Google is getting railed against for exposing plain-text passwords with just a few clicks in its Chrome browser – a security oddity that isn’t new, but which the company hasn’t bothered to explain in any great detail, shrugging off the suggestion that it’s a security hole.
Elliott Kember, a developer at design and development studio Riot, first pointed out what he considers to be Chrome’s lax security in a blog post on Tuesday.
The feature in question is found in Chrome when a user selects Settings | Show advanced settings | Passwords and forms | Manage saved passwords.
At that point, Chrome lists saved passwords, with a highlighted “Show” button that renders a given password in plain text when selected.
“There’s no master password, no security, not even a prompt that ‘these passwords are visible’,” Kember wrote.
Kember came across the feature while doing application development work. At one point, he chose to import bookmarklets (i.e., bookmarks stored in a browser that contain JavaScript commands) from Safari into Chrome.
When he selected Chrome’s “Import bookmarks now” command, he was presented with a checklist of items to import. The third choice in the list, “Saved passwords,” was mandatory, being both checked and greyed out.
Why have a checkbox at all, Kember mused, when it represents only the illusion of choice?
It was then that he went on to check out Chrome’s password settings and discovered that, unless he locks his screen while he’s away, anybody who sits at his computer can easily see his passwords.
Those technical-minded people to whom he’s brought up the issue have been, apparently, rather dismissive, telling him that this is simply how password management works, that he should really just be using a password manager such as 1Password, and that any computer is insecure as soon as somebody gains physical access to it.
Maybe so, Kember says, but Google’s still being clear as mud about how its security works, and the typical user just doesn’t expect passwords to be so easy to get at:
"In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market - the users. The overwhelming majority.
"They don't know it works like this. They don't expect it to be this easy to see their passwords. Every day, millions of normal, everyday users are saving their passwords in Chrome. This is not okay."
Google doesn’t seem inclined to take his criticism to heart.
Justin Schuh, head of Chrome security, weighed in on Kember’s blog post, saying that things are exactly the way Google intends them to be, and whatever Kember’s suggesting doesn’t jibe with the Google way:
"I appreciate how this appears to a novice, but we've literally spent years evaluating it and have quite a bit of data to inform our position.
"And while you're certainly well intentioned, what you're proposing is that we make users less safe than they are today by providing them a false sense of security and encouraging dangerous behavior. That's just not how we approach security on Chrome."
In the Hacker News thread where Schuh’s feedback is posted, people are arguing over whether Chrome is, in fact, unique among browsers in its easy accessibility to plain-text passwords.
You can get to plain-text passwords in Firefox, for example, by going to Preferences | Security | Saved passwords.
The difference, however, is that Firefox lets users set a master password that must be entered before anybody can get at that plain-text list.
That’s a big “if,” though: how many users are aware of the master-password option, and how many actually set it up?
In the end, this sounds more like a gap in perspective between the technically literate and the masses than it does a security bug.
But that doesn’t mean we should tolerate Google’s dismissiveness toward the suggestion that it should more clearly communicate exactly what’s going on with security in its products.
As Sophos’ Maxim Weinstein noted on Dark Reading in late July, and as Brian Krebs wrote about in mid-July, Chrome has gained a reputation for offering protection from web exploits, as criminals have all but given up on attacking its users.
That’s a good thing. But Google doesn’t always get security right – far from it. There have, after all, been holes recently poked in Google’s security reputation.
In July, researchers exposed a gaping hole in code verification on Android due to poor coding.
One week later, well, it was déjà vu all over again.
Chinese researchers found another bug with the same side-effect – a signed-unsigned integer mismatch that once again left a gaping hole in code verification.
Now, ironically enough, we have this plain-text password security issue – not a bug, mind you, but a security weakness nonetheless – that’s done purposefully, as opposed to being a result of bad coding.
Given its missteps with Android security, it just might be time for Google to re-examine its self-image as a security paragon.
Part of that re-evaluation should include listening more closely to the input from users such as Kember.
Maybe he’s a “novice” in the eyes of a Google security guru such as Schuh, but Google’s customers include plenty of people with a lot less know-how than Kember, and their needs have to be taken into account.
Out of curiosity (I never use it, preferring Chrome), I checked how I’ve got Firefox set up. Sure enough, I didn’t have the master password option selected.
OK, that’s fixed now.
