Google responds to claims about Chrome password security

Google has denied that there is a flaw in its Chrome browser that allows saved passwords to be viewed in plain text.

After reports emerged that the password section in the browser displays saved passwords in plain text, Google has said that the only strong permission boundary for your password storage is the OS user account.

In a comment, Justin Schuh, Google Chrome browser security lead, confirmed that Chrome uses whatever encrypted storage the system provides to keep passwords safe for a locked account. Beyond that, he said, Google has found that boundaries within the OS user account just aren't reliable.

He said: “Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extensions to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.

“We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behaviour.

“We want to be very clear that when you grant someone access to your OS user account that they can get at everything. Because in effect, that's really what they get.”

The response came after a blog post by software developer Elliott Kember, who found that he was not able to uncheck a 'saved passwords' option on the import setting menu, leading him to discover that all saved passwords can be displayed in plain text in the Chrome settings panel.

He said: “There's no master password, no security, not even a prompt that ‘these passwords are visible’.

“There are two sides to this: the developer's side and the user's side. Both roles have vastly different opinions as to how the computer works. Any time I try to draw attention to this, I get the usual responses from technical people: just use 1Pass; the computer is already insecure as soon as you have physical access; that's just how password management works. While all of these points are valid, this doesn't address the real problem: Google isn't clear about its password security.”

Schuh directed people tweeting him about saved passwords to the blog comment, via his Twitter account.
