The Guardian is reporting that a serious security flaw in Google’s Chrome browser allows anyone with access to a computer to view all of a user’s saved login passwords without providing any form of authentication.
The Guardian, via 9to5Mac:
A serious flaw in the security of Google’s Chrome browser lets anyone with access to a user’s computer see all the passwords stored for email, social media and other sites, directly from the settings panel. No password is needed to view them.
Besides personal accounts, sensitive company login details would be compromised if someone who used Chrome left their computer unattended with the screen active.
Passwords can be accessed by clicking the menu icon (top-right corner of the window), clicking “Settings”, then clicking “Show advanced settings” at the bottom of the screen, then clicking “Manage saved passwords” in the “Passwords and forms” section.
Oddly enough, when informed of the flaw, the head of Google’s Chrome developer team, Justin Schuh, said that while Google is aware of the weakness, it has no plans to fix it.
Schuh wrote on Hacker News that “We’ve also been repeatedly asked why we don’t just support a master password or something similar, even if we don’t believe it works. We’ve debated it over and over again, but the conclusion we always come to is that we don’t want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything.”
It is true that if you left almost any browser open and another party gained access to it, they would be able to log in to websites via the stored passwords. In this instance, however, the snoop could also take note of your login info and use it on another computer or device.
Most browsers have a similar password reveal option, but require a master password before displaying any passwords.