Fellow humans of the nontechnical masses, the best takeaway from this kerfuffle that I have gleaned is that we should all check our browsers, given that they all likely render passwords easily readable in various ways.
Are you allowing Google to store your passwords? I stopped a while back, preferring to leave passwords up to the LastPass password management tool.
Now, too, I’ve got a master password set up for Firefox.
Browser and password experts, where else should we be checking for access that exposes our passwords? Your input in the comments section below would be welcome indeed.
And Google, if you’re interested in keeping computing as safe as possible, I would suggest that you lose the attitude when getting input from “novices”.
I see Google's point of view and, as an extension to what they said, with physical access you have all the control you need. However, they are already giving users a false sense of security.
When you first save a password in Chrome/Firefox/IE the user does not receive a warning that this is an inherently unsafe operation. Instead it is marketed as an ease of use tool to speed up your browsing etc.
The checkbox in Advanced Settings reads "Offer to save passwords I enter on the web". I always say no to any such offer, preferring to use PasswordSafe for this. However, I find that it has captured passwords (such as my Google account password) that I would never have allowed it to save.
Log out or lock your profile (duh)
Even if you're aware that your passwords are potentially viewable, so long as you lock your PC whenever you're away, you're safe, right?
However, imagine a scenario where a user takes their PC to their local repair shop for a RAM or hardware upgrade (as most users who don't have a PC-savvy buddy will do). They have to give the shop their password to allow login. So the user must make sure they delete all their Chrome/Firefox passwords before they do so.
Now imagine their Windows installation is damaged (say from a virus, or a STOP error) and won't log in. When the shop gets Windows working again, and logs on to verify it, they now have access to all the user's web passwords, including possibly Facebook, web email, Twitter, online banking, PayPal… which the user has been unable to delete because they couldn't log on.
This is a common scenario, and it's putting a helluva lot of trust into your local PC repair shop.
You are mistaken, my friend.
Any security-aware person will use two-step verification.
Once I have removed my damaged PC from the list of trusted computers, to get to my stored passwords you will need my Google password, my cell phone and the password phrase. Only all three will do.
Of course, if you do not trust the shop, it is safe to erase your disk first. LOL
In the case of a repair, just stop synchronizing and delete everything, starting from day one.
Of course you will be able to regain all by logging into your account anew.
If this is such an issue (that has existed for so long now) then why did it take a developer to bring it to light and ask the Chrome devs directly rather than, say, a security company like Sophos who hires countless security professionals and analysts?
For me this seems to be insecure as anyone sitting at your unlocked laptop can see your passwords. But fundamentally letting anyone sit at your machine whilst unlocked is an insecure thing to do! They can also hammer your email or many other things… I think this is where Google are coming from – why have a password on your browser when you have a password on your machine?
I think the answer to that is defense in depth. There is normally a time lag before the OS lock kicks in and there is always room for misconfiguration, mistakes and vulnerabilities.
Also, as one of the other comments points out there are situations where you want to give people some form of access to your computer – perhaps to get it repaired or even just screen sharing.
Following that line of thinking, why should a bank have a locked vault when they have a lock on the door that leads to the vault? More security is not a bad thing at all.
Surely it's irrelevant whether a random passer-by can see the passwords. If they are saved then all they'd need to do to get access is to log on to the appropriate website and change the password. The issue here is the decision to save passwords on an unattended unlocked machine that is accessible to others.
This is because Google considers all your data and passwords to belong to them; they care not for privacy.
No Tom, you're mistaken. You can even tell Chrome not to synchronize your passwords, or not to save them in the first place. And for those who fear too-easy access, you may use a password phrase instead of your account password if you like additional safety.
Old news. Just don’t save passwords and you're all good.
You just can't trust anybody any longer!
"Sure enough, I didn't have the master password option selected."
Google should add a feature allowing the creation of a master password. Hardly anyone will use it (see above) but it will make the egotistic security researchers happy and that's really what matters.
Nobody in their right mind should ever save a password in a browser.
Hence the warning coming up about not saving if you are using a PUBLIC computer. No big deal, really.
While this isn't exactly a surprise, Google's response is arrogant and very condescending (to a developer no less), and offers no explanation behind their reasoning. They say they have lots of data, but present none, and when they say "what you're proposing is that we make users less safe than they are today by providing them a false sense of security and encouraging dangerous behavior. That's just not how we approach security on Chrome." – they don't explain how refusing to reveal passwords would decrease security, nor how they approach security on Chrome.
