Chrome Introduced User Passwords In Plain Text Without Additional Verification
If you've enabled Google Chrome's 'Offer to save passwords I enter on the web'
feature and have saved some or all of your passwords through it, you should
remember to sign out of your Google account in Chrome, especially if you use the
browser on a shared computer. Google's popular Web browser allows you to save
your passwords and manage them through a menu in the browser's Settings page.
When you click on 'Manage saved passwords' you get a list of your saved
passwords as well as a list of websites where you have instructed the browser to
'never save'. Interestingly, when you click on one of your saved passwords,
Google gives you the option to see the password in plain text by clicking on the
'Show' button placed next to the listing. It doesn't ask for a confirmation or
any additional verification by, say, prompting for your Google account's
password.
It's worth pointing out that this 'vulnerability' - or feature as Google calls
it (see below) - has been present in Chrome since its early days. Once you are
signed in to your Google account on Chrome, the browser pulls all your
bookmarks, browsing history and passwords. This means that if you forget to sign
out while using Chrome on a shared computer, anyone will be able to access your
saved passwords easily. Someone sitting next to you while you are using the
computer can do the same by distracting you momentarily. Someone accessing your
computer remotely can also see these passwords if you're not constantly
supervising. The intruder can also change the passwords and block your access to
your service accounts. Software designer Elliott Kember pointed out the security
flaw in a blog post. Interestingly, a Chrome developer told Kember on a
discussion thread on Hacker News that the security flaw is in fact a feature of
the browser. He said that the main password boundary for the user was the OS
user account and that there were vulnerabilities that could be exploited if that
is breached.