

Major password security flaw exposed in Chrome


Saved password revealed in Chrome. (Photo: Elliott Kember)

People who use Google Chrome - and save their passwords in the browser - should be aware of a feature that critics are slamming as a major security flaw.

Security experts have found that the web browser stores passwords (saved by users) in an unencrypted format.

All someone needs to do is go into Chrome's password settings page, accessible by typing this into the address bar: chrome://settings/passwords 

The browser will show a list of the websites and usernames you've saved in Chrome, with the hidden password beside each login. Just click the 'Show' button beside a blocked-out password to reveal the actual password.

So if anyone got access to the computer, or if the right virus wound its way on to your laptop, the password can be easily exposed and then used maliciously. 


While you may have created the most challenging password containing upper and lower-case characters, numbers and symbols, it could be useless.

The flaw was exposed by software developer Elliott Kember on his blog (see photo attached).

Since the "bug" got attention, it's prompted a response from Justin Schuh, who works on Chrome's security.

In a response written on Hacker News, he points out that saved passwords are only as secure as the password attached to the operating system of the computer in question.

So if you don't have a password to log into your Windows or Mac computer, you probably should start locking things down. Also, you should avoid lending your computer out to "friends," and don't leave your laptop open - even if you're just stepping away for a quick moment.

He goes on to write: 

Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.

Will you keep saving your passwords in Chrome? Are you tired of creating difficult passwords that are almost always easy to forget?


 - Maurice Cacho, MSN Tech & Gadgets




Maurice Cacho

Maurice Cacho is a Toronto-based journalist mixing his love for tech with a passion for news. He's also CP24's Web Journalist and appears daily on CP24 Breakfast and weekly on the channel's tech show, Webnation, discussing tech news and trends.