They shouldn't have responded like that, and really, for completeness of security, they should fix the gaping security flaw, bug or not.
More security theater.
"unless he locks his screen while he's away, anybody who sits at his computer can easily see his passwords"
..well, DUH!
Unless he locks his computer while he's away, anyone who approaches can gain access to anything he can access.
I can do the same thing for any credentials you may have stored in Windows Credentials Manager (read: pretty much any Windows password-saving app) if I get access to your interactive logon.
You can use my PowerShell script to demonstrate this to anyone who doubts the value of locking their session when they walk away.
There is another security hole, in regard to saved passwords, that exists in both Chrome and Firefox by default. If you use the developer tools, you can edit the HTML source on the fly.
Change a password field's type attribute to "text" and it displays the password in plain text. Again, this is using built in, default tools. Even before the developer tools were built in, you could use a third party tool like Firebug. Firebug lite would also work in Internet Explorer, all versions. So bottom line is, your stored browser passwords were never safe.
So many posting here (security professionals, hmmm?) go beyond even the snobbish elitist attitude shown by Google's top dog for Chrome security. "Everyone knows you do this, this and this, or you're just an ignorant moron unworthy of our attention".
The wiser ones, including Lisa and Mark writing for Sophos, have the smarts to realize that the vast majority of users live in a different universe from infosec pros. And even if we all could accept that this is not a browser weakness, there is still the issue of Google (and others) failing to make this vulnerability known to those users. And then to respond the way they did? Utterly and unacceptably obnoxious!
Google's response was annoying. Seeing the audience here echo their attitude just flat-out pissed me off. No wonder there is so much trouble with malware, etc., with the likes of you all supposedly taking care of information security!
Simple solution: Never let a browser save your passwords. I know, it's a minor inconvenience to have to type in your password each time but just give a little thought to the MAJOR inconvenience of having someone get access to your accounts? Really, think about it.
I would never use Chrome for banking for this reason, but I do use Chrome for the hundreds of lower-level sites that I deal with, to save time and to avoid the common problem of using the same medium-level password for many sites. However, a normally careful user can leave their laptop behind or their screen unattended, so why not prompt for the Google password again before revealing saved passwords? I see that as both sides meeting half way, and many sites already allow you to remain logged on for months at a time and then force you to re-confirm your credentials before making higher-level changes.
Your article made me check whether the Master Password prompt intercepted a request to view Firefox’s Saved Passwords. When I clicked Saved Passwords the Master Password prompt did indeed open, however something interesting then happened. Because I did not really want to look at the Saved Passwords, I clicked Cancel, but to my surprise the Saved Passwords box then opened anyway. This may just be my version 23, but I thought that you might/should want to investigate.
Just tested it in Nightly, the window indeed appears, but it's empty. AFAIK the password file is encrypted with the master password, so there should be no way of accessing the file without entering the password.
You guys should try out Maxthon. The most secured browser in the whole world!
Gosh, at the risk of sounding like an idiot… I have what I’m assuming will be a rather simple question for any of you to answer. At least I hope so, because I need to understand this.
Okay, so with regard to the “Manage your passwords” option when you are in the advanced settings of your Chrome browser, I brought up several pages of saved passwords… most of which I understood why they were there, but one in particular I can’t figure out. If a site/URL is listed in the password manager along with the username (I guess that’s what it is) and then a stored password… does that mean that user literally signs into that specific site? The example I’m using here is:
twitter.com/ (then there’s a name here which I won’t disclose)… when I’ve tried to sign into Twitter using that name at the end with the password it provides, it says it’s wrong. However, when I sign into Twitter with the email address/username and password it works, however it doesn’t seem to go to the name in the saved URL. Does that make sense? How is the person whose username/email is given in the password list related to this Twitter name, if at all? Especially if they have a Twitter account that IS NOT this name… Does it mean they just looked at the page? Or is it their Twitter? Or what?
My computer was out of my possession for a short time and I’m wondering if the person who had it is the one who belongs to this twitter account or if they just visited the page or whatever. Knowing would make the difference between utter deception and complete enlightenment. I’m hoping for the best. I only stumbled upon the password list thing by accident.