Google Chrome ‘Hacked’: How Your Passwords Can Be Exposed

If you’re one of the millions of people using Google Chrome as your preferred browser, and if you happen to have any important passwords saved within the browser itself, you might just want to reconsider how wise that is.

Your data is, of course, at risk any time your computer is stolen, lost or borrowed by another person, but there are various measures we can put in place to protect against this. But whatever security precautions you take, this could all be undone in seconds if you happen to use Google’s browser, as software designer Elliott Kember revealed in a blog post called “Chrome’s Insane Password Security Strategy,” which later sparked an intense discussion on the Hacker News forum.

As Kember explains in his post, if you happen to be using Google Chrome to save and sync your passwords to login to your favourite websites more easily, you could be in a whole lot of trouble. The browser apparently has an inherent security weakness, one that allows intruders to gain full, unrestricted access to all of your passowrds in a matter of seconds, simply by visiting this page in Chrome’s settings: chrome://settings/passwords.

Open that link and you’ll stumble across the cache where all the passwords saved in Chrome are kept, which is synced with all the other devices you use. Okay, I hear you say, what’s so bad about that? Well, that cache can be opened to reveal a plaintext version of your passwords with just one click, allowing anyone using your computer to note down the passwords for your email, Facebook, Twitter, or any other service you access using Chrome.

Your password list, which cannot be locked down, includes the website address, username, and password for every site you’ve saved using Chrome. The passwords are hidden of course, but can easily be unmasked with a single click of the “Show” button.

So if anyone knows about this weakness, and gains access to your computer – perhaps someone used the desktop on your desk at work, or maybe a ‘friend’ just asks to borrow your laptop for two seconds to search something – all it would take is a few seconds for them to quickly glance at your passwords and compromise all of your accounts.

With just a couple of mouse clicks, anyone using your computer can be looking at this:

Unfortunately, this problem isn’t entirely exclusive to Chrome. It also exists in Firefox (passwords can be accessed under the ‘security’ tab), although it at least gives users the option of setting a master password (though this is not the default option). In addition, alternative browsers using the Webkit and Gecko rendering engines, such as Comodo Dragon, Yandex Browser and Opera, are equally at risk.

At least Internet Explorer has done something right for once. It’s not many people’s favorite browser, but with authentication required by default before it’s possible to access passwords in plaintext, it’s probably the safest. The Web Credential Manager stores all of your browser passwords in Windows 7 and 8, and this requires that you input your user password before plaintext versions can be seen.

Naturally, this is going to be a concern for many people using Google Chrome – it’s not just confidential data that could be exposed, but also your private life, your emails, social networks and so on. But at the same time, if Chrome is your favorite browser you’re not going to want to ditch it, so what can you do?

There’s no genuine ‘fix’ for this problem, but you can take extra precautions, such as never leaving your computer unlocked when you move away from it. That’s an obvious step, and you can also lock your admin account and only allow friends to use it with a guest account. Finally, if you really want to be safe, just avoid using Chrome to store your passwords altogether – instead, use a third-party password manager such as Lastpass or RoboForm, which keep all of your logins and passwords in an encrypted state, and require authentication to view them in plaintext.

About Mike Wheatley

Mike loves to talk about Big Data, the Internet of Things, Hacktivists and hacking, but he also hates Google and can never resist having a quick dig at them should the opportunity arise :) Got a REAL news story or tip? Email Mike@SiliconANGLE.com.