords entirely in favour of two-factor authentication. He said issues such as this highlighted the need for such a shift.
“Passwords are a stupid idea for two reasons: they are data people can discover and use against you; and they are generally replayable, they don’t have the two factor properties you need for security,” he said.
“A lot of us have been saying for a long time we need to move to proper two-factor authentication. Passwords are fine for low-rent stuff, logging on to media sites etc, but we need to move to two-factor for banking, healthcare, government and such - the questions is how do you do it. At the moment it’s a bewildering mess of options.”
CEO of Threat Intelligence Ty Miller said he had been aware of the issue for some time but was still surprised both browsers offered clear text password storing as a feature.
“It is a concern. I know there’s been talk around potentially requiring a password to actually gain access to reveal those clear text passwords,” he said.
“Definitely it’s worth the web browsers actually securing that because it’s a surprising feature to a lot of security professionals.”
He said many people in Australia still used a shared PC at home and as such, would be at risk of their accounts being accessed by someone else using the computer.
“We used to occasionally get calls from a husband or a wife concerned their partner had broken into their email and were snooping on what they were doing, and these things happen pretty regularly,” he said.
“If you’re using a shared computer at home you’re opening up a risk of family members or friends abusing that functionality to gain access to your accounts.”
Miller echoed Wilson’s sentiments around removing passwords entirely in favour of two-factor authentication.
“Passwords are something that are a legacy security control that everything is relying on at the moment, and they’re just insecure,” he said.
“The number of security breaches that happen these days, the list is endless, and things like two-factor authentication are definitely an option moving forward. And with mobile you’re no longer relying on hardware tokens that are expensive to hand out, you can use a mobile app or even SMS."
Chief technology officer at Sense of Security Jason Edelstein hadn't been aware of the issue but said he didn’t see the saved password storing feature as a major concern, as the likelihood of another person accessing and using someone’s computer without permission was quite low.
“It would be a major issue if people saved passwords on a kiosk or somewhere shared,” he said. “And certainly on banking sites and such they set a flag in the html when saving sensitive passwords which sets autocomplete to off.”
However he said Chrome and Firefox should have a warning that pops up when a user elects to save a password notifying them it will be stored in such a way.
“Then you’d have transparency,” Edelstein said.
.jpg&h=271&w=480&c=1&s=1